bonienl

Encryption and auto-start

57 posts in this topic

20 minutes ago, JohnS said:

All the methods above are using servers on the LAN or remotely, which I can see the use case for, but could Unraid also use a similar method to BitLocker-protected Microsoft Windows, using an inserted USB flash drive which has the keyfile on it?

You can, but I don't really see the point. Physical access to the drives gives physical access to the USB key, and your encryption is no longer really helping you keep your data safe.


You would remove the key after booting/rebooting, as I do now with my Windows machine. If I'm away from home my wife has a copy of the USB key so she can restart the Windows server to access her files.

I'm looking to replace the windows machine with Unraid, so the same method would be helpful.


Hello all,

I just set a similar thing up, but Unraid is a slave of a "keyserver" that is a Pi on my network.

Here is the script used on the Pi. It can be called every minute by a cron task:

#!/bin/bash
# Runs on the Pi "keyserver" from cron (every minute). Take a lock first so a
# run that is still sleeping for the server to boot is not overlapped by the
# next cron invocation.
exec 9>/var/lock/unraid-unlock.lock
flock -n 9 || exit 0

server_address="192.168.1.234"
server_mac="00:A1:B2:3C:4D:EF"
ssh_key="/root/.ssh/id_rsa"
decryption_key="/root/.ssh/keyfile"
decrypted_testfile="/mnt/disk4/.decrypted"   # marker file living on an encrypted disk
boot_time="140s"

echo ""
echo "Checking connectivity:"
if ping -c1 "$server_address" >/dev/null; then
        echo "- Server online"
else
        echo "- Oops, server offline"
        echo "- Waking up server on lan"
        # wakeonlan -i sets the destination address; the unicast IP only works while
        # it is still in the Pi's ARP cache, otherwise use the subnet broadcast address
        wakeonlan -i "$server_address" "$server_mac"
        echo "- Waiting $boot_time for server to start"
        sleep "$boot_time"
fi
echo ""
# The remote [[ -f ... ]] tests rely on root's login shell on Unraid being bash
if ssh -q -i "$ssh_key" root@"$server_address" "[[ -f $decrypted_testfile ]]"; then
        echo "- Decrypted"
        if ssh -q -i "$ssh_key" root@"$server_address" '[[ -f /root/keyfile ]]'; then
                echo "- Deleting decryption key"
                ssh -i "$ssh_key" root@"$server_address" 'rm /root/keyfile'
        fi
else
        echo "- Encrypted"
        echo "- Sending decryption key.."
        scp -i "$ssh_key" "$decryption_key" root@"$server_address":/root/keyfile
        echo "- Starting emhttp.."
        echo "- Waiting for array.."
        ssh -i "$ssh_key" root@"$server_address" '/usr/local/sbin/emhttp &'
        # poll until the marker file on the encrypted disk becomes visible
        while ! ssh -q -i "$ssh_key" root@"$server_address" "[[ -f $decrypted_testfile ]]"; do
                sleep 5
        done
        echo "- Array mounted and decrypted"
        echo "- Deleting decryption key"
        ssh -i "$ssh_key" root@"$server_address" 'rm /root/keyfile'
        echo ""
        echo "All done!"
fi
echo ""

Note: to be adapted according to your needs. server.local is to be replaced by the Unraid IP if it is not resolved.

If you have any comment/question, please tell/ask ;)

Edited by Reynald

This forum helped me a lot so I also wanted to share my "Unlocking" process for Unraid, maybe this is interesting to someone.

My goal was kind of a 2-factor authentication with my phone, to be able to react if UNRAID boots up when I am not home and see what happened.

Maybe you have some more ideas, or please let me know if there are any security breaches/concerns as I am quite new to the Linux world.

My go file looks like this:

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &

# Send a Pushover message that UNRAID started and needs the keyfile
# (TOKENID / USERID are the Pushover application token and user key)
curl -s \
  --form-string "token=TOKENID" \
  --form-string "user=USERID" \
  --form-string "message=UNRAID STARTED" \
  --form-string "priority=1" \
  https://api.pushover.net/1/messages.json

This means after a reboot I get a Pushover notification on my Android.

The buzzword "UNRAID STARTED" triggers Tasker to close this Pushover notification and instead show me a new notification with an "UNLOCK" button on it.

This Unlock button will trigger my OpenVPN to access my local network, then it will ssh into my Unraid server with the following command:

ssh root@SERVER "pkill emhttpd && echo -n 'YOUR-KEY-HERE' > /root/keyfile && /usr/local/sbin/emhttp"

Especially on the last part with the pkill emhttpd I am not sure if this is a clean solution. Probably you have better ideas.


@dweb emhttp is not meant to be restarted AFAIK.

You might want to just move the emhttp startup to the very end, while doing a loop waiting for the keyfile before starting emhttp. This is untested and might have a nasty side effect of disabling the unRAID GUI until you've provided the keyfile.

while [ ! -f /root/keyfile ]; do
  sleep 60
done

Maybe the others know the CLI command for stopping and starting the array - so you can restart it instead.


I was further searching in the forum and ended up with the following code, which my phone sends via ssh:

echo -n 'YOUR_KEY' > /root/keyfile \
&& CSRF=$(grep -oP 'csrf_token="\K[^"]+' /var/local/emhttp/var.ini) \
&& curl -k --data "startState=STOPPED&file=&csrf_token=${CSRF}&cmdStart=Start&luksKey=/root/keyfile" http://localhost/update.htm

First it generates the keyfile, then it reads the CSRF token for the web UI, then it starts the array with the token and the keyfile.

Seems to work so far.
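The pieces of the unlock flow discussed in this thread (the wait-for-keyfile loop suggested for the go file, and the csrf_token / update.htm start command dweb ended up with) as one set of shell helpers. This is an added example, not code from any of the posts above: the var.ini field name, the update.htm form fields and the /root/keyfile path come from the thread, while the function names, the timeout values, the marker-file argument and the sample var.ini content in the usage comments are this example's own assumptions. Compared with the one-liners in the thread it reads the key from stdin (so it never sits on a command line or in shell history), creates the keyfile with mode 0600, refuses to post to update.htm with an empty token, bounds the wait instead of looping forever, and removes the keyfile once the array is up.

```shell
#!/bin/bash
# Added example: helpers for "write keyfile, start encrypted array, clean up" on Unraid.
# Assumed names/values (not from the thread): function names, timeouts, marker path.

# Pull csrf_token out of an emhttp var.ini read from stdin.
# Same idea as grep -oP 'csrf_token="\K[^"]+' but without needing PCRE grep.
extract_csrf_token() {
    sed -n 's/^csrf_token="\([^"]*\)".*/\1/p' | head -n 1
}

# Build the update.htm form body used in the thread, substituting token and keyfile path.
# Refuses an empty token so an unauthenticated request is never sent.
build_start_form() {
    local csrf="$1" keyfile="$2"
    [ -n "$csrf" ] || { echo "empty csrf token" >&2; return 1; }
    printf 'startState=STOPPED&file=&csrf_token=%s&cmdStart=Start&luksKey=%s' "$csrf" "$keyfile"
}

# Write the key (from stdin) to the keyfile with mode 0600 and verify the mode.
# Reading from stdin keeps the key out of argv and shell history, unlike echo -n 'KEY'.
write_keyfile() {
    local path="$1"
    ( umask 077 && cat > "$path" ) || return 1
    case "$(ls -l "$path" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) echo "unexpected mode on $path" >&2; return 1 ;;
    esac
}

# Poll for a file with a timeout (seconds) instead of an unbounded loop.
# Returns 0 once the file exists, 1 on timeout.
wait_for_file() {
    local path="$1" timeout="${2:-600}" interval="${3:-5}" waited=0
    while [ ! -f "$path" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# Remove the keyfile once it is no longer needed. Unraid's rootfs is RAM-backed,
# so rm is sufficient; shred -u is used when available as an extra measure.
remove_keyfile() {
    local path="$1"
    [ -e "$path" ] || return 0
    if command -v shred >/dev/null 2>&1; then shred -u "$path"; else rm -f "$path"; fi
}

# Glue for the server side of the phone's ssh command. The marker file is a file
# that only exists once an encrypted disk is mounted (assumed path, as in the
# keyserver script earlier in the thread).
# Usage (on the Unraid box):  printf '%s' "$KEY" | unlock_array /root/keyfile /mnt/disk1/.decrypted
unlock_array() {
    local keyfile="${1:-/root/keyfile}" marker="${2:-/mnt/disk1/.decrypted}" csrf form
    write_keyfile "$keyfile" || return 1
    csrf=$(extract_csrf_token < /var/local/emhttp/var.ini) || return 1
    form=$(build_start_form "$csrf" "$keyfile") || { remove_keyfile "$keyfile"; return 1; }
    curl -s -k --data "$form" http://localhost/update.htm >/dev/null
    wait_for_file "$marker" 300 5
    local rc=$?
    remove_keyfile "$keyfile"
    return $rc
}
```

The keyfile is removed whether or not the array came up within the timeout, so a failed unlock does not leave the key sitting in /root; the caller sees the failure through the return code and can re-send the key.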
On 1/4/2020 at 2:02 AM, dweb said:

This forum helped me a lot so I also wanted to share my "Unlocking" process for Unraid, maybe this is interesting to someone.

[...]

Hey, your Tasker script sounds amazing! Any chance of sharing it?
