Jump to content
SpaceInvaderOne

** VIDEO GUIDE ** How to securely autostart an encrypted unRAID array

92 posts in this topic Last Reply

Recommended Posts

This video is a tutorial showing how to 'fairly securely' auto start an encrypted unRAID array by hosting the keyfile on an ftps server online
or a local ftp server on your cell phone.

 

 

Share this post


Link to post

This is for those users who don't want the key to be stored locally on the unRAID server (it is only needed when starting the array).

 

I made a small variation, see here. The methods to obtain a remote key as explained by @gridrunner, need to be moved from the go file to the dedicated script "fetch_key".

 

Share this post


Link to post

I took the following approach to implement this using a free cloud solution:

 

1) signed up for a free account on https://sandstorm.io/ 

2) installed the "FileDrop"-App out of their "app market" (project itself is hosted here: https://github.com/zombiezen/filedrop/)

3) Uploaded the keyfile there

4) Generated a read-only Web-Key (Role "viewer") to access this from my Unraid box this returns you an access URL:  https://api-<someApiKey>.oasis.sandstorm.io#<someAuthToken> 

5) modified bonienl's fetch_key script to fetch the keyfile via 'curl -H 'Authorization: Bearer <someAuthToken>' -s https://api-<someApiKey>.oasis.sandstorm.io/file/keyfile > keyfile'

 

The <someApiKey> and <someAuthToken> are to be replaced with the aktual values seen in your access URL o.O

 

Works like a charm for me ... thanks for all the great ideas here :D

Share this post


Link to post
13 hours ago, Dirk_Platt said:

I took the following approach to implement this using a free cloud solution:

 

1) signed up for a free account on https://sandstorm.io/ 

2) installed the "FileDrop"-App out of their "app market" (project itself is hosted here: https://github.com/zombiezen/filedrop/)

3) Uploaded the keyfile there

4) Generated a read-only Web-Key (Role "viewer") to access this from my Unraid box this returns you an access URL:  https://api-<someApiKey>.oasis.sandstorm.io#<someAuthToken> 

5) modified bonienl's fetch_key script to fetch the keyfile via 'curl -H 'Authorization: Bearer <someAuthToken>' -s https://api-<someApiKey>.oasis.sandstorm.io/file/keyfile > keyfile'

 

The <someApiKey> and <someAuthToken> are to be replaced with the aktual values seen in your access URL o.O

 

Works like a charm for me ... thanks for all the great ideas here :D

 

Nice :)

Share this post


Link to post

Thanks for the excellent video!

 

I adapted your idea to a file hosted on a nextcloud service, accessing the file with curl via webdav:

curl -u user:pass -o /root/keyfile https://mynextcloud.com/remote.php/webdav/keyfile

This works flawlessly. However, it takes a few seconds to complete (usually around 5-7s).

The thing is, this seems to be too long for unraid, as it tries to open the encrypted drives before the key is downloaded (that is my understanding at least). The array fails to autostart (see log below), but if i start it manually a few seconds later, it manages to open the key file, open the drives and start the array.

 

