Changing encryption from passphrase to keyfile


b0mb


Allow me to actually answer the question. Converting from entering a passphrase to a keyfile is something I *just* had to do. The links above will tell you how to set up crypto just fine or even change passwords, but you'll have to dig pretty hard to find a way to easily go from passphrase to a file, so I'll try to save you some trouble. In the end you need to have a file in the root of your ephemeral boot drive named keyfile that contains your passphrase. In my case I did this by creating a file on my USB stick and a line in my GO file to create a link to it, as detailed below. Note that this is NOT SECURE if someone snatches your server. For me this is a temporary thing until I can go back to entering it by hand down the road. Others have come up with schemes to transfer the file in question via SFTP from other servers, and it's also possible to use binary files like, say, a picture vs a text file. What I've detailed isn't that, but you get the idea.

 

 


I hope I don't necro this post too much, but I also have a super long passphrase and this server no longer has sensitive info, although it's nice that when a drive fails I can RMA it.

Could someone please provide some steps on how to change the passphrase into a key-file, or extract that key-file from the running system, and then set it up so it auto-boots.

I would be really happy because all the info above is old, and I tried some stuff that didn't work, so I'm very anxious about screwing up the server.


I realize this is an old thread, but I just went through the process and hope I can help someone else in the future.

I tried using the fetch_key/delete_key from another thread on the forum, but apparently that broke a few versions of UnRaid ago. The below was pulled and compiled from other posts on the forum, spaceinvader videos linked above, plus some trial and error. I should note that I'm currently on 6.11.0.

I have a backup server using a passphrase to decrypt and wanted to switch it to a keyfile, with the ultimate goal of having a keyfile on a second machine and pulling a copy at startup. This would only allow the server to auto-start when the main server is online. To convert my passphrase into a keyfile, the only method I was able to use successfully was the following command in the terminal:

 

echo -n passphrase >/boot/keyfile

 

This put the new keyfile in boot but that isn't enough as the keyfile needs to be in /root/ upon startup to decrypt and autostart the array. However, root is deleted upon system shutdown. So I added a 'cp' line in the /boot/config/go file to copy this keyfile to root as the system starts.

 

#!/bin/bash

cp /boot/keyfile /root/keyfile

# Start the Management Utility
/usr/local/sbin/emhttp &

 

Once I confirmed that the key works, I was able to move the keyfile off /boot, as it is a BAD idea to have your key on the flash drive that's plugged into the machine. So I copied the keyfile to a second server in the 'keys' share and modified the above 'go' file to mount the share, copy the keyfile to root, then unmount the drive.

 

#!/bin/bash

# cp /boot/keyfile /root/keyfile #commented out the previous method used to test the keyfile. Can remove this line if you have a working keyfile.

# create a temporary mount point, mount the 'keys' share from the second server,
# copy the keyfile into /root, then unmount and remove the mount point
mkdir -p /keys
mount -t cifs -o user=username,password=userpassword,iocharset=utf8 //IPADDRESS/keys /keys
cp -f /keys/keyfile /root/keyfile
umount /keys
rm -r /keys

# Start the Management Utility
/usr/local/sbin/emhttp &

 

You'll need to modify the username, userpassword and IPADDRESS to match your settings.

 

You can also use the above code from the go file in a user script to run 'At Stopping of Array' so it'll be loaded when you start the array back up. I also created the below script to remove the /root/keyfile after the array has started, that way the keyfile isn't sitting in root while the machine is on (probably not necessary, as it is removed automatically at shutdown/restart).

 

#!/bin/bash
sleep 120
rm /root/keyfile

 

Hope this helps.


I realize this is an old thread but I just wanted to add a few things from my experience today which someone might find useful. Thanks @Salzgablah for the detailed post above.

 

1. It's very important to follow the first step, i.e. writing the keyfile using the echo command. Any other means simply didn't work for me. If I did it via nano, Unraid would refuse to unlock the array, saying it's an invalid keyfile.

 

2. Copying from the remote share somehow always ended up with a keyfile that had the executable attribute (* next to it). I had to add "chmod -x /root/keyfile" to the script that goes into the go file, after the file was copied.

 

 

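The procedure from the two posts above (the go-file fetch from a share, plus the follow-up notes that the keyfile must be written with echo -n and must not end up executable), as an added example that is not any poster's code. It assumes a credentials file at /boot/config/keys.cred, a share at //192.0.2.10/keys (example address) and the /root/keyfile path the posts use.

```shell
#!/bin/bash
# Added example, not code from any post in this thread. Shows the three points the
# posts raise: the keyfile must be written with no trailing newline, it must not be
# executable after copying, and the boot-time fetch should not carry the share
# password on the mount command line. Paths and the credentials file are assumptions.
set -e

# Write a passphrase to a keyfile with no trailing newline (why `echo -n` works
# and an editor-saved file does not) and with the execute bit cleared.
write_keyfile() {  # usage: write_keyfile <path> <passphrase>
    umask 077                       # created 0600: no group/other access
    printf '%s' "$2" > "$1"         # printf avoids echo's quirks with odd passphrases
    chmod 0400 "$1"                 # read-only for the owner, no execute bit
}

# Validate a keyfile before handing it to the array: present and non-empty,
# not executable, and not ending in a newline. Non-zero return on any failure.
check_keyfile() {  # usage: check_keyfile <path>
    [ -s "$1" ] || { echo "keyfile missing or empty: $1" >&2; return 1; }
    [ ! -x "$1" ] || { echo "keyfile is executable: $1" >&2; return 2; }
    # $(...) strips trailing newlines, so the last byte survives only if it is not one
    [ -n "$(tail -c 1 "$1")" ] || { echo "keyfile ends with a newline: $1" >&2; return 3; }
}

# Boot-time fetch for the go file. Assumes a credentials file on the flash drive
# (two lines: username=... and password=..., mode 0600) and a read-only share.
# The EXIT trap unmounts even if the copy fails, so the share is never left mounted.
fetch_keyfile() {  # usage: fetch_keyfile //SERVER/keys /boot/config/keys.cred /root/keyfile
    share=$1; cred=$2; dest=$3
    mnt=$(mktemp -d)
    trap 'umount "$mnt" 2>/dev/null || true; rmdir "$mnt" 2>/dev/null || true' EXIT
    mount -t cifs -o "credentials=$cred,ro,iocharset=utf8" "$share" "$mnt"
    umask 077
    cp -f "$mnt/keyfile" "$dest"
    chmod 0400 "$dest"              # clears the execute bit the CIFS copy tends to carry
    check_keyfile "$dest"           # refuse to hand Unraid a key it will reject anyway
}

# Example go-file use (run as root at boot), guarded so the block is safe to source:
if [ "${1:-}" = "--fetch" ]; then
    fetch_keyfile //192.0.2.10/keys /boot/config/keys.cred /root/keyfile
fi
```

The credentials file keeps the share password out of `ps` output and out of the go file itself; the check function is the piece to run first if the array reports an invalid keyfile.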
