Encryption and auto-start



Hi,

thanks for all the good information about this topic.

Currently I am trying to use it with the "next" Unraid 6.9.0-rc2 release.

It's not working for me, so I wanted to ask if anyone has already tried this.

Maybe the problem is about the event folder:

ls -la /usr/local/emhttp/webGui/event/
drwxr-xr-x 2 root root   60 Aug 31  2018 array_started/
drwxr-xr-x 2 root root   60 Mar  2  2019 disks_mounted/
drwxrwxrwx 2 root root   60 Jan 27 23:42 started/
drwxrwxrwx 2 root root   60 Jan 27 23:42 starting/
drwxrwxrwx 2 root root   60 Jan 27 23:42 stopped/
drwxr-xr-x 2 root root   60 Aug 31  2018 stopping_array/
drwxr-xr-x 2 root root   60 Mar  2  2019 unmounting_disks/

Are the folder / event names changed to the new names: array_started, disks_mounted, stopping_array and unmounting_disks?

started, starting and stopped just contain the delete_key and fetch_key scripts I've copied to this location.

Thanks in advance

Namru

I'm also another Bitlocker transplant looking for a similar solution or even an auto-decrypt with a stored key. I'm not trying to keep out the NSA or hackers (a $5 wrench would beat the password out of a determined attacker anyway). I just don't want my files to be recoverable if a drive fails and I need to dispose of it.

On 7/13/2019 at 3:14 PM, beckp said:

I thought I'd share how you can enhance the go file by reducing the six lines to a single command, and it's not by using another script. You can create a tar ball that contains the fetch_key and delete_key scripts. The go file calls the tar command. The tar ball files are extracted and the event directories are created.

You MUST have a fully functioning auto-start that unlocks using the event directories. This works with FTP or SMB fetch_key scripts.

If you have changed the script names (fetch_key, delete_key) or changed the path where you store the scripts (/boot/custom/bin/), you will need to use your alternative names in the following procedure.

1) Create a tar ball called "events" from the existing files in the event directories.

At the terminal prompt enter the following:

tar -czf /boot/custom/bin/events -C /usr/local/ emhttp/webGui/event/starting/fetch_key emhttp/webGui/event/started/delete_key emhttp/webGui/event/stopped/fetch_key

2) Update the go file. Comment out the existing lines in order to test.

From:

# auto unlock array
mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped

To:

# auto unlock array
# mkdir -p /usr/local/emhttp/webGui/event/starting
# mkdir -p /usr/local/emhttp/webGui/event/started
# mkdir -p /usr/local/emhttp/webGui/event/stopped
# cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
# cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
# cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped
tar -xzf /boot/custom/bin/events -C /usr/local/

3) Once you're confident that everything works, rebooting IS necessary. You can clean up by deleting the event scripts (fetch_key, delete_key). Your files are now stored in the "events" tar ball. Then update the go file by removing the commented lines and any references to "unlock".

# auto start array
tar -xzf /boot/custom/bin/events -C /usr/local/

I hope some of you may find this interesting.

Hello; thank you for taking the time to make this guide. I am having some issues trying to make this work on unRaid version 6.9.2. I have my fetch_key as per below:

#!/bin/bash

if [[ ! -e /root/keyfile ]]; then
  mkdir -p /unlock
  mount -t cifs -o user=user,password='password',iocharset=utf8 //IP/share /unlock
  cp -f /unlock/keyfile /root/keyfile
  umount /unlock
  rm -r /unlock
fi

--

If I run each line in the shell it works and I can see the keyfile drop into /root.

I had this in my go before:

#!/bin/bash

# Auto Unlock Array
mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped

# Start the Management Utility
/usr/local/sbin/emhttp &

and then I ran your first tar command and then updated my go to this:
#!/bin/bash

# Auto Unlock Array
tar -xzf /boot/custom/bin/events -C /usr/local/

# Start the Management Utility
/usr/local/sbin/emhttp &

but the array still does not auto start and I don't see the keyfile under /root.

Any tips would be greatly appreciated please

I would think the ‘cp’ commands will need to be followed by a ‘chmod’ command to make the files ‘executable’?   For security reasons files on the flash cannot be stored with the ‘executable’ bit set so you need to set this after copying them into their final positions.

6 hours ago, iptvcld said:

Thank you for the reply. Ok so I need to run these 2 lines then run the tar command again?

chmod a+x /usr/local/emhttp/webGui/event/starting/fetch_key
chmod a+x /usr/local/emhttp/webGui/event/started/delete_key

After I run the tar command, I would only have that one command in the Go file as shown in the earlier post.

I will try this out

Ok so I deleted the event file that was made under the /boot/custom/bin location and ran the below 2 commands

chmod a+x /usr/local/emhttp/webGui/event/starting/fetch_key
-rwx--x--x 1 root root 255 Aug  7 16:23 fetch_key*

chmod a+x /usr/local/emhttp/webGui/event/started/delete_key
-rwx--x--x 1 root root 34 Aug  7 16:23 delete_key*

Even tried chmod 777 for both files
chmod 777 /usr/local/emhttp/webGui/event/started/delete_key
-rwxrwxrwx 1 root root 34 Aug  7 16:23 /usr/local/emhttp/webGui/event/started/delete_key*

The two files' permissions look OK now, and then I ran this

tar -czf /boot/custom/bin/events -C /usr/local/ emhttp/webGui/event/starting/fetch_key emhttp/webGui/event/started/delete_key emhttp/webGui/event/stopped/fetch_key

and updated my go with this

#!/bin/bash

# Auto Unlock Array
tar -xzf /boot/custom/bin/events -C /usr/local/

# Start the Management Utility
/usr/local/sbin/emhttp &

Rebooted and still did not start, nor did the keyfile come across to /root/, but if I run the commands in the fetch file manually, the file comes down OK.

Any other thoughts as to what I am doing wrong here?

Aug  7 19:07:48 unRaid emhttpd: shcmd (21): udevadm settle
Aug  7 19:07:49 unRaid emhttpd: Opening encrypted volumes...
Aug  7 19:07:49 unRaid emhttpd: Missing encryption key

UPDATE...

After hours and hours the issue was that my fetch_key file had spurious CR characters and to fix that I ran the following:

sed -i -e 's/\r$//' /boot/custom/bin/fetch_key

This got rid of the CR chars (I had used Notepad++). I guess I should have used vi.

Hi, do you have any idea why it doesn't work for me?

fetch_key

#!/bin/bash

if [[ ! -e /root/keyfile ]]; then
  mkdir -p /unlock
  mount -t cifs -o user=tester,password='0987Tester',iocharset=utf8 //192.168.1.1/files /unlock
  cp -f /unlock/keyfile /root/keyfile
  umount /unlock
  rm -r /unlock
fi

go

#!/bin/bash
mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped
cp -f /boot/config/fetch_key /usr/local/emhttp/webGui/event/starting
cp -f /boot/config/delete_key /usr/local/emhttp/webGui/event/started
cp -f /boot/config/fetch_key /usr/local/emhttp/webGui/event/stopped

# Start the Management Utility
/usr/local/sbin/emhttp &

Is this correct?

When I connect with Windows to the share, the file is under ip\files.

Do I need to add the user and password differently?

The keyfile is correct.

Hi Towley,

Before I answer your question, your go file needs three additional lines. Add the following lines after the copy "cp" lines.

chmod a+x /usr/local/emhttp/webGui/event/starting/fetch_key
chmod a+x /usr/local/emhttp/webGui/event/started/delete_key
chmod a+x /usr/local/emhttp/webGui/event/stopped/fetch_key

As for your question, do I understand it correctly?

In your fetch script you have the share as "files". If it's "ip" you need to change it. The copy line after the mount needs to be:

cp -f /unlock/files/keyfile /root/keyfile

Hope this helps.

As a Windows/Bitlocker user looking to move to unraid, I'm on the same page as all of you who want auto unlock.

My question is why hasn't unraid enabled TPM support yet for this?

Also, one thing I have done for clients who need encryption on PCs/servers running Windows 10 but don't have TPM support is to use a USB drive with the key file on it and run a 15ft USB extension to another location while plugged into the server/PC, and that drive can even be in a locked or hidden location. If someone is really there to "steal" your hardware they are just going to unplug everything and go. They aren't going to want to track every cable to check. So with that in mind, how would one go about modifying the scripts above for that?

Otherwise my next option might be to do a VM and do the above and pass through the USB drive, since it seems passing through the TPM is more of a hassle.

In case anyone is interested...

I've been experimenting with using a Raspberry Pi on my local network to AutoStart an encrypted array.

I have a Raspberry Pi 4, running Raspberry Pi OS with SSH enabled.

I'm using the following command in my Go file:

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
curl --insecure -u user:password sftp://192.168.1.99/keyfile -o /root/keyfile

Please let me know your thoughts. Thanks!
On 4/2/2018 at 3:01 PM, bonienl said:

A small variation if you want the key not to be present locally on the system when operational; the key is only needed during startup of the array.

In the go file the following is included before starting emhttp.

# auto unlock array
mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped

# start webGUI
/usr/local/sbin/emhttp &

The above makes use of the built-in event system of unRAID. These events are created:

starting : this event is called before the array is started and is used to fetch the key from a remote source

started : this event is called after the array is fully operational and is used to delete the key locally.

stopped : this event is called after the array is stopped and is used to fetch the key again from a remote source

The script "fetch_key" can be any method to obtain the key remotely, e.g. using a mount method or an FTP (wget) method as explained in the video of @gridrunner

The script "delete_key" is a simple file to delete the key locally.

fetch_key

#!/bin/bash

if [[ ! -e /root/keyfile ]]; then
  mkdir -p /unlock
  mount -t cifs -o user=name,password=password,iocharset=utf8 //192.168.1.99/index /unlock
  cp -f /unlock/somefile.png /root/keyfile
  umount /unlock
  rm -r /unlock
fi

delete_key

#!/bin/bash

rm -f /root/keyfile

You can start and stop the array as usual, and the key will be automatically fetched each time, provided that the remote service is up and running.

The files "fetch_key" and "delete_key" need to be stored on your flash device. I've created the folder /custom/bin to hold my custom scripts, but one is free to choose their own source folder; please update the lines in the go file accordingly.

After updating to Unraid 6.10, the scripts are no longer working. Were there any changes to the events (starting/stopped/started)?
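A hardened version of the fetch_key/delete_key pair from the quoted design, added here as an example; it is not bonienl's script and not part of Unraid. It keeps the same layout (share mounted on /unlock, key copied to /root/keyfile, the same file serving the starting/stopped and started hooks) and adds two things the thread does not show: the fetched key is checked against a SHA-256 stored on the flash before it is installed, so a wrong or altered file on the share never reaches the unlock step, and the CIFS password comes from a credentials file instead of the mount command line. The server/share, the credentials file /boot/custom/bin/smb.cred and the hash file /boot/custom/bin/keyfile.sha256 are assumed names.

```shell
#!/bin/bash
# fetch_key / delete_key in one file (added example, not the original poster's script).
# Installed as event/starting/fetch_key or event/stopped/fetch_key it fetches the key;
# installed as event/started/delete_key it removes it. All paths are assumptions.

KEYFILE=${KEYFILE:-/root/keyfile}
MOUNT_POINT=${MOUNT_POINT:-/unlock}
KEY_HASH_FILE=${KEY_HASH_FILE:-/boot/custom/bin/keyfile.sha256}  # assumed: output of sha256sum, written once
SHARE=${SHARE:-//192.168.1.99/index}                               # placeholder server/share from the thread
CREDS=${CREDS:-/boot/custom/bin/smb.cred}                          # assumed: username=/password= lines

# copy_key SRC DST EXPECTED_SHA256
# Copies SRC to DST with mode 0600 only if its SHA-256 matches EXPECTED_SHA256.
# Returns 0 on success, 1 if SRC is unreadable, 2 on a hash mismatch, 3 if the copy fails.
copy_key() {
  src=$1; dst=$2; want=$3
  [ -r "$src" ] || { echo "fetch_key: cannot read $src" >&2; return 1; }
  got=$(sha256sum "$src" | cut -d' ' -f1)
  if [ "$got" != "$want" ]; then
    echo "fetch_key: SHA-256 mismatch for $src, refusing to install key" >&2
    return 2
  fi
  # install sets the mode explicitly; cp -f onto an existing file would keep its old mode
  install -m 600 "$src" "$dst" || return 3
  return 0
}

# remove_key FILE -> deletes the local copy, 0 if it is gone afterwards
remove_key() {
  rm -f "$1"
  [ ! -e "$1" ]
}

# fetch_key: mount the share, copy the verified key, always unmount and drop the mount point
fetch_key() {
  [ -e "$KEYFILE" ] && return 0
  want=$(head -n1 "$KEY_HASH_FILE" | cut -d' ' -f1)
  [ -n "$want" ] || { echo "fetch_key: no expected hash in $KEY_HASH_FILE" >&2; return 1; }
  mkdir -p "$MOUNT_POINT" || return 1
  # credentials= keeps the password off the mount command line (password= is visible in the process list)
  if ! mount -t cifs -o "credentials=$CREDS,iocharset=utf8" "$SHARE" "$MOUNT_POINT"; then
    rmdir "$MOUNT_POINT"
    return 1
  fi
  copy_key "$MOUNT_POINT/keyfile" "$KEYFILE" "$want"; rc=$?
  umount "$MOUNT_POINT"
  rmdir "$MOUNT_POINT"
  return $rc
}

# Dispatch on the installed name so one file serves both hooks; nothing runs under any other name.
case "${0##*/}" in
  fetch_key)  fetch_key ;;
  delete_key) remove_key "$KEYFILE" ;;
esac
```

Generate the expected hash once from a trusted copy of the key (`sha256sum keyfile > /boot/custom/bin/keyfile.sha256`); a mismatch at boot then shows up as a clear message in the log instead of the bare "Missing encryption key" seen earlier in this thread. Any other transport from the thread (wget over FTP, curl over SFTP) can replace the mount lines as long as the result is passed through copy_key.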
On 5/17/2022 at 7:59 PM, ssean said:

In case anyone is interested...

I've been experimenting with using a Raspberry Pi on my local network to AutoStart an encrypted array.

I have a Raspberry Pi 4, running Raspberry Pi OS with SSH enabled.

I'm using the following command in my Go file:

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
curl --insecure -u user:password sftp://192.168.1.99/keyfile -o /root/keyfile

Please let me know your thoughts. Thanks!

What is the difference between that and this one?

wget --user=username --password=password ftp://192.168.1.:21/keyfile -O /root/keyfile

This is what I have on my Pi Nano.
20 hours ago, Thorsten said:

After updating to Unraid 6.10, the scripts are no longer working. Were there any changes to the events (starting/stopped/started)?

Although I have not upgraded to 6.10, I have not heard of any problems. What was your previous version? Starting with 6.8 the scripts (fetch_key & delete_key) stored on the flash drive do not have the executable attribute set for security reasons. When copied to the event folders they will not be executed since the attribute is not set.

Update your go file to add three change-mode (chmod) command lines after the three copy (cp) command lines.

chmod a+x /usr/local/emhttp/webGui/event/starting/fetch_key
chmod a+x /usr/local/emhttp/webGui/event/started/delete_key
chmod a+x /usr/local/emhttp/webGui/event/stopped/fetch_key

Hope this helps.
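A deploy-and-check helper for the go file, added here as an example; it is neither Unraid's code nor beckp's. It folds together the two silent failures this thread ran into, the execute bit that the flash drive cannot carry (beckp's chmod lines) and the CR characters a Windows editor leaves in the script (iptvcld's sed fix), and it refuses to report success for a hook that emhttpd could not run. The paths default to the ones used in the thread; EVENT_ROOT and SCRIPT_SRC are assumed variable names so the helper can be pointed at a scratch directory.

```shell
#!/bin/bash
# Added example: install the event hooks from the flash drive and verify they can actually run.
# EVENT_ROOT / SCRIPT_SRC default to the paths used in this thread (assumed; override for testing).
EVENT_ROOT=${EVENT_ROOT:-/usr/local/emhttp/webGui/event}
SCRIPT_SRC=${SCRIPT_SRC:-/boot/custom/bin}
CR=$(printf '\r')

# check_event_script FILE -> 0 if the file can be executed as a hook, 1 otherwise.
# Reports every problem found: missing file, no #! line, CRLF line endings, no execute bit.
check_event_script() {
  f=$1; rc=0
  [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
  case "$(head -n1 "$f")" in
    '#!'*) ;;
    *) echo "$f: first line is not a #! interpreter line" >&2; rc=1 ;;
  esac
  if grep -q "$CR" "$f"; then
    echo "$f: contains CR characters (saved with Windows line endings)" >&2; rc=1
  fi
  if [ ! -x "$f" ]; then
    echo "$f: execute bit not set" >&2; rc=1
  fi
  return $rc
}

# install_event_script SRC EVENT -> copies SRC into EVENT_ROOT/EVENT with CRs stripped and
# mode 0755 (the FAT flash cannot store the execute bit), then re-checks the installed copy.
install_event_script() {
  src=$1; dir=$EVENT_ROOT/$2; dst=$dir/$(basename "$1")
  [ -f "$src" ] || { echo "$src: source script missing" >&2; return 1; }
  mkdir -p "$dir" || return 1
  tr -d '\r' < "$src" > "$dst.tmp" || return 1
  install -m 755 "$dst.tmp" "$dst" && rm -f "$dst.tmp" || return 1
  check_event_script "$dst"
}

# deploy_all -> the three hooks used in this thread; stops at the first one that cannot be installed
deploy_all() {
  install_event_script "$SCRIPT_SRC/fetch_key"  starting &&
  install_event_script "$SCRIPT_SRC/delete_key" started  &&
  install_event_script "$SCRIPT_SRC/fetch_key"  stopped
}

# In the go file: source this file, then run
#   deploy_all || echo "auto-unlock hooks NOT installed" >&2
# before starting /usr/local/sbin/emhttp.
```

Because the hooks are only tried once by emhttpd at array start, a bad copy shows up as nothing more than "Missing encryption key" in syslog; checking the installed file at deploy time turns that into a message that names the cause. The `install -D` lines in the version of bonienl's post quoted further down achieve the execute-bit part of this on their own, since GNU install creates files with mode 0755 when no `-m` is given, but they do not strip CR characters.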
3 hours ago, beckp said:

Although I have not upgraded to 6.10, I have not heard of any problems. What was your previous version? Starting with 6.8 the scripts (fetch_key & delete_key) stored on the flash drive do not have the executable attribute set for security reasons. When copied to the event folders they will not be executed since the attribute is not set.

Update your go file to add three change-mode (chmod) command lines after the three copy (cp) command lines.

chmod a+x /usr/local/emhttp/webGui/event/starting/fetch_key
chmod a+x /usr/local/emhttp/webGui/event/started/delete_key
chmod a+x /usr/local/emhttp/webGui/event/stopped/fetch_key

Hope this helps.

Thank you for your reply. What I have found out so far is that the scripts are in the right place. The permissions are also correct. The script is not executed and therefore the keyfile is not downloaded.

If I run the script manually it works.
Under Unraid 6.9.2 this always worked; I haven't changed anything since the upgrade to Unraid 6.10.

(screenshot) Go file (the events file contains the scripts with the correct permissions)

(screenshot) Script fetch_key after booting Unraid (with correct permissions)

(screenshot) fetch_key script

(screenshot) There is no keyfile after booting

(screenshot) When I run the script manually it works. It also worked without problems under Unraid 6.9.2. Since Unraid 6.10 the script fetch_key is no longer executed.

Regards

Thorsten
On 4/2/2018 at 8:01 AM, bonienl said:

A small variation if you want the key not to be present locally on the system when operational; the key is only needed during startup of the array.

In the go file the following is included before starting emhttp.

# auto unlock array
install -D /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting/fetch_key
install -D /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started/delete_key
install -D /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped/fetch_key

# start webGUI
/usr/local/sbin/emhttp &

The above makes use of the built-in event system of unRAID. These events are created:

starting : this event is called before the array is started and is used to fetch the key from a remote source

started : this event is called after the array is fully operational and is used to delete the key locally.

stopped : this event is called after the array is stopped and is used to fetch the key again from a remote source

The script "fetch_key" can be any method to obtain the key remotely, e.g. using a mount method or an FTP (wget) method as explained in the video of @gridrunner

The script "delete_key" is a simple file to delete the key locally.

fetch_key

#!/bin/bash

if [[ ! -e /root/keyfile ]]; then
  mkdir -p /unlock
  mount -t cifs -o user=name,password=password,iocharset=utf8 //192.168.1.99/index /unlock
  cp -f /unlock/somefile.png /root/keyfile
  umount /unlock
  rm -r /unlock
fi

delete_key

#!/bin/bash

rm -f /root/keyfile

You can start and stop the array as usual, and the key will be automatically fetched each time, provided that the remote service is up and running.

The files "fetch_key" and "delete_key" need to be stored on your flash device. I've created the folder /custom/bin to hold my custom scripts, but one is free to choose their own source folder; please update the lines in the go file accordingly.

Has anyone had this process break once updating to 6.10 or other newer versions? I went from like 6.7 or 6.8 to 6.10.

It just doesn't work now, but it did consistently. I'm not seeing any message in the console, but I could just be missing it.
