** VIDEO GUIDE ** How to securely autostart an encrypted unRAID array



Isn’t the key file simply a text file containing the key you would otherwise enter via the GUI?    If so it should be trivial to create it manually.
I believe there are two types. One that uses a keyfile such as an image. The other is just a text file containing the passphrase.




Link to comment
8 minutes ago, scubieman said:

I believe there are two types. One that uses a keyfile such as an image. The other is just a text file containing the passphrase.



 

I think they are effectively the same thing!    It is just the image variant has binary data so cannot be entered manually.    In both cases the content of the file is used as the key.

Link to comment

You can't just open a text editor and write the text there.... xDxDxDxD (as far as I know)

 

Keyfile in unRAID means like the whole thing (like when you open a .jpg in a text editor)

 

I have a picture as my keyfile.

 

How to generate it out of the password itself, I guess that's something like

 

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: For info see http://www.gnupg.org

 

-----END PGP PUBLIC KEY BLOCK-----

 

Maybe write an email to limetech and ask? I link him here, maybe he sees it @limetech

Link to comment
19 hours ago, 7hr08ik said:

Well, can someone check their keyfile and confirm.

 

If all I have to do is make a file with the password in it, and call it `keyfile` then that's an easy fix.

 

But seems too easy

I have checked on one of my test systems by creating an encrypted disk with a passphrase and it appears that the keyfile contents IS just the passphrase.   Note that there is no end-of-line in the file so the file terminates at the last character of my passphrase.

Link to comment
48 minutes ago, 7hr08ik said:

Ok,

 

So, opened up kate, pasted in my passphrase, saved the file as `keyfile`

Tried opening the array using the keyfile, and no dice. Won't work

 

I'm gonna guess it's to do with the end-of-line. But not a clue about that.

 

It is critical that you do NOT have an end-of-line character present or that will be treated as part of the key.

Link to comment
10 minutes ago, itimpi said:

It is critical that you do NOT have an end-of-line character present or that will be treated as part of the key.

Hey,

 

I understand that I need to NOT have EOL. But I just don't know how to do it. All I did was paste my passphrase into the file, click save and close.

I'll try with nano and see if that makes any difference

Link to comment

I am not sure if nano will automatically add the end-of-line.   I used vi where I could control that.  

A quick check is to 'cat' the file.  If there is no end-of-line then the bash prompt ends up on the same line as the passphrase.

 

If you want the array to autostart then you are going to need to add an entry in the 'go' file to copy your saved keyfile to /root/keyfile

Link to comment
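The end-of-line check and fix discussed in the posts above, as an added example that is not part of any poster's message. It inspects the last byte instead of relying on where the prompt lands after `cat`; the function names are hypothetical and the sample passphrase is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find and remove the end-of-line byte
# that editors append to a passphrase keyfile. Text keyfiles only; a binary
# keyfile such as an image must be left byte-for-byte untouched.

nl='
'
cr=$(printf '\r')

# Succeeds if the last byte of file $1 is LF (0x0a).
ends_with_newline() {
    [ -s "$1" ] || return 1
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Write passphrase $1 to path $2 with no trailing newline, readable by owner only.
write_keyfile() {
    ( umask 077; printf '%s' "$1" > "$2" )
}

# Remove every trailing LF / CR from file $1 in place.
strip_eol() {
    content=$(cat "$1"; printf x)   # sentinel: $(...) alone would silently eat LFs
    content=${content%x}
    while :; do
        case $content in
            *"$nl") content=${content%"$nl"} ;;
            *"$cr") content=${content%"$cr"} ;;
            *) break ;;
        esac
    done
    printf '%s' "$content" > "$1"
}

# Byte length of file $1, for comparing against the passphrase length.
byte_len() {
    wc -c < "$1" | tr -d ' '
}

demo() {
    dir=$(mktemp -d); f="$dir/keyfile"
    echo 'constructed-passphrase' > "$f"   # constructed sample; editors save text + LF
    ends_with_newline "$f" && echo "before: trailing EOL, $(byte_len "$f") bytes"
    strip_eol "$f"
    ends_with_newline "$f" || echo "after: no EOL, $(byte_len "$f") bytes"
    rm -rf "$dir"
}
demo
```

A keyfile whose byte length is one or two more than the passphrase length almost always carries a trailing LF or CRLF.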
1 minute ago, 7hr08ik said:

Tried `cat`, and the output is all on 1 line

Sounds as if the file is correct then.   Have you made sure it has been copied to /root/keyfile before trying to start the array.

3 minutes ago, 7hr08ik said:

Also, vi is scary

I agree, but I have been using it for so long now that its use is almost instinctual 😁

Link to comment

Right, so far...

 

Created keyfile in kate + nano

    Used webUI to select keyfile from desktop through Firefox.

    Copied keyfile to /root

Checked 5 times passphrase in keyfile is definitely correct.

    End-of-line appears to be correct

For some reason, stopping the array is not enough, need to reboot server each time, to test.

    I know this because entering the normal passphrase after failed login with keyfile, will fail.

 

Surely there is a command in Linux to force print the currently used keyfile. I mean, up until 6.8.0-rc1 the keyfile was printed to /root/keyfile, and we were simply copying it to be used for this unlocking method. The new update stops emhttp from printing the file. So there's got to be a command I can use in terminal and have the server print/create/write the keyfile it is currently using, on unlocked array, to disk so I can copy it?

 

Link to comment

Right,

 

-Server started and unlocked using normal passphrase, through firefox

-Phone given static IP on router

-Edited go file exactly as shown

    Although unsure as to which ` ' I'm supposed to use around the password (tried both)

    Attempted all possible combinations of ` ' and without, IP address is correct, file path is correct (tried several different paths)

-Logs don't show any attempt to access ftp let alone failed attempts for me to debug

 

Screw it, I'll stick to passwords. This shouldn't be this damn difficult.

Link to comment

Tried manually copying the keyfile to /root

Rebooted

No luck

 

Because the keyfile that was there, is no longer there???

 

root@Hal-9000:~# cp /boot/keyfile /root/keyfile
root@Hal-9000:~# ls
keyfile  mdcmd@
root@Hal-9000:~# 
Broadcast message from root@Hal-9000 (Sun Oct 27 14:23:05 2019):

The system is going down for reboot NOW!
Connection to 192.168.1.100 closed by remote host.
Connection to 192.168.1.100 closed.
rob@pop-os:~$ ssh [email protected]
[email protected]'s password: 
Linux 5.3.7-Unraid.
root@Hal-9000:~# ls
mdcmd@
root@Hal-9000:~# 

 

Link to comment
