Venting - Encryption and passwords (Why I wiped 20+TB)


A little bit about my setup before starting: it used to be FreeNAS, then I started using Ubuntu Server + Docker (ZFS), and that was great, but I wanted a GUI to tie it all together more elegantly, which Unraid does.

Backed up to an external device, wiped the ZFS share, redid it as Unraid, and last night after 3 days I finally got to play with Docker since my media has been restored. I didn't use the GUI Dockers, just docker-compose and a bit of editing to match the new mount paths.


Before I say this next part, I'll tell you right now I have had a bad experience with keyfiles. I saved a lot of sensitive information to an encrypted file one time and lost my keyfile. I found it on a different drive that I had put away, but I'm not sure if the attributes or metadata were wrong or anything; the long and short of it is I lost the encrypted data. After that, I told myself never to bother with them again. That is why you will never see me using keyfiles in anything that I have. Just plain passwords are fine and more reliable for me.

Okay, so I had this encrypted share, an encrypted BTRFS unassigned SSD which held my Docker containers, and I had to punch in my password every time the machine booted up. I chose to test this to make sure things run smoothly when I just want to leave it alone. Dockers won't boot until I enter my password and mount the array, okay, I do that. Now my docker files drop a symlink and create data in the folder I had specified (weird, but whatever, I can delete it and put the symlink back; the symlink maps /mnt/disk/ssd/appdata/dockers to /config so my docker-compose scripts won't need too much editing).


I realize what I need is some way to automatically mount my password-protected array (which also mounts the unassigned SSD) so my docker containers never have that issue again starting up. I spent an hour trying to make it work, just copied the keyfile from /root out and used the same steps the guys are using for the keyfile method but locally. I reboot, my new folder containing the key, /unlock, is gone, and I've decided to quit fooling around and go to the forums to look for an answer. Get told it's just a file and can be automated, I get tired of tinkering, wipe my array to XFS and, because I lost my docker.img file (it was moved to the SSD), had to re-install my USB. The USB drive now has activation issues which I'm holding on support for. This time, I'm doing normal XFS and normal BTRFS for the SSD without any sort of encryption, and I expect my docker containers to work exactly like they should.


...I still want that encryption though, maybe I'll play with it again, because I'd hate to come back and want to change it over at this point. It just sucks that I wiped everything in order to simplify my array.

2 minutes ago, Trunkton said:

because I lost my docker.img file (it was moved to SSD) had to re-install my USB.

I don't use encryption, so can't / won't comment on everything else, but curious about this and this:

2 minutes ago, Trunkton said:

The USB drive now has activation issues

3 minutes ago, Squid said:

I don't use encryption, so can't / won't comment on everything else, but curious about this and this:


Docker.img and the VM files first seeded to the array were moved manually to the unassigned SSD (instead of copied), which meant even with my wiped array I couldn't use Docker because that file wasn't present in the array or SSD any longer. I googled for the file to see if there was mention of it on the forums here, with nothing; the only way that I know to get it back is to redo things from scratch.


I power the system down, wipe the USB, redo it and get an error from the keyfile that my GUID isn't recognized anymore. I'm not sure if wiping it changed it or what, but I will say this: I attempted to activate with the wrong key at first, but tried my current one (which I forgot I had) and had the same problem with activation. Now the license issue is in the hands of support for further action, which I trust will be resolved; it just sucks I have to wait it out now.

1 minute ago, Trunkton said:

Docker.img...were moved manually to unassigned SSD...I couldn't use Docker because that file wasn't present in the array or SSD any longer.

Not that it matters now, but all you would have had to do was change the location of the docker.img file in Settings - Docker (after stopping the service) to reflect where you moved it to.

1 minute ago, Squid said:

Not that it matters now, but all you would have had to do was change the location of the docker.img file in Settings - Docker (after stopping the service) to reflect where you moved it to.

It had been moved to the unassigned SSD which I had to wipe; there were no copies left, unfortunately.


UPDATE: I rebooted and tried my key again, and it works! I am not sure what happened: one attempt with my invalid key, then it won't take the good key until you reboot. Just glad it works and I don't have to hold for support. Emailed to close the ticket.


I hate that I never tried this before wiping my array

>_<

Auto-mount works. I am gonna copy things back in, restore the symlink and try my containers out again. The only way this can all go sideways now is if, after all that, the docker containers attempt to boot before the array does or something, which I didn't plan for.


If the encrypted data auto-unlocks, what's the point of having it encrypted? My data is all encrypted, and at each boot I give it the miles-long password and the array starts up when I hit start. Unless someone has the password my data is useless to them. If it simply started up they need only take the array and press the power button - crypto defeated...


Hey BLKMGK,

Thanks for commenting, I see where you're coming from.


Two reasons:

- I get control of how that data is disseminated in case I choose to change it, something I do not get without encryption. Now I have the flexibility to put the password somewhere online, internal on the network, or on a secondary USB called "Encryption Key" (label maker and all).

- When a drive gets pulled for RMA, recycled, gifted or resold, I sleep a lot better knowing things are not wide open and searchable.

I have a hell of a time with Dockers working on unRAID by having to manually do the unlock. The answer I suppose is to prevent the Dockers from auto-starting, but then why am I trying to automate anything if I have to jump on the box to do everything after a power outage event, for example (which do happen, but the UPS is there to prevent the worst)? If I'm away from the house and someone powers on the box, I don't wanna have to spend 30 minutes with someone unfamiliar doing support to get content I may possibly want remote access to back.
