LUKS password unassigned devices issue


tr0910

Recommended Posts

unRaid has never been sold as a secure OS that should be exposed directly to the internet.  However more and more of us are using the product in ways that the original security design never intended.  I don't share the panic regarding plain text passwords in /root that has been discussed here recently, however now that we are all paying attention, let me explain something that is a larger concern.

 

When unRaid introduced LUKS encrypted disks for the array, I immediately implemented on one server that could benefit from increased security.  I have been running encrypted disks without problem since that time.  This server also has a number of unassigned disks that are connected and disconnected from the server.  Thanks to @dlandon we managed to get unassigned devices to support LUKS drives as well.  But there is one huge problem.  The unassigned devices require that all disks use the array LUKS password or keyfile.  This is not good especially when we move disks from server to server.  You can only use LUKS encrypted unassigned disks if the array already has at least one disk encrypted.  And this password/keyfile must be the same on all servers where the disk is plugged into.  This should be looked at if further enhancements are being made to the encrypted file system.

Link to comment

The reason LUKS encrypted disks were implemented in UD is so a disk from the array could be mounted in UD and files copied.  It was never intended that the LUKS implementation would be used for encrypting disks that would then be moved back and forth to other computers.

 

I was asked by LT to only implement this feature and not get into separate pass phrases for the array and UD disks.  I agree with that, and with all the concerns over security being raised with the LUKS implementation, I won't do anything further.  I am not comfortable with implementing any security features in the UD plugin without LT's direction.

 

If you disagree with LT's position, you should raise your concern with them.

  • Upvote 1
Link to comment

@dlandon I never meant to suggest you were responsible for this issue.  At one time I heard that @limetech planned to integrate Unassigned Devices (UD) into the core product.  Perhaps this has been pushed out.  Heroes like yourself bear way too much burden from us greedy users.  (please, just one more tiny change to UD....  LOL)

 

Still the bottom line persists.  As I said earlier, (more of us are using the product in ways that the original security design never intended) and this results in demands for tightening up the security of the core product.  This is not a bad thing, but it does consume resources of our hero volunteers, and from Limetech.  I was only wanting to raise this issue while we were all paying attention.  I have been able to work with what we have for UD encryption.  I admit that now I use UD for more than I used to, and this results in me passing encrypted UD disks between servers.  Provided you accept the limitations, it works.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.