
unraid-newenckey: Change your drive encryption unlock key


Drive encryption is one of Unraid's many good features. When you encrypt part or all of your array and cache, at some point you might end up wanting to change your unlock key. Just how often would depend on your threat model (and on your level of paranoia).

At this time (6.8), Unraid does not have a UI for changing the unlock key.


Here is a small tool that will let you change your unlock key.

Each of the current and new unlock keys can either be a text password / passphrase, or a binary key file if you're into those (I am).


Your array must be started to use this tool.


Essentially, the script validates the provided current key against your drives, and on all drives that can be unlocked with the current key, replaces it with the new one (in fact, it adds the new key to all of them, and upon success, removes the old key from all of them).

Important: The tool does not save the provided new (replacement) key on permanent storage. Make very sure you have it backed up, either in memory (...) or on some permanent storage (not on the encrypted array 😜 ). If you misplace the new key, your data is hosed.


Currently this script needs to be run from the command line. I may turn it into a plugin if there's enough interest (and time) - although I'm pretty sure Limetech has this feature on their radar for some upcoming version.


Usage:  unraid-newenckey [current-key-file] [new-key-file]

Both positional arguments are optional and may be omitted.

If provided, each of them is either the name of a file (containing a passphrase or a binary key), or a single dash (-). 


For each of the arguments, if it is either omitted or specified as a dash, the respective key will be prompted for interactively.

Note: if you provide a key file with a passphrase you later intend to use interactively when starting the array (the typical use case on Unraid), make sure the file does not contain an ending newline. One good way to do that is to use "echo -n", e.g.:

      echo -n "My Good PassPhrase" > /tmp/mykeyfile

This code has been tested, but no warranty is expressed or implied. Use at your own risk.

With the above out of the way, please report any issues.




Edited by doron
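The add-then-remove rotation described in the post, written out as an added example in POSIX shell. This is not the unraid-newenckey script and not Limetech code; it assumes the cryptsetup CLI is on the PATH, that the caller passes the current and new key files plus the LUKS device paths (placeholders such as /dev/sdX1), and that the key files hold the exact bytes of the passphrase or binary key. It also includes the trailing-newline check the post recommends for key files that will later be typed interactively.

```shell
#!/bin/sh
# Added example (not the unraid-newenckey script): rotate a LUKS unlock key
# across several devices with cryptsetup, in the same add-then-remove order
# the post describes. Device paths and key-file paths are placeholders
# supplied by the caller.

# Succeeds only if the key file is non-empty and its last byte is not a
# newline, i.e. the bytes match what would be typed interactively.
keyfile_has_no_trailing_newline() {
    f="$1"
    [ -s "$f" ] || return 1
    [ "$(tail -c1 "$f" | wc -l)" -eq 0 ]
}

# Print the subset of the given devices that the current key can unlock.
# --test-passphrase checks the key against the header without mapping the device.
devices_unlockable_with() {
    key="$1"; shift
    for dev in "$@"; do
        if cryptsetup open --test-passphrase --key-file "$key" "$dev" >/dev/null 2>&1; then
            printf '%s\n' "$dev"
        else
            printf 'skip: %s is not unlockable with the current key\n' "$dev" >&2
        fi
    done
}

# Add NEWKEY to every device OLDKEY unlocks; remove OLDKEY only after every
# add succeeded. If an add fails, the new key is backed out of devices that
# already received it, so the set of devices never ends up with mixed keys.
rotate_luks_key() {
    oldkey="$1"; newkey="$2"; shift 2
    targets=$(devices_unlockable_with "$oldkey" "$@")
    [ -n "$targets" ] || { echo "no device accepts the current key" >&2; return 1; }

    added=""
    for dev in $targets; do
        if cryptsetup luksAddKey --key-file "$oldkey" "$dev" "$newkey"; then
            added="$added $dev"
        else
            echo "luksAddKey failed on $dev; removing new key from devices already updated" >&2
            for d in $added; do
                cryptsetup luksRemoveKey "$d" "$newkey"
            done
            return 2
        fi
    done

    for dev in $targets; do
        cryptsetup luksRemoveKey "$dev" "$oldkey" || { echo "luksRemoveKey failed on $dev" >&2; return 3; }
    done
    echo "rotated key on:$added"
}

# Usage: sh rotate-luks-key.sh /path/current-key /path/new-key /dev/sdX1 /dev/sdY1 ...
if [ "$#" -ge 3 ]; then
    keyfile_has_no_trailing_newline "$2" || echo "warning: new key file ends with a newline" >&2
    rotate_luks_key "$@"
fi
```

The order matters for the reason the post gives: the old key is removed from any device only after the new key has been added to all of them, so an error part-way through leaves every device still openable with the key you already hold. Back up the new key somewhere outside the encrypted devices before running anything like this.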


Very nice. Similar to what we want to do, except I was also going to back up the LUKS headers first because I'm just that paranoid 😋

  • Like 1
  • Thanks 1
