unraid-newenckey: Change your drive encryption unlock key

14 hours ago, doron said:

I looked at the UD code and indeed this is the case. When it issues the luksOpen command it expects a null (empty) response on stdout. When there's any (warning) message there, it assumes luksOpen failed and barfs.

 

I suppose you can work around that by creating the directory /run/cryptsetup in your go script (permissions must be 700), which will eliminate the warning message and therefore the failure, but best would be for UD to fix that.

 

EDIT: If you do want the workaround, just add this to your go script:


mkdir -pm 700 /run/cryptsetup

 

Thanks for the analysis and workaround; I appreciate that you provided it even though it's a UD issue.

  • 1 month later...
19 minutes ago, hasown said:

Just wanted to say thanks for the script; I used it on unRAID 6.9.0-beta35 and successfully swapped a keyfile. Was sweating a bit the first time I brought the array down and back up, but it went perfectly. Did all 15 data disks, 2 cache pool disks, and 2 nvme pool disks.

Thanks for reporting! Happy to hear it worked well for you.

  • 5 months later...

Hi @doron

 

Many thanks for your contribution. I am planning on testing your script (better do it before I need it).

 

I have started reviewing the code and saw the following line:

 

VALID_CHARS='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*-=+ '

 

Yet, the cryptsetup gitlab (https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#1-general-questions) states that:

 

Quote

PASSPHRASE CHARACTER SET: Some people have had difficulties with this when upgrading distributions. It is highly advisable to only use the 95 printable characters from the first 128 characters of the ASCII table, as they will always have the same binary representation.

 

Those printable characters are listed here: https://en.wikipedia.org/wiki/ASCII#Printable_characters

 

Are there any reasons why you excluded some of them? Like the underscore for example?

 

Best,

OP

2 hours ago, Opawesome said:

Those printable characters are listed here: https://en.wikipedia.org/wiki/ASCII#Printable_characters

 

Are there any reasons why you excluded some of them? Like the underscore for example?

Limiting the passphrase characters in a very conservative way was a response to some difficulties people experienced when inputting these phrases via GUI, through various, not 100% compatible, versions of Unraid. I decided then to make it quite restrictive; can't recall whether the underscore was a deliberate omission or not.

 

At any rate, you can enter any passphrase you want, with any characters you like, by using a keyfile.

 

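Added example, not code from the thread or from the unraid-newenckey script: a small POSIX sh check that compares a candidate passphrase against both character sets discussed above, the script's own VALID_CHARS line and the 95 printable ASCII characters the cryptsetup FAQ recommends. It walks the string one character at a time with parameter expansion, so characters like `*`, `!` and `\` are compared literally rather than as patterns; the passphrases in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from unraid-newenckey: check a passphrase against the
# two character sets discussed in the thread.

# The script's allowed set, copied from the line quoted above.
VALID_CHARS='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*-=+ '

# The 95 printable ASCII characters (0x20 space .. 0x7E tilde) from the
# cryptsetup FAQ. Single-quoted, so only the apostrophe needs escaping.
PRINTABLE=' !"#$%&'\''()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~'

# chars_not_in STRING ALLOWED: print every character of STRING that is not
# in ALLOWED and exit 1 if there was at least one. Walking the string with
# ${s#?} / ${s%"$rest"} keeps glob characters such as * and ! literal.
chars_not_in() {
    s=$1
    bad=0
    while [ -n "$s" ]; do
        rest=${s#?}             # string minus its first character
        c=${s%"$rest"}          # the first character itself
        s=$rest
        case "$2" in
            *"$c"*) ;;          # allowed
            *) printf '%s' "$c"; bad=1 ;;
        esac
    done
    return $bad
}

# Exit 0 when STRING is non-empty and uses only the script's VALID_CHARS.
# Example: 'Tr0ub4dor_&3' is rejected because of the underscore.
is_in_script_set() {
    [ -n "$1" ] && chars_not_in "$1" "$VALID_CHARS" > /dev/null
}

# Exit 0 when STRING is non-empty and uses only the 95 printable ASCII
# characters; anything multibyte (e.g. an umlaut) or a newline fails.
is_printable_ascii() {
    [ -n "$1" ] && chars_not_in "$1" "$PRINTABLE" > /dev/null
}
```

`chars_not_in "$candidate" "$VALID_CHARS"` prints exactly the characters the script would refuse, which answers the "why was this one rejected" question before the array is taken down.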
  • 1 month later...
  • 2 months later...

Worked awesomely on 2 out of three unraid servers I maintain. Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script. I didn't find a way to solve it, yet. 

 

Edit:
in case you have the same issue, change `histchars` to something else. (For example `histchars=~`)

Edited by ionsneimameil
ionsneimameil said:

Worked awesomely on 2 out of three unraid servers I maintain. Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script. I didn't find a way to solve it, yet.

Ouch. Shouldn't have happened. Will fix when I get a chance (on the road now).

Workaround is to use key files. Place old and new passphrases in key files and do the swap. Mind the ending newline (see doc). Keep the "new" key file safe until you are sure you can unlock interactively!

Sent from my tracking device using Tapatalk

10 hours ago, ionsneimameil said:

Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script.

I seem to not be able to reproduce. Can you expand on what was the issue you saw? Can you paste the error here?

  • 1 month later...

Hi, what do I have to do if I get "invalid flags"?

 

Quote

root@Tower:/mnt/disks/VendorCo_ProductCode-part1# unraid-newenckey - /mnt/disks/VendorCo_ProductCode-part1/keyfile


== unraid-newenckey v0.8, made for Unraid, change encrypted volumes' unlock key. @doron ==


Error: Invalid flag(s) specified.

Now exiting.

 

I am not sure what I am supposed to do... My current key is atm a Passphrase.

 

Also, does this make the file itself the key, or does only the content of the file become the key?

ie.: When I write "test1" into it and I lose this file, can I just make a new file with "test1" in it, or not, since the whole file is important?

On 2/2/2022 at 4:18 PM, Towley said:

Hi, what do I have to do if I get "invalid flags"?

 

I am not sure what I am supposed to do... My current key is atm a Passphrase.

 

What you bumped into is called "A Bug" 🙂

I got confused for a moment since you are posting about v0.8, which is not posted via this thread, but rather via a plugin - kind of work-in-progress that I started in September and never properly completed.

At any rate, I just posted plugin v0.9, with that bug resolved.

@Towley, could you please confirm that the problem is resolved? Thanks!

 

On 2/2/2022 at 4:18 PM, Towley said:

Also, does this make the file itself the key, or does only the content of the file become the key?

ie.: When I write "test1" into it and I lose this file, can I just make a new file with "test1" in it, or not, since the whole file is important?

The file content is your key once you use a file. If you put "test1" in it, that becomes your passphrase. One important thing to note is the ending newline. 

Type unraid-newenckey -h and read the last paragraph. 

Edited by doron
  • 4 months later...
52 minutes ago, jocon53 said:

Hey 

Is there a guide on how to use this 

thanks jim

 

 

root@Tower:~# unraid-newenckey -h


== unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==


Usage:  unraid-newenckey [current-key-file] [new-key-file]

Both positional arguments are optional and may be omitted.

If provided, each of them is either the name of a file (containing
a passphrase or a binary key), or a single dash (-).

For each of the arguments, if it is either omitted or specified as a dash,
the respective key will be prompted for interactively.

Note: if you provide a key file with a passphrase you later intend to use
interactively when starting the array (the typical use case on Unraid),
make sure the file does not contain an ending newline. One good way to do
that is to use "echo -n", e.g.:

      echo -n "My Good PassPhrase" > /tmp/mykeyfile


root@Tower:~#

 

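Added example, not from the thread or from unraid-newenckey, covering both the "file content is your key" answer and the ending-newline note in the -h text: a POSIX sh helper that writes a passphrase keyfile byte for byte, plus two checks you can run on an existing keyfile to see whether it carries the trailing newline that would make it differ from the passphrase typed at array start. File names and passphrases are constructed; `printf '%s'` is used instead of `echo -n` because it is portable and never interprets the passphrase.

```shell
#!/bin/sh
# Added example, not from unraid-newenckey: create a passphrase keyfile
# without an ending newline, and diagnose an existing keyfile.

# write_keyfile FILE PASSPHRASE: store PASSPHRASE in FILE byte for byte.
# printf '%s' appends no newline and, unlike echo, neither interprets
# backslashes nor mistakes a passphrase beginning with "-n" for an option.
# The subshell scopes umask, so FILE is created mode 600.
write_keyfile() {
    ( umask 077 && printf '%s' "$2" > "$1" )
}

# keyfile_ends_with_newline FILE: exit 0 if the last byte is 0x0a. Such a
# file only unlocks a volume whose key includes that newline, so the same
# passphrase typed interactively at array start would be rejected.
keyfile_ends_with_newline() {
    [ -s "$1" ] || return 1
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# keyfile_length FILE: number of bytes; for an ASCII passphrase this must
# equal the number of characters you intend to type.
keyfile_length() {
    wc -c < "$1" | tr -d ' '
}

# Typical use (constructed values):
#   write_keyfile /tmp/mykeyfile 'My Good PassPhrase'
#   keyfile_ends_with_newline /tmp/mykeyfile && echo "trailing newline present"
```

If a passphrase containing `!` has to be typed at an interactive bash prompt rather than placed in a file, `set +H` switches history expansion off for that session; inside a script it is already off, which is why the helper above can pass `!` through untouched.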
19 minutes ago, doron said:

 

root@Tower:~# unraid-newenckey -h


== unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==


Usage:  unraid-newenckey [current-key-file] [new-key-file]

Both positional arguments are optional and may be omitted.

If provided, each of them is either the name of a file (containing
a passphrase or a binary key), or a single dash (-).

For each of the arguments, if it is either omitted or specified as a dash,
the respective key will be prompted for interactively.

Note: if you provide a key file with a passphrase you later intend to use
interactively when starting the array (the typical use case on Unraid),
make sure the file does not contain an ending newline. One good way to do
that is to use "echo -n", e.g.:

      echo -n "My Good PassPhrase" > /tmp/mykeyfile


root@Tower:~#

 

Do you know what dir the passphrase needs to be in? Thank you.

6 minutes ago, jocon53 said:

Do you know what dir the passphrase needs to be in? Thank you.

Generally speaking, the passphrase is placed in /root/keyfile, but please read the official Unraid docs for the complete picture (there's UI to specify keyfile, etc.)

  • 5 months later...
26 minutes ago, Jclendineng said:

Did unraid ever add this feature, or is this script still the recommended way to cycle keyfiles? I have not had to cycle yet but making sure I do it via best unraid practices :) 

At the time of posting, this is still the way to go. Note the preferred method is to install the plugin (off Community Applications) rather than downloading from the top post in this thread.

  • 2 months later...
  • 2 weeks later...
54 minutes ago, neuer_unraider said:

@doron can you add a flag to not replace the keyfile but rather add another one? I'd like to use a keyfile during normal operation but I am paranoid and would like to have an additional ultra-secure passphrase as a backup that I will remember that I definitely don't want to enter in because it takes a long time manually doing so.

That's an interesting thought. It should be easy to add, however if I do that, it will also need

  1. A way to remove a key (after making sure you are holding one of the remaining keys - it is too easy to lock the door with the keys inside if you're not careful)
  2. A monitor on the concurrent number of keys. LUKS has a certain number of key slots, and a careless user (not you) might keep adding keys, filling up the slots. This is becoming even more hairy since there might be a different number of occupied slots in different HDDs.

As you can see, there's more to take care of if we want to officially support multiple keys. And while it is all doable, and your suggested feature does make sense, I wonder how many people would actually use it.

If other people want to weigh in on this, please comment in this thread.

 

(Regardless, if you feel brave enough and/or fluent enough with Linux CLI, you can use "cryptsetup luksAddKey" unto all of your array drives (and cache, if applicable) to add the emergency key. Make sure you operate against /dev/mdN (for diskN) and not /dev/sdX. Be very careful 🙂 )

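Added example, not from the thread or from unraid-newenckey: the slot monitor that point 2 above asks for, as a POSIX sh/awk function that reads `cryptsetup luksDump` output and reports the LUKS version and the number of occupied key slots, so you can see how much headroom remains before `luksAddKey` would fail. It handles both the LUKS1 listing ("Key Slot N: ENABLED") and the LUKS2 "Keyslots:" section; the two dumps embedded below are constructed samples, and in real use the input would come from `cryptsetup luksDump /dev/mdN` (the /dev/mdN device, as the post says). The slot limits assumed are the LUKS1 fixed 8 and the LUKS2 default of 32.

```shell
#!/bin/sh
# Added example, not from unraid-newenckey: count occupied LUKS key slots
# in "cryptsetup luksDump" output read from stdin.

# keyslot_usage: print "<luks-version> <used-slots>" for a dump on stdin.
keyslot_usage() {
    awk '
        /^Version:/                     { ver = $2 }
        /^Key Slot [0-9]+: ENABLED/     { used++ }            # LUKS1 listing
        /^Keyslots:/                    { inslots = 1; next } # LUKS2 section
        /^[A-Za-z]/                     { inslots = 0 }       # next top-level section
        inslots && /^  [0-9]+: luks2/   { used++ }
        END { printf "%s %d\n", ver, used + 0 }
    '
}

# free_keyslots: slots still free in the dump on stdin (LUKS1: 8 slots,
# LUKS2: 32 by default). Exit 1 on an unrecognised version.
free_keyslots() {
    set -- $(keyslot_usage)
    case "$1" in
        1) echo $((8 - $2)) ;;
        2) echo $((32 - $2)) ;;
        *) echo "unknown LUKS version: $1" >&2; return 1 ;;
    esac
}

# Constructed LUKS2 dump with slots 0 and 3 in use (UUID is a placeholder).
sample_luks2_dump() {
    printf '%b\n' \
        'LUKS header information' \
        'Version:       \t2' \
        'Epoch:         \t4' \
        'UUID:          \t00000000-1111-2222-3333-444444444444' \
        '' \
        'Data segments:' \
        '  0: crypt' \
        '\toffset: 16777216 [bytes]' \
        '' \
        'Keyslots:' \
        '  0: luks2' \
        '\tKey:        512 bits' \
        '\tPriority:   normal' \
        '  3: luks2' \
        '\tKey:        512 bits' \
        '\tPriority:   normal' \
        'Tokens:' \
        'Digests:' \
        '  0: pbkdf2' \
        '\tHash:       sha256'
}

# Constructed LUKS1 dump with slots 0 and 2 enabled.
sample_luks1_dump() {
    printf '%b\n' \
        'LUKS header information for /dev/md1' \
        '' \
        'Version:       \t1' \
        'Cipher name:   \taes' \
        'Cipher mode:   \txts-plain64' \
        'Hash spec:     \tsha256' \
        'Key Slot 0: ENABLED' \
        '\tIterations:         \t1234567' \
        'Key Slot 1: DISABLED' \
        'Key Slot 2: ENABLED' \
        '\tIterations:         \t1234567' \
        'Key Slot 3: DISABLED' \
        'Key Slot 4: DISABLED' \
        'Key Slot 5: DISABLED' \
        'Key Slot 6: DISABLED' \
        'Key Slot 7: DISABLED'
}

# Real use on an array disk (privileged, read-only; constructed device name):
#   cryptsetup luksDump /dev/md1 | free_keyslots
```

Running this across every array and cache device before a key change shows the "different number of occupied slots in different HDDs" situation the post warns about, since each device reports its own count.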
11 hours ago, Jclendineng said:

I ran into an issue where I restarted unraid and I get "No key available with this passphrase.". This keyfile has worked for ages, and now it won't work, even manually, any ideas?

Need some context - have you been using the script that's the subject of this thread?

9 hours ago, doron said:

Need some context - have you been using the script that's the subject of this thread?

Yes, though I think I found the issue, or at least the most logical one. I don’t have ECC RAM in my current server and a cosmic ray or random bit flip happened hosing my key slot. My key slot looks fine with the checker and the luks header looks fine so the only thing it could be is 1 bit maybe got changed causing my keyfile to fail. Unfortunate and I’ll have to format all my drives now but it happens and apparently in my research on this, happens a lot. If even 1 bit fails on the key slot the header is hosed. There are a couple threads on consistently backing up the header with mixed results, unfortunately I didn’t have a good header backup so all my data is gone. Sucks, but it’s the price you pay for encryption, especially when it’s not fully supported by unraid. Future me will keep up to date header backups.
 

Edit. I think it would be handy to have the script give the option to use more than 1 key slot when updating the key, instead of always deleting the old key by default, so if someone wanted to use a pass phrase and a key file for example they could. Unrelated to this but it would be a good addition to an already nice script (until unraid makes it officially a part of the gui as limetech has stated they will do)

Edited by Jclendineng
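Added example, not from the thread or from unraid-newenckey: the header backup routine the post above says it wishes it had had. It uses the real `cryptsetup luksHeaderBackup` action (with `--header-backup-file`) to copy each device's LUKS header into a directory, re-reads every copy with `cryptsetup luksDump` to confirm it is a readable header, and records SHA-256 checksums so a bit flip in the backup itself is caught before you rely on it. Device names are whatever you pass in (on Unraid, /dev/mdN for diskN, not /dev/sdX, as noted earlier in the thread); the output path in the comment is constructed, and `sha256sum` from coreutils is assumed.

```shell
#!/bin/sh
# Added example, not from unraid-newenckey: keep checksummed copies of each
# device's LUKS header so a damaged key slot can be put back with
# "cryptsetup luksHeaderRestore" instead of reformatting the array.

# backup_luks_headers OUTDIR DEVICE...: write OUTDIR/<device>.luksheader for
# each device, verify each copy with luksDump, then record SHA256SUMS.
# luksHeaderBackup refuses to overwrite an existing file, so give every run
# a fresh OUTDIR (e.g. one carrying the date). OUTDIR is created mode 700.
backup_luks_headers() {
    outdir=$1
    shift
    ( umask 077 && mkdir -p "$outdir" ) || return 1
    for dev in "$@"; do
        out="$outdir/$(basename "$dev").luksheader"
        cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" || return 1
        # luksDump on the file proves the copy parses as a LUKS header
        cryptsetup luksDump "$out" > /dev/null || return 1
    done
    ( cd "$outdir" && sha256sum ./*.luksheader > SHA256SUMS )
}

# verify_header_backups OUTDIR: exit 0 only if every stored header still
# matches its recorded checksum. Run this before trusting a copy for a restore.
verify_header_backups() {
    ( cd "$1" && sha256sum -c SHA256SUMS > /dev/null )
}

# Typical use (constructed path): store the copies off the encrypted array,
# e.g. on the boot flash or another machine, since they are needed precisely
# when the array cannot be unlocked.
#   backup_luks_headers "/boot/luks-headers/$(date +%F)" /dev/md1 /dev/md2
```

A header copy is as sensitive as the header itself (it holds the key slots), so the 700 directory and a private storage location matter as much as the checksums.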