May 29 22:21:42 BackupTower emhttpd: shcmd (33): udevadm settle
May 29 22:21:43 BackupTower emhttpd: Opening encrypted volumes...
May 29 22:21:43 BackupTower emhttpd: shcmd (35): /usr/sbin/cryptsetup luksOpen /dev/md1 md1 --key-file /root/keyfile
May 29 22:21:43 BackupTower kernel: device-mapper: ioctl: 4.37.0-ioctl (2017-09-20) initialised: dm-devel@redhat.com
May 29 22:21:43 BackupTower root: Failed to open key file.
May 29 22:21:43 BackupTower emhttpd: shcmd (35): exit status: 1
May 29 22:21:43 BackupTower emhttpd: shcmd (37): /usr/sbin/cryptsetup luksOpen /dev/md2 md2 --key-file /root/keyfile
May 29 22:21:43 BackupTower root: Failed to open key file.
May 29 22:21:43 BackupTower emhttpd: shcmd (37): exit status: 1
May 29 22:21:43 BackupTower emhttpd: shcmd (39): /usr/sbin/cryptsetup luksOpen /dev/md3 md3 --key-file /root/keyfile
May 29 22:21:43 BackupTower root: Failed to open key file.
May 29 22:21:43 BackupTower emhttpd: shcmd (39): exit status: 1
May 29 22:21:43 BackupTower emhttpd: Missing encryption key
May 29 22:21:43 BackupTower kernel: mdcmd (40): stop
May 29 22:21:43 BackupTower kernel: md1: stopping
May 29 22:21:43 BackupTower kernel: md2: stopping
May 29 22:21:43 BackupTower kernel: md3: stopping
May 29 22:21:43 BackupTower avahi-daemon[9011]: Server startup complete. Host name is BackupTower.local. Local service cookie is *********

 

Any suggestion as to how i could either set a delay on the autostart or maybe force a new array start a few seconds later?

 

Any help would be much appreciated.

Share this post


Link to post

Look at my example of an event driven solution, a few posts up.

This allows to execute the script at the "right" time and it will wait for it to finish before proceeding.

 

Share this post


Link to post

Thats exacly what i did ... i followed bonienl's directions and just modified the fetch_key script with the appropriate command to fetch the key from my source. That works flawlessly.

 

The reason i didnt go for a nextcould solution is, that i had a bad Feeling replacing one secret stored on the unraid Server with another (your nextcloud username/password).

Share this post


Link to post
2 hours ago, bonienl said:

Look at my example of an event driven solution, a few posts up.

This allows to execute the script at the "right" time and it will wait for it to finish before proceeding.

 

Works like a charm! Thanks.

 

 

 

1 hour ago, Dirk_Platt said:

Thats exacly what i did ... i followed bonienl's directions and just modified the fetch_key script with the appropriate command to fetch the key from my source. That works flawlessly.

 

The reason i didnt go for a nextcould solution is, that i had a bad Feeling replacing one secret stored on the unraid Server with another (your nextcloud username/password).

I don't use my main nextcloud instance (which is hosted on unraid) to store the key, but rather a free provider https://woelkli.com/en where i only keep a duplicati encrypted backup of some stuff. I'm aware it's not an ideal solution, but it will do for my needs.

 

 

Share this post


Link to post
35 minutes ago, Lynxphp said:

Works like a charm! Thanks.

 

 

 

I don't use my main nextcloud instance (which is hosted on unraid) to store the key, but rather a free provider https://woelkli.com/en where i only keep a duplicati encrypted backup of some stuff. I'm aware it's not an ideal solution, but it will do for my needs.

  

 

 

I think i understood what you were doing ... but instead of storing the secret Keyfile on the unraid Server, now you have your credentials to access your free Provider nextcloud storage written in plain text in the "curl -u ..." Statement (within the fetch_key script). Thats what i meant with "replacing one secret with another".

 

But if thats fine for your needs, im the last one to complain :)

 

Greetings, Dirk

Share this post


Link to post

I''ve seen some very well thought out ideas here for starting encrypted arrays, but I haven't seen any discussion of some very strongly supported and well reputed 2 factor authentication systems like Google Authenticator, or Authy.  Two factor authentication was first implemented by sending an unlock code via cell text message, but spoofing cell text messages have not proven as unhackable as hoped.

 

I'll focus on Authy as it is my current solution but you might also want to look at Starling and Duo Security too.  Authy is 2 factor authentication supporting Android, iOS, Chrome apps, as well as Win32, Win64 and MacOS desktop solutions.  Authy creates a 6 digit random ever changing number for each service you link to it.  The 6 digit number changes every 60 seconds.  To use, you tell google that you want to set up 2 factor authentication, and then create an Authy secure entry that matches the google account.  Then you can have Google force you to enter the random 6 digit number every time you login, along with your password, or more infrequently such as every time you reboot.  (this is configurable based on your paranoia level).  The nice thing about Authy, is that it works without needing cell phone coverage as it is fully offline once set up.

