pwm Posted June 2, 2018

1 hour ago, nuhll said:
> Thanks. How good is the wifi? I mean, is it normal wifi, like, if I put my phone and test where wlan is working, will pi have the same results or is it worse? Has anyone exp with these small Pis?

You could reverse the question and it would still be impossible to answer. I.e. if the RPi can connect - how could we know if your phone will also be able to connect given that different phones have better or worse antenna?

But if the goal is just to have the RPi as a hidden key locker, then you don't need a huge bandwidth. The biggest problem is that it needs power, so anyone searching for it can start by visiting all wall power connectors and then follow the cables.

JonathanM Posted June 2, 2018

1 hour ago, pwm said:
> The biggest problem is that it needs power, so anyone searching for it can start by visiting all wall power connectors and then follow the cables.

Just keep it unplugged when not needed to boot the server. Just a random bit of electronics in the junk room.

Or, since it doesn't need much power, if you really wanted to be stealthy and secure you could mount it on your roof in a standalone box with battery and solar. Kind of a security through obscurity. Who would even think to investigate a solar battery charger control box, much less associate it with being the key to unlocking your server?

Or, piggyback it inside another device that normally hangs around plugged in, like a lamp or something. The possibilities are endless.

pwm Posted June 2, 2018

5 minutes ago, jonathanm said:
> The possibilities are endless.

Of course. But the #1 step is to realize that a RPi visibly connected to power (and especially if not connected to something else, like the HiFi system looking like a media player) will always be a prioritized target for someone really interested in the installed computer equipment.

A WiFi-connected RPi can give important information about how to access the WiFi network and so give even more information about how to attack the rest of the network.

NewDisplayName Posted June 2, 2018

I mean it this way. E.g. I bought one of the first Intel NUCs, they have incredible crap wifi. That's why I asked about exp with it. I never had a pi (bc I never found a useful scenario for it).

I guess no one will ever come to the idea to search for the hidden key somewhere on my ground, power can be obtained. 100% secure and 100% automatic is not possible, I guess. But I think it's a good idea: cheap, easy, and adds a whole new security layer on top.

Only question left is, is it now possible to create encrypted array, without deleting everything?

pwm Posted June 2, 2018

1 hour ago, nuhll said:
> Only question left is, is it now possible to create encrypted array, without deleting everything?

There is no support for in-place encryption. And since the LUKS encryption is block-level and sitting below the file system, it isn't something that is easy for Limes to implement - you need to shrink and move the file system since LUKS needs space for an additional header. And in the same way it isn't something that is easy for the LUKS coders to implement, since the different file systems have different needs. So it's basically the file system guys that should have to write the in-place upgrade support for their own file systems.

In the end, for the user it's similar to replacing the file system on the disks - you need to clear out the contents from a disk. Then you can reformat and at the same time add encryption. And then restore the data and start the process with the next disk.

tr0910 Posted June 2, 2018

1 hour ago, nuhll said:
> I guess no one will ever come to the idea to search for the hidden key somewhere on my ground, power can be obtained. 100% secure and 100% automatic is not possible, I guess. Only question left is, is it now possible to create encrypted array, without deleting everything?

Or you can have it located offsite at somebody else's house and connect over the internet for the key. I wouldn't suggest wifi as that is only one more thing to go wrong. But I don't see this as being an increased level of security for determined folks. If they really want your data, they will find the rpi. The only thing in your favor is you may be able to destroy the rpi before they find it. If this is good enough for you, see @gridrunner and @bonienl approach using your cell phone as the rpi. Fundamentally the rpi doesn't add more security than your cell would.

You can create your encrypted array by converting one disk at a time. Thankfully @dlandon has updated unassigned devices plugin to support encrypted disks. What you cannot do is format the disks via unassigned devices. And you cannot convert a disk in-place without having a spare disk to copy to. It really is the same process as converting your disks from ReiserFS to XFS or BTRFS file system.

NewDisplayName Posted June 2, 2018

My location is perfect for hiding the rpi, I have multiple buildings, big garden, cat house... I could even put it underground, if wifi works.

Manual moving everything and encryption is not really a thing I wanna do... I guess I wait until limetech implement it. Or someone write a script for it... free space/hdds I have at least.

Edited June 2, 2018 by nuhll

bphillips330 Posted July 9, 2018

I need to get this setup on my Raspberry. Need to figure out how when I get the elusive free time!

sgt_spike Posted September 3, 2018

On 4/5/2018 at 3:12 AM, Dirk_Platt said:
> I took the following approach to implement this using a free cloud solution:
> 1) signed up for a free account on https://sandstorm.io/
> 2) installed the "FileDrop"-App out of their "app market" (project itself is hosted here: https://github.com/zombiezen/filedrop/)
> 3) Uploaded the keyfile there
> 4) Generated a read-only Web-Key (Role "viewer") to access this from my Unraid box. This returns you an access URL: https://api-<someApiKey>.oasis.sandstorm.io#<someAuthToken>
> 5) modified bonienl's fetch_key script to fetch the keyfile via
>     curl -H 'Authorization: Bearer <someAuthToken>' -s https://api-<someApiKey>.oasis.sandstorm.io/file/keyfile > keyfile
> The <someApiKey> and <someAuthToken> are to be replaced with the actual values seen in your access URL.
> Works like a charm for me ... thanks for all the great ideas here

What would the fetch_key (commands) file look like?

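Added example (not part of the original posts, and not bonienl's fetch_key script): one way a fetch script for the bearer-token download quoted above could look, refusing to install an empty or failed download, since an empty keyfile ends up as a "wrong key" error at array start. KEY_URL, KEY_TOKEN, KEY_DEST and both function names are assumptions made for this sketch; /root/keyfile is the path used elsewhere in this thread.

```shell
#!/bin/bash
# Added example: fetch a keyfile over HTTPS and install it only if it looks sane.
# KEY_URL / KEY_TOKEN are placeholders for the values from your own access URL.

# install_keyfile SRC DEST: refuse missing or empty files, then move into place with mode 0600.
install_keyfile() {
    src=$1; dest=$2
    # A zero-byte download (bad path, expired token) must never replace a key.
    if [ ! -s "$src" ]; then
        echo "keyfile: fetched file is missing or empty, not installing" >&2
        return 1
    fi
    chmod 600 "$src" || return 1
    # Rename within the same directory, so DEST is never half-written.
    mv -f "$src" "$dest"
}

# fetch_key URL TOKEN DEST: download to a temp file next to DEST, then validate and install.
fetch_key() {
    url=$1; token=$2; dest=$3
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # --fail: an HTTP error (401, 404) gives a non-zero exit instead of
    # saving the error page as the key. Note that the token is visible in
    # the process list while curl runs, as with the command quoted above.
    if ! curl --fail --silent --show-error --max-time 30 \
            -H "Authorization: Bearer ${token}" -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    install_keyfile "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}

# Run only when both values are supplied, e.g. when called from the go file.
if [ -n "${KEY_URL:-}" ] && [ -n "${KEY_TOKEN:-}" ]; then
    fetch_key "$KEY_URL" "$KEY_TOKEN" "${KEY_DEST:-/root/keyfile}"
fi
```

The token sits in plain text wherever this script or the go file stores it, so a read-only role for that token limits what a copy of the flash drive gives away.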
jj_uk Posted January 1, 2019

I have a rpi zero wifi that is running vsftpd. The key file is pulled from that when required. A wifi rpi is easy to hide. Won't stop law enforcement finding it though.

To get this to work, your go file on your flash drive will contain the plain text login info for the rpi ftp server. It's a shame unraid can't internally encrypt this info somehow!

The key file has to be backed up somewhere, so I have the key file saved on a USB key (hidden) and on my Backblaze account. Remember to always have 3-2-1 backups of your key file! SD cards and USB sticks will not last forever and have a tendency to just fail without any warning.

A good 'key' would be the first 1k characters from an ebook. If you lose all key copies, you can buy the ebook and get back your key - hopefully.

I set this up because I was bored. A USB key inserted then removed when an array start is required would have been ok for my use case as I don't stop the array very often.

Edited January 1, 2019 by jj_uk

scubieman Posted October 25, 2019

I did this but it's saying wrong encryption key. I did cp /root/keyfile /boot/keyfile, then copied that from flash to my phone. So it should be copying from my phone?

NewDisplayName Posted October 25, 2019

2 hours ago, scubieman said:
> I did this but it's saying wrong encryption key. I did cp /root/keyfile /boot/keyfile, then copied that from flash to my phone. So it should be copying from my phone?

How should unraid access your phone?

scubieman Posted October 25, 2019

21 minutes ago, nuhll said:
> How should unraid access your phone?

Nuhll. Thanks for the reply. I got it. Turns out the encryption key on my phone was empty. It works fine now that I corrected that.

7hr08ik Posted October 26, 2019

Hey guys,

So, I'm a slight id10t.

Updated to 6.8.0-rc3, and then to 6.8.0-rc4 2 days ago. Yesterday I finally got bored with having to go through the rigmarole of unlocking the server every time she boots up. (My system shuts down every night, that's just how I have it.) Also, I'm using KeepassXC with stupid long crazy passwords.

Found this video, but..... As of rc1 "emhttpd: do not write /root/keyfile if encryption passphrase provided via webGUI"

So how do I get the keyfile without rolling back to an old USB backup? I know there's gonna be a command somewhere but my googlefu is broken.

scubieman Posted October 26, 2019

Video will tell you how to get keyfile.

7hr08ik Posted October 26, 2019

1 hour ago, 7hr08ik said:
> Found this video, but..... As of rc1 "emhttpd: do not write /root/keyfile if encryption passphrase provided via webGUI"

Erm.... This update in 6.8.0.rc1 means the keyfile is not written. So I can't copy it to my phone as it is not written. I'm asking for the command to write it manually, but I can't seem to use my amazing googlefu.

If someone could help me with this, then I could follow the rest of video and get things setup. I'm hoping to do this without rolling back to a USB backup.

Thanks

Edited October 26, 2019 by 7hr08ik

scubieman Posted October 26, 2019

> Erm.... This update in 6.8.0.rc1 means the keyfile is not written. So I can't copy it to my phone as it is not written. I'm asking for the command to write it manually, but I can't seem to use my amazing googlefu.
> If someone could help me with this, then I could follow the rest of video and get things setup. I'm hoping to do this without rolling back to a USB backup.
> Thanks

I do it. I'm on rc4.

7hr08ik Posted October 26, 2019

Really? I get this....

    Linux 5.3.7-Unraid.
    Last login: Sat Oct 26 13:14:30 +0100 2019 on /dev/pts/0.
    root@Hal-9000:~# cp /root/keyfile /boot/keyfile
    cp: cannot stat '/root/keyfile': No such file or directory
    root@Hal-9000:~#

So, I checked the changelog for 6.8.0-rc and found

    emhttpd: do not write /root/keyfile if encryption passphrase provided via webGUI

under the Management section of rc1.

7hr08ik Posted October 26, 2019

Unlocking my array via firefox from desktop

scubieman Posted October 26, 2019

Did you start array before copying keyfile?

7hr08ik Posted October 26, 2019

Yes. Booted server > Opened firefox on desktop > logged in > Entered encryption password > unlocked array

Then opened terminal from link in toolbar, and voila....problem

scubieman Posted October 26, 2019

Not sure, sorry. Worked for me.

7hr08ik Posted October 26, 2019

No problem. Maybe you had the file there from a previous use? I've never gone through this, so will be creating the file for the first time.

I'm just trying to figure out if there's a command to force print/write the currently used keyfile, as the new build seems setup to not write automatically.

scubieman Posted October 26, 2019

From what I know, keyfile is written each time array is started. That's why you must edit go file to copy over each time on boot.

7hr08ik Posted October 26, 2019

Yeah, we're editing the go file to bring the keyfile over from the FTP server. But in order to do that, I need the keyfile in the first place to put onto the FTP, and from what I see, the new build has been tweaked to NOT write the keyfile when unlocking the array (from the webGUI at least).

Is there another way to unlock the array? Through terminal perhaps, that would print the keyfile?