** VIDEO GUIDE ** How to securely autostart an encrypted unRAID array


Recommended Posts

1 hour ago, nuhll said:

Thanks. How good is the wifi? I mean, is it normal wifi, like, if i put my phone and test where wlan is working, will pi have the same results or is it worser? Has anyone exp with this small pis?

 

You could reverse the question and it would still be impossible to answer. I.e. if the RPi can connect - how could we know if your phone will also be able to connect given that different phones have better or worse antenna?

 

But if the goal is just to have the RPi as a hidden key locker, then you don't need a huge bandwidth. The biggest problem is that it needs power, so anyone searching for it can start by visiting all wall power connectors and then follow the cables.

Link to comment
1 hour ago, pwm said:

The biggest problem is that it needs power, so anyone searching for it can start by visiting all wall power connectors and then follow the cables.

 

Just keep it unplugged when not needed to boot the server. Just a random bit of electronics in the junk room.

 

Or, since it doesn't need much power, if you really wanted to be stealthy and secure you could mount it on your roof in a standalone box with battery and solar. Kind of a security through obscurity. Who would even think to investigate a solar battery charger control box, much less associate it with being the key to unlocking your server?

 

Or, piggy back it inside another device that normally hangs around plugged in, like a lamp or something.

 

The possibilities are endless.

Link to comment
5 minutes ago, jonathanm said:

 

The possibilities are endless.

 

Of course. But the #1 step is to realize that a RPi visibly connected to power (and especially if not connected to something else, like the HiFi system looking like a media player) will always be a prioritized target for someone really interested in the installed computer equipment. A WiFi-connected RPi can give important information about how to access the WiFi network and so give even more information about how to attack the rest of the network.

Link to comment

I mean it this way. e.g. i bought one of the first intel nucs, they have incredible crap wifi. Thats why i asked about exp with it. I never had a pi (bc i never found a usefull scenario for it).

 

I guess no one will ever come to the idea to search for the hidden key somewhere on my ground, power can be obtained. 100% secure and 100% automatic is not possible, i guess.

 

But i think its a good idea: cheap, easy, and adds a whole new security layer on top.

 

Only question left is, is it now possible to create encrypted array, without deleting everything?

 

 

Link to comment
1 hour ago, nuhll said:

Only question left is, is it now possible to create encrypted array, without deleting everything?

 

There is no support for in-place encryption. And since the LUKS encryption is block-level and sitting below the file system, it isn't something that is easy for Limes to implement - you need to shrink and move the file system since LUKS needs space for an additional header. And in the same way it isn't something that is easy for the LUKS coders to implement, since the different file systems has different needs. So it's basically the file system guys that should have to write the in-place upgrade support for their own file systems.

 

In the end, for the user it's similar to replacing the file system on the disks - you need to clear out the contents from a disk. Then you can reformat and at the same time add encryption. And then restore the data and start the process with the next disk.

Link to comment
1 hour ago, nuhll said:

I guess no one will ever come to the idea to search for the hidden key somewhere on my ground, power can be obtained. 100% secure and 100% automatic is not possible, i guess.

 

Only question left is, is it now possible to create encrypted array, without deleting everything?

 

Or you can have it located offsite at somebody else's house and connect over the internet for the key.  I wouldn't suggest wifi as that is only one more thing to go wrong.  But I don't see this as being an increased level of security for determined folks.  If they really want you data, they will find the rpi.  The only thing in you favor, is you may be able to destroy the rpi before they find it.  If this is good enough for you, see @gridrunner and @bonienl approach using your cell phone as the rpi.  Fundamentally the rpi doesn't add more security than  your cell would.

 

You can create your encrypted array by converting one disk at a time.  Thankfully @dlandon has updated unassigned devices plugin to support encrypted disks.  What you cannot do is format the disks via unassigned devices.  And you cannot covert a disk in-place without having a spare disk to copy to.  It really is the same process as converting your disks from ReiserFS to XFS or BTRFS file system.

 

 

Link to comment

My location  is perfect for hiding the rpi, i have multiple buildings, big garden, cat house... :P i could even put it underground, if wifi works.

 

Manual moving everything and encryption is not really a thing i wanna do... i guess i wait until limetech implement it. or someone write a script for it... :) free space/hdds i have atleast.