 

I have changed stuff I want more secure over to Authy.   Facebook, gMail, hotmail, Amazon, Digital Ocean,  twitter,  AWS, Teamviewer etc now all support this approach.  Why Bank of America, Chase etc still don't support a system like this is beyond me. 

 

I have the Authy app on my phone protected by my fingerprint.  If you are wanting more flexibility, you can have Authy replicate to another device (say a Chrome browser or desktop) so that if you lose a device, you can still manage the account and unregister the lost device.

 

Could we lock down the unRaid encryption keyfile for encrypted array startup and only have it divulged based on a successful Authy 2 factor authentication challenge?

Edited by tr0910

Share this post


Link to post
10 hours ago, nuhll said:

Sorry, but isnt that also not that secure? I mean 6 digits?

 

Yes - with 1 miljon combinations it's quick to test a huge number of configurations to find one that works. It doesn't matter much that the receiver randomizes a new number every 60 seconds if it's possible to perform many tests per second.

 

Let's say a test takes 1 ms. Then 60000 numbers can be tested in a minute.

So testing the first 60000 numbers again and again would every minute give a 1/17 chance to try the correct code.

 

So a server that only relies on a 6-digit number needs to force a long delay between each test. And even then, the probability of hacking the 6 digit number will be millions of millions of times easier than attacking the actual crypto. 2FA is intended to be used together with some other security - not as the only security - that's the reason for the name two-factor authentication.

Share this post


Link to post

We would never want the 6 digit code being treated as a password. Of course it's not secure. But having it combined with an approved key file in classic 2fa way would be better than just the key file with no 2fa.

 

 

Share this post


Link to post

I understaned it this way he used the 6 digits to protect his accounts? But ofc, more security is always good.

 

To encrypt, do all data need to be deleted?

 

I would really like to encrypt my whole unraid system and only be bootable with e.g. smartphone near, so if "someone" takes the server, it cant be accessed.

 

Or maybe a rasperian pi somewhere in the wlan hidden somewhere.

 

Sounds like a good plan.

Edited by nuhll

Share this post


Link to post
1 hour ago, tr0910 said:

We would never want the 6 digit code being treated as a password. Of course it's not secure. But having it combined with an approved key file in classic 2fa way would be better than just the key file with no 2fa.

Just that if I'm allowed to make 1000 2FA tests/second I'll have access to the key within a couple of minutes. 2FA needs to be complemented with some form of timed blacklist - so minutes of blocking after every three failed attempts.

 

But the problem here is that if the 2FA is used as "is it ok to unlock", then the server must have access to the key  + passphrase already and just adds a manual "acknowledge" step.

 

It would be better if a phone contains an app that stores the passphrase.

So the server itself computes a 2FA and sends to your phone.

Your phone verifies the 2FA and if not ok (within +/- one time slots) opens a popup informing about failed attempt from unRAID server.

If 2FA test ok instead opens a popup asking "ok to unlock the unRAID key?".

If you press ok, then the phone sends out the passphrase to unlock the key.

 

Then the phone only includes a 2FA key and a passphrase.

And the unRAID server only includes an encrypted crypto key and a 2FA key.

You need to hack both sides to get access to the unencrypted disk key.

Or you need to loop enough 2FA attempts while the phone paces how many answers/minute it will allow.

Share this post


Link to post

Yep, I want to make sure that if by some strange bit of fate that the key is compromised, that the 2fa keeps them locked out.  The timing you suggest would do it.  And there could be a ramping up of the timing, after 3 sets of 3 failures, the server is locked for a few hours. 

