DaveDoesStuff Posted October 20, 2020

> 14 hours ago, doron said:
> I looked at the UD code and indeed this is the case. When it issues the luksOpen command it expects a null (empty) response on stdout. When there's any (warning) message there, it assumes luksOpen failed and barfs. I suppose you can work around that by creating the directory /run/cryptsetup in your go script (permissions must be 700), which will eliminate the warning message and therefore the failure, but best would be for UD to fix that.
> EDIT: If you do want the workaround, just add this to your go script:
>
>     mkdir -pm 700 /run/cryptsetup

Thanks for the analysis and workaround, I appreciate that you provided it even though it's a UD issue.

nearcatch Posted December 7, 2020

Just wanted to say thanks for the script; I used it on unRAID 6.9.0-beta35 and successfully swapped a keyfile. Was sweating a bit the first time I brought the array down and back up, but it went perfectly. Did all 15 data disks, 2 cache pool disks, and 2 nvme pool disks.

doron (Author) Posted December 7, 2020

> 19 minutes ago, hasown said:
> Just wanted to say thanks for the script; I used it on unRAID 6.9.0-beta35 and successfully swapped a keyfile. Was sweating a bit the first time I brought the array down and back up, but it went perfectly. Did all 15 data disks, 2 cache pool disks, and 2 nvme pool disks.

Thanks for reporting! Happy to hear it worked well for you.

Opawesome Posted May 21, 2021

Hi @doron

Many thanks for your contribution. I am planning on testing your script (better do it before I need it). I have started reviewing the code and saw the following line:

    VALID_CHARS='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*-=+ '

Yet, the cryptsetup gitlab (https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#1-general-questions) states that:

> PASSPHRASE CHARACTER SET: Some people have had difficulties with this when upgrading distributions. It is highly advisable to only use the 95 printable characters from the first 128 characters of the ASCII table, as they will always have the same binary representation.

Those printable characters are listed here: https://en.wikipedia.org/wiki/ASCII#Printable_characters

Are there any reasons why you excluded some of them? Like the underscore for example?

Best,
OP

Opawesome Posted May 21, 2021

Just in case one would like to take an extra precautionary step and backup all LUKS headers before altering them with key changes, the following thread may be useful:

Edited May 21, 2021 by Opawesome

doron (Author) Posted May 21, 2021

> 2 hours ago, Opawesome said:
> Those printable characters are listed here: https://en.wikipedia.org/wiki/ASCII#Printable_characters Are there any reasons why you excluded some of them? Like the underscore for example?

Limiting the passphrase characters in a very conservative way was a response to some difficulties people experienced when inputting these phrases via GUI, through various, not 100% compatible, versions of Unraid. I decided then to make it quite restrictive; can't recall whether the underscore was a deliberate omission or not.

At any rate, you can enter any passphrase you want, with any characters you like, by using a keyfile.

J.E Reed Posted September 19, 2021

10/10 Works as described.

ionsneimameil Posted December 18, 2021

Worked awesomely on 2 out of three unraid servers I maintain. Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script. I didn't find a way to solve it, yet.

Edit: in case you have the same issue, change `histchars` to something else. (For example `histchars=~`)

Edited December 18, 2021 by ionsneimameil

doron (Author) Posted December 18, 2021

> Worked awesomely on 2 out of three unraid servers I maintain. Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script. I didn't find a way to solve it, yet.

Ouch. Shouldn't have happened. Will fix when I get a chance (on the road now). Workaround is to use key files. Place old and new passphrases in key files and do the swap. Mind the ending newline (see doc). Keep the "new" key file safe until you are sure you can unlock interactively!

doron (Author) Posted December 18, 2021

> 10 hours ago, ionsneimameil said:
> Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script.

I seem to not be able to reproduce. Can you expand on what was the issue you saw? Can you paste the error here?

Towley Posted February 2, 2022

Hi, what do I have to do if I get "invalid flags"?

    root@Tower:/mnt/disks/VendorCo_ProductCode-part1# unraid-newenckey - /mnt/disks/VendorCo_ProductCode-part1/keyfile
    == unraid-newenckey v0.8, made for Unraid, change encrypted volumes' unlock key. @doron ==
    Error: Invalid flag(s) specified. Now exiting.

I am not sure what I am supposed to do... My current key is atm a Passphrase.

Also, does this make the file itself the key, or does only the content of the file become the key? i.e.: When I write "test1" into it and I lose this file, can I just make a new file with "test1" in it, or not, since the whole file is important?

doron (Author) Posted February 3, 2022

> On 2/2/2022 at 4:18 PM, Towley said:
> Hi, what do I have to do if I get "invalid flags"? I am not sure what I am supposed to do... My current key is atm a Passphrase.

What you bumped into is called "A Bug" 🙂

I got confused for a moment since you are posting about v0.8, which is not posted via this thread, but rather via a plugin - kind of work-in-progress that I started in September and never properly completed.

At any rate, I just posted plugin v0.9, with that bug resolved. @Towley, could you please confirm that the problem is resolved? Thanks!

> On 2/2/2022 at 4:18 PM, Towley said:
> Also, does this make the file itself the key, or does only the content of the file become the key? i.e.: When I write "test1" into it and I lose this file, can I just make a new file with "test1" in it, or not, since the whole file is important?

The file content is your key once you use a file. If you put "test1" in it, that becomes your passphrase. One important thing to note is the ending newline. Type

    unraid-newenckey -h

and read the last paragraph.

Edited February 5, 2022 by doron

jocon53 Posted June 7, 2022

Hey

Is there a guide on how to use this

thanks
jim

doron (Author) Posted June 7, 2022

> 52 minutes ago, jocon53 said:
> Hey Is there a guide on how to use this thanks jim

    root@Tower:~# unraid-newenckey -h
    == unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==
    Usage: unraid-newenckey [current-key-file] [new-key-file]
    Both positional arguments are optional and may be omitted. If provided, each of them is either the name of a file (containing a passphrase or a binary key), or a single dash (-). For each of the arguments, if it is either omitted or specified as a dash, the respective key will be prompted for interactively.
    Note: if you provide a key file with a passphrase you later intend to use interactively when starting the array (the typical use case on Unraid), make sure the file does not contain an ending newline. One good way to do that is to use "echo -n", e.g.:
    echo -n "My Good PassPhrase" > /tmp/mykeyfile
    root@Tower:~#

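The ending-newline caveat in the help text above, as an added example that is not part of unraid-newenckey or of any post in this thread: a POSIX shell check that reports whether a passphrase key file ends in LF or CRLF and writes a cleaned copy. The function names and file paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the script discussed in this thread.
# Intended for key files that hold a typed passphrase; a binary key may
# legitimately end in 0x0a and must not be altered.

# Hex of the last $2 bytes of file $1 (empty string for an empty file).
tail_hex() {
    tail -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# Print how many end-of-line bytes trail the file: 2 (CRLF), 1 (LF) or 0.
trailing_eol_len() {
    case "$(tail_hex "$1" 2)" in
        0d0a) echo 2 ;;
        *0a)  echo 1 ;;
        *)    echo 0 ;;
    esac
}

# Copy $1 to $2 without the trailing LF/CRLF; the copy is created mode 600.
strip_trailing_eol() {
    size=$(wc -c < "$1" | tr -d ' ')
    keep=$(( size - $(trailing_eol_len "$1") ))
    ( umask 077; head -c "$keep" "$1" > "$2" )
}

# Usage: sh keyfile_check.sh <keyfile> <cleaned-copy>
if [ "$#" -eq 2 ]; then
    n=$(trailing_eol_len "$1")
    if [ "$n" -gt 0 ]; then
        strip_trailing_eol "$1" "$2"
        echo "$1 ends with $n end-of-line byte(s); cleaned copy written to $2"
    else
        echo "$1 has no trailing newline"
    fi
fi
```

Only the last line ending is removed, so a passphrase that deliberately contains earlier line breaks is left intact.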
jocon53 Posted June 7, 2022

> 19 minutes ago, doron said:
>
>     root@Tower:~# unraid-newenckey -h
>     == unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==
>     Usage: unraid-newenckey [current-key-file] [new-key-file]
>     Both positional arguments are optional and may be omitted. If provided, each of them is either the name of a file (containing a passphrase or a binary key), or a single dash (-). For each of the arguments, if it is either omitted or specified as a dash, the respective key will be prompted for interactively.
>     Note: if you provide a key file with a passphrase you later intend to use interactively when starting the array (the typical use case on Unraid), make sure the file does not contain an ending newline. One good way to do that is to use "echo -n", e.g.:
>     echo -n "My Good PassPhrase" > /tmp/mykeyfile
>     root@Tower:~#

do you know what dir the passphrase needs to be in?

thank you

doron (Author) Posted June 7, 2022

> 6 minutes ago, jocon53 said:
> do you know what dir the passphrase needs to be in? thank you

Generally speaking, the passphrase is placed in /root/keyfile, but please read the official Unraid docs for the complete picture (there's UI to specify keyfile, etc.).

voidpointer Posted November 9, 2022

Just used this script (installed via the "New Unlock Key for Encrypted Drives" plugin) and it worked great. Thank you!!

Jclendineng Posted November 15, 2022

Did unraid ever add this feature, or is this script still the recommended way to cycle keyfiles? I have not had to cycle yet but making sure I do it via best unraid practices.

doron (Author) Posted November 15, 2022

> 26 minutes ago, Jclendineng said:
> Did unraid ever add this feature, or is this script still the recommended way to cycle keyfiles? I have not had to cycle yet but making sure I do it via best unraid practices.

At the time of posting, this is still the way to go. Note the preferred method is to install the plugin (off Community Applications) rather than downloading from the top post in this thread.

Jclendineng Posted February 14, 2023

FYI this works great on latest Unraid.

neuer_unraider Posted February 26, 2023

@doron can you add a flag to not replace the keyfile but rather add another one? I'd like to use a keyfile during normal operation but I am paranoid and would like to have an additional ultra-secure passphrase as a backup that I will remember that I definitely don't want to enter in because it takes a long time manually doing so.

doron (Author) Posted February 26, 2023

> 54 minutes ago, neuer_unraider said:
> @doron can you add a flag to not replace the keyfile but rather add another one? I'd like to use a keyfile during normal operation but I am paranoid and would like to have an additional ultra-secure passphrase as a backup that I will remember that I definitely don't want to enter in because it takes a long time manually doing so.

That's an interesting thought. It should be easy to add, however if I do that, it will also need

- A way to remove a key (after making sure you are holding one of the remaining keys - it is too easy to lock the door with the keys inside if you're not careful)
- A monitor on the concurrent number of keys. LUKS has a certain number of key slots, and a careless user (not you) might keep adding keys, filling up the slots. This is becoming even more hairy since there might be a different number of occupied slots in different HDDs.

As you can see, there's more to take care of if we want to officially support multiple keys. And while it is all doable, and your suggested feature does make sense, I wonder how many people would actually use it. If other people want to weigh in on this, please comment in this thread.

(Regardless, if you feel brave enough and/or fluent enough with Linux CLI, you can use "cryptsetup luksAddKey" unto all of your array drives (and cache, if applicable) to add the emergency key. Make sure you operate against /dev/mdN (for diskN) and not /dev/sdX. Be very careful 🙂 )

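The key-slot monitoring concern raised above, as an added example that is not part of the script or the plugin: a shell function that counts occupied key slots in `cryptsetup luksDump` output for both LUKS1 and LUKS2 headers, so the counts can be compared across drives. The two sample dumps are constructed and abridged, and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from unraid-newenckey.

# Read `cryptsetup luksDump` text on stdin, print the number of slots in use.
count_used_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }     # LUKS1: one line per slot
        /^Keyslots:/ { in_ks = 1; next }        # LUKS2: start of slot section
        /^[^ \t]/    { in_ks = 0 }              # next top-level heading ends it
        in_ks && /^  [0-9]+: / { n++ }          # LUKS2: "  <slot>: luks2"
        END { print n + 0 }
    '
}

# Constructed, abridged LUKS1 dump: slots 0 and 1 occupied.
sample_luks1() {
    cat <<'EOF'
Version:        1
Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: ENABLED
        Iterations:             1000000
Key Slot 2: DISABLED
EOF
}

# Constructed, abridged LUKS2 dump: slot 0 occupied. The "0:" entry under
# Digests must not be counted as a key slot.
sample_luks2() {
    cat <<'EOF'
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Usage (as root): sh slot_count.sh /dev/md1 /dev/md2 ...
for dev in "$@"; do
    printf '%s: %s key slot(s) in use\n' "$dev" \
        "$(cryptsetup luksDump "$dev" | count_used_slots)"
done
```

A LUKS1 header has 8 key slots and a LUKS2 header up to 32, so a drive whose count differs from the others or approaches that limit is the one to look at before adding another key.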
Jclendineng Posted March 4, 2023

I ran into an issue where I restarted unraid and I get "No key available with this passphrase.". This keyfile has worked for ages, and now it won't work, even manually, any ideas?

doron (Author) Posted March 5, 2023

> 11 hours ago, Jclendineng said:
> I ran into an issue where I restarted unraid and I get "No key available with this passphrase.". This keyfile has worked for ages, and now it won't work, even manually, any ideas?

Need some context - have you been using the script that's the subject of this thread?

Jclendineng Posted March 5, 2023

> 9 hours ago, doron said:
> Need some context - have you been using the script that's the subject of this thread?

Yes, though I think I found the issue, or at least the most logical one. I don’t have ecc ram in my current server and a cosmic ray or random bit flip happened hosing my key slot. My key slot looks fine with the checker and the luks header looks fine so the only thing it could be is 1 bit maybe got changed causing my keyfile to fail. Unfortunate and I’ll have to format all my drives now but it happens and apparently in my research on this, happens a lot. If even 1 bit fails on the key slot the header is hosed. There are a couple threads on consistently backing up the header with mixed results, unfortunately I didn’t have a good header backup so all my data is gone. Sucks, but it’s the price you pay for encryption, especially when it’s not fully supported by unraid. Future me will keep up to date header backups.

Edit. I think it would be handy to have the script give the option to use more than 1 key slot when updating the key, instead of always deleting the old key by default, so if someone wanted to use a pass phrase and a key file for example they could. Unrelated to this but it would be a good addition to an already nice script (until unraid makes it officially a part of the gui as limetech has stated they will do)

Edited March 5, 2023 by Jclendineng