b0mb
Posted October 13, 2019

Hi! I've just started to encrypt my xfs array using a passphrase. So I am wondering what would be the exact steps to do when I want to use a keyfile instead of the passphrase?

Thx in advance! Cheers! b0mb

BLKMGK
Posted October 14, 2019

Allow me to actually answer the question. Converting from entering a passphrase to a keyfile is something I *just* had to do. The links above will tell you how to set up crypto just fine or even change passwords, but you'll have to dig pretty good to find a way to easily go from passphrase to a file, so I'll try to save you some trouble.

In the end you need to have a file in the root of your ephemeral boot drive named keyfile that contains your passphrase. In my case I did this by creating a file on my USB stick and a line in my GO file to create a link to it as detailed below. Note that this is NOT SECURE if someone snatches your server. For me this is a temporary thing until I can go back to entering it by hand down the road.

Others have come up with schemes to transfer the file in question via SFTP from other servers, and it's also possible to use binary files like, say, a picture vs a text file - what I've detailed isn't that, but you get the idea.

CSIG1001
Posted September 6, 2020

How do you change your passphrase on the newest version? I thought Limetech was going to implement this in the GUI?

BelgarionNL
Posted July 4, 2021

I hope I don't necro this post too much, but I also have a super long passphrase and this server no longer has sensitive info, although it's nice that when a drive fails I can RMA it.

Could someone please provide some steps on how to change a passphrase into a key-file, or extract that key-file from the running system, and then set it up so it auto boots? I would be really happy, because all the info above is old and I tried some stuff that didn't work, so very anxious to screw up the server.

Salzgablah
Posted October 13, 2022

I realize this is an old thread, but I just went through the process and hope I can help someone else in the future. I tried using the fetch_key/delete_key from another thread on the forum, but apparently that broke a few versions of UnRaid ago. The below was pulled and compiled from other posts on the forum, the spaceinvader videos linked above, plus some trial and error. I should note that I'm currently on 6.11.0.

I have a backup server using a passphrase to decrypt and wanted to switch it to a keyfile, with the ultimate goal of having a keyfile on a second machine and pulling a copy at startup. This would only allow the server to auto start when the main server is online.

To convert my passphrase into a keyfile, the only method I was able to use successfully was the following command in terminal:

    echo -n passphrase >/boot/keyfile

This put the new keyfile in boot, but that isn't enough, as the keyfile needs to be in /root/ upon startup to decrypt and autostart the array. However, root is deleted upon system shutdown. So I added a 'cp' line in the /boot/config/go file to copy this keyfile to root as the system starts.

    #!/bin/bash
    cp /boot/keyfile /root/keyfile
    # Start the Management Utility
    /usr/local/sbin/emhttp &

Once confirmed that the key works, I was able to move the keyfile off /boot, as it is a BAD idea to have your key on the flashdrive that's plugged into the machine. So I copied the keyfile to a second server in the 'keys' share and modified the above 'go' file to mount the share, copy the keyfile to root, then unmount the drive.

    #!/bin/bash
    # cp /boot/keyfile /root/keyfile  # commented out the previous method used to test the keyfile. Can remove this line if you have a working keyfile.
    mkdir -p /keys
    mount -t cifs -o user=username,password=userpassword,iocharset=utf8 //IPADDRESS/keys /keys
    cp -f /keys/keyfile /root/keyfile
    umount /keys
    # rmdir only removes an empty directory, so a failed umount cannot delete files on the share
    rmdir /keys
    # Start the Management Utility
    /usr/local/sbin/emhttp &

You'll need to modify the username, userpassword and IPADDRESS for your settings. You can also use the above code from the go file in a user script to run 'At Stopping of Array' so it'll be loaded when you start the array back up.

I also created the below script to remove the /root/keyfile after the array has started, that way the keyfile isn't sitting in root while the machine is on (probably not necessary as it is removed automatically at shutdown/restart).

    #!/bin/bash
    sleep 120
    rm /root/keyfile

Hope this helps.

viper1190
Posted March 7

I realize this is an old thread, but I just wanted to add a few things from my experience today which someone might find useful. Thanks @Salzgablah for the detailed post above.

1. It's very important to follow the first step, i.e. writing the keyfile using the echo command. Any other means simply didn't work for me. If I did it via nano, Unraid would refuse to unlock the array, saying it's an invalid keyfile.

2. Copying from a remote share somehow always ended up with a keyfile that had the executable attribute (* next to it). I had to add "chmod -x /root/keyfile" in the script that goes into the go file after the file was copied.
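
Added example (not part of any post above and not Unraid's own code): a go-file helper covering the two failure modes reported in this thread. cryptsetup uses a keyfile byte for byte, so the newline an editor appends makes it a different key than the typed passphrase, and a copy from a CIFS share can arrive with stray mode bits. The function names are hypothetical, and refusing a trailing newline assumes the keyfile holds a typed passphrase, since a random binary keyfile may legitimately end in 0x0a.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Exit 0 if the last byte of FILE is LF (0a) or CR (0d).
keyfile_has_trailing_eol() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || [ "$last" = "0d" ]
}

# keyfile_install SRC DST
# Copy SRC to DST with mode 0600 (owner read/write, no executable bit).
# Returns 1 if SRC is missing or empty, 2 if it ends in a line terminator.
# Assumption: the keyfile holds a typed passphrase, as in the thread.
keyfile_install() {
    src=$1
    dst=$2
    if [ ! -s "$src" ]; then
        echo "keyfile: $src is missing or empty" >&2
        return 1
    fi
    if keyfile_has_trailing_eol "$src"; then
        echo "keyfile: $src ends in a newline, rewrite it with echo -n" >&2
        return 2
    fi
    # install sets the mode explicitly, so bits inherited from the share are dropped.
    install -m 0600 "$src" "$dst"
}

# In the go file this would replace the plain cp (paths are the thread's):
#   keyfile_install /keys/keyfile /root/keyfile || echo "array will not auto-start" >&2
```

A non-zero return leaves /root/keyfile untouched, so the array simply waits for manual unlock instead of failing on a malformed key.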