 

This logic would have to be baked in very tightly, as you wouldn't want someone just changing the server bootup "go" file and defeating the security.

 

Share this post


Link to post
1 hour ago, tr0910 said:

Yep, I want to make sure that if by some strange bit of fate that the key is compromised, that the 2fa keeps them locked out.  The timing you suggest would do it.  And there could be a ramping up of the timing, after 3 sets of 3 failures, the server is locked for a few hours. 

 

This logic would have to be baked in very tightly, as you wouldn't want someone just changing the server bootup "go" file and defeating the security.

 

 

 

But remember that if all of your logic is on your unRAID server, then you have all that is needed to unlock on the server. If I unplug the USB stick, then I don't need to care about any 2FA since the encryption key is on the stick - and if you use a passphrase to unlock the encryption key then that passphrase is also on the stick. And if I find a hole in your network and manages to connect over SSH, then I don't need to unplug the USB stick to retrieve the required information to mount your array. Same issue if you happen to share your flash device over SMB.

 

Your 2FA ends up just being a slightly complicated way of saying "I agree" before mounting the array.

 

A good solution should allow someone to walk away with your machine and still not have access to any material that allows them to unlock any disks. That's why you would want the passphrase for decrypting the LUFS key file stored on your phone or some other device.

Share this post


Link to post

My biggest concern is would be if someone takes the server with them.

 

So if i put a rasp pi somewhere in the network (via wlan) they have the hardware, but cant do anything with it.


Can someone suggest a cheap pi with enclosure for dirty places?

Edited by nuhll

Share this post


Link to post
12 minutes ago, nuhll said:

My biggest concern is would be if someone takes the server with them.

 

So if i put a rasp pi somewhere in the network (via wlan) they have the hardware, but cant do anything with it.


Can someone suggest a cheap pi with enclosure for dirty places?

 

There's only really a Pi Zero or Pi 3 depends on how much you want to spend.  All the enclosures are pretty similar.

Share this post


Link to post

Cheap as possible, but wlan. Just needs to run a SMB service and SSH.


Does the pi zero works for what i want to do? 

edit: doesnt seem to have wlan!?


Do you still need to format all your data to enable encryption? 

Edited by nuhll

Share this post


Link to post
2 hours ago, nuhll said:

Cheap as possible, but wlan. Just needs to run a SMB service and SSH.


Does the pi zero works for what i want to do? 

edit: doesnt seem to have wlan!?


Do you still need to format all your data to enable encryption? 

 

Dunno where you're looking but Pi Zero does have wifi

Share this post


Link to post
9 hours ago, CHBMB said:

 

Dunno where you're looking but Pi Zero does have wifi

There are multiple Pi Zero models!    The base (cheapest) one does not have WiFi.   The Pi Zero W is the one that has WiFi (and Bluetooth) support added ar a little additional cost.

Share this post


Link to post
3 hours ago, itimpi said:

There are multiple Pi Zero models!    The base (cheapest) one does not have WiFi.   The Pi Zero W is the one that has WiFi (and Bluetooth) support added ar a little additional cost.

 

You're right, forgot that, thanks! :$

Share this post


Link to post

Thanks. How good is the wifi? I mean, is it normal wifi, like, if i put my phone and test where wlan is working, will pi have the same results or is it worser? Has anyone exp with this small pis?

 

For my case would the small one perfect, because i can hide it perfect somewhere, but i could ofc just get the "better" one

Share this post


Link to post

 

1 hour ago, nuhll said:

Thanks. How good is the wifi? I mean, is it normal wifi, like, if i put my phone and test where wlan is working, will pi have the same results or is it worser? Has anyone exp with this small pis?

 

For my case would the small one perfect, because i can hide it perfect somewhere, but i could ofc just get the "better" one

Whether the WiFi on the Pi Zero W is as good as your phone I have no idea, but my Pi Zero W connects via WiFi without problems from anywhere in my house so I would expect it would do the job for you.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.