 

 

Edited by nuhll
Link to comment
  • 1 month later...
  • 1 month later...
On 4/5/2018 at 3:12 AM, Dirk_Platt said:

I took the following approach to implement this using a free cloud solution:

 

1) signed up for a free account on https://sandstorm.io/ 

2) installed the "FileDrop"-App out of their "app market" (project itself is hosted here: https://github.com/zombiezen/filedrop/)

3) Uploaded the keyfile there

4) Generated a read-only Web-Key (Role "viewer") to access this from my Unraid box this returns you an access URL:  https://api-<someApiKey>.oasis.sandstorm.io#<someAuthToken> 

5) modified bonienl's fetch_key script to fetch the keyfile via 'curl -H 'Authorization: Bearer <someAuthToken>' -s https://api-<someApiKey>.oasis.sandstorm.io/file/keyfile > keyfile'

 

The <someApiKey> and <someAuthToken> are to be replaced with the aktual values seen in your access URL o.O

 

Works like a charm for me ... thanks for all the great ideas here :D

What would the fetch_key (commands) file look like?

Link to comment
  • 3 months later...

I have a rpi zero wifi that is running vsftpd.  The key file is pulled from that when required.

A wifi rpi is easy to hide.  Won't stop law enforcement finding it though. To get this to work,  your go file on your flash drive will contain the plain text login info for the rpi ftp server. It's a shame unraid can't internally encrypt this info somehow!

 

The key file has to be backed up somewhere,  so I have the key file saved on a USB key (hidden) and on my back blaze account.

 

Remember to always have 3-2-1 backups of your key file! SD cards and USB sticks will not last forever and have a tendency to just fail without any warning.

 

A good 'key' would be the first 1k characters from an ebook. If you lose all key copies, you can buy the ebook and get back your key- hopefully.

 

I set this up because I was bord. A USB key inserted then removed when an array start is required would have been ok for my use case as I don't stop the array very often.

Edited by jj_uk
Link to comment
  • 9 months later...

Hey guys,

 

So, im a slight id10t :)

 

Updated to 6.8.0-rc3, and then to 6.8.0-rc4 2 days ago. Yesterday I finally got bored with having to go through the rigmarole of unlocking the server every time she boots up. (My system shuts down every night, thats just how i have it) Also, im using KeepassXC with stupid long crazy passwords.

 

Found this video, but.....

As of rc1 "emhttpd: do not write /root/keyfile if encryption passphrase provided via webGUI"

 

So how do i get the keyfile without rolling back to an old USB backup?

I know theres gonna be a command somewhere but my googlefu is broken.

Link to comment
1 hour ago, 7hr08ik said:

Found this video, but.....

As of rc1 "emhttpd: do not write /root/keyfile if encryption passphrase provided via webGUI"

Erm....

 

This update in 6.8.0.rc1 means the keyfile is not written. So i cant copy it to my phone as it is not written.

Im asking for the command to write it manually, but i cant seem to use my amazing googlefu

 

If someone couls hepl pme with this, then i could follow the rest of video and get things setup. Im hoping to do this without rolling back to a USB backup

 

Thanks

Edited by 7hr08ik
Link to comment
Erm....
 
This update in 6.8.0.rc1 means the keyfile is not written. So i cant copy it to my phone as it is not written.
Im asking for the command to write it manually, but i cant seem to use my amazing googlefu
 
If someone couls hepl pme with this, then i could follow the rest of video and get things setup. Im hoping to do this without rolling back to a USB backup
 
Thanks
I do it. I'm on rc4

Sent from my Pixel 2 XL using Tapatalk

Link to comment

Really? I get this....

 

Linux 5.3.7-Unraid.
Last login: Sat Oct 26 13:14:30 +0100 2019 on /dev/pts/0.
root@Hal-9000:~# cp /root/keyfile /boot/keyfile
cp: cannot stat '/root/keyfile': No such file or directory
root@Hal-9000:~#

 

So, i checked the changelog for 6.8.0-rc and found

 

emhttpd: do not write /root/keyfile if encryption passphrase provided via webGUI

Under Management section of rc1

Link to comment

No problem.

Maybe you had the file there from a previous use?

I've never gone through this, so will be creating the file for the first time.

 

I`m just trying to figure out if there`s a command to force print/write the currently used keyfile. As the new build seems setup to not write automatically

Link to comment

Yeah, we're editing the go file to bring the keyfile over from the FTP server.

But in order to do that, I need the keyfile in the first place to put onto the FTP, and from what I see, the new build has been tweaked to NOT write the keyfile when unlocking the array (from the webGUI atleast)

 

Is there another way to unlock the array? Through terminal perhaps, that would print the keyfile?

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.