Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.
Message added by doron,

This plugin is discontinued, as the functionality is available natively in Unraid. Thanks for using it over the years. The thread is left here for posterity.

unraid-newenckey: Change your drive encryption unlock key

Featured Replies

14 hours ago, doron said:

I looked at the UD code and indeed this is the case. When it issues the luksOpen command it expects a null (empty) response on stdout. When there's any (warning) message there, it assumes luksOpen failed and barfs.

 

I suppose you can work around that by creating the directory /run/cryptsetup in your go script (permissions must be 700), which will eliminate the warning message and therefore the failure, but best would be for UD to fix that.

 

EDIT: If you do want the workaround, just add this to your go script:


mkdir -pm 700 /run/cryptsetup

 

Thanks for the analysis and workaround, I appreciate that you provided it even tho its a UD issue.

  • 1 month later...
  • Replies 81
  • Views 22.2k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • Very nice.  Similar to what we want to do, except I was also going to back up the LUKS headers first because I'm just that paranoid 😋

  • Jabberwocky
    Jabberwocky

    Just wanted to say thank you for the script! Would be nice to have this functionality as well as a backup of the luks header on the regular UI though (maybe as an optional / password-protected part of

  • Just  want to say that I used this script and it worked as expected. Thanks!

Posted Images

Just wanted to say thanks for the script; I used it on unRAID 6.9.0-beta35 and successfully swapped a keyfile. Was sweating a bit the first time I brought the array down and back up, but it went perfectly. Did all 15 data disks, 2 cache pool disks, and 2 nvme pool disks.

  • Author
19 minutes ago, hasown said:

Just wanted to say thanks for the script; I used it on unRAID 6.9.0-beta35 and successfully swapped a keyfile. Was sweating a bit the first time I brought the array down and back up, but it went perfectly. Did all 15 data disks, 2 cache pool disks, and 2 nvme pool disks.

Thanks for reporting! Happy to hear it worked well for you.

  • 5 months later...

Hi @doron

 

Many thanks for your contribution. I am planning on testing your script (better do it before I need it).

 

I have started reviewing the code and saw the following line:

 

VALID_CHARS='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*-=+ '

 

Yet, the cryptsetup gitlab (https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#1-general-questions) states that:

 

Quote

PASSPHRASE CHARACTER SET: Some people have had difficulties with this when upgrading distributions. It is highly advisable to only use the 95 printable characters from the first 128 characters of the ASCII table, as they will always have the same binary representation.

 

Those printable characters are listed here: https://en.wikipedia.org/wiki/ASCII#Printable_characters

 

Are there any reasons why you excluded some of them? Like the underscore for example?

 

Best,

OP

Just in case one would like to take an extra precautionary step and backup all LUKS headers before altering them with key changes, the following thread may be useful:

 

 

Edited by Opawesome

  • Author
2 hours ago, Opawesome said:

Those printable characters are listed here: https://en.wikipedia.org/wiki/ASCII#Printable_characters

 

Are there any reasons why you excluded some of them? Like the underscore for example?

Limiting the passphrase characters in a very conservative way was a response to some difficulties people experienced when inputting these phrases via GUI, through various, not 100% compatible, versions of Unraid. I decided then to make it quite restrictive; can't recall whether the underscore was a deliberate omission or not.

 

At any rate, you can enter any passphase you want, with any characters you like, by using a keyfile.

 

  • 1 month later...

10/10 Works as described.

  • 2 months later...

Worked awesomely on 2 out of three unraid servers I maintain. Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script. I didn't find a way to solve it, yet. 

 

Edit:
in case you have the same issue, change `histchars` to something else. (For example `histchars=~`)

Edited by ionsneimameil

  • Author
Worked awesomely on 2 out of three unraid servers I maintain. Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script. I didn't find a way to solve it, yet. 
Ouch. Shouldn't have happened. Will fix when I get a chance (on the road now).

Workaround is to use key files. Place old and new passphrases in key files and do the swap. Mind the ending newline (see doc). Keep the "new" key file safe until you are sure you can unlock interactively!

Sent from my tracking device using Tapatalk

  • Author
10 hours ago, ionsneimameil said:

Unfortunately on one server the password contains `!@` in the array key and since `!` is reserved in bash it creates issues changing the passphrase using the script.

I seem to not be able to reproduce. Can you expand on what was the issue you saw? Can you paste the error here?

  • 1 month later...

Hi, what do I have to do if I get "invalid flags"?

 

Quote

root@Tower:/mnt/disks/VendorCo_ProductCode-part1# unraid-newenckey - /mnt/disks/VendorCo_ProductCode-part1/keyfile


== unraid-newenckey v0.8, made for Unraid, change encrypted volumes' unlock key. @doron ==


Error: Invalid flag(s) specified.

Now exiting.

 

I am not sure what I am supposed to do... My current key is atm a Passphrase.

 

Also, does this make the file itself to the key or does only the content of the file become the key?

ie.: When I write into it "test1" and I loose this file, can I just make a new file with "test1" in it or not since the whole file is important?

  • Author
On 2/2/2022 at 4:18 PM, Towley said:

Hi, what do I have to do if I get "invalid flags"?

 

I am not sure what I am supposed to do... My current key is atm a Passphrase.

 

What you bumped into is called "A Bug" 🙂

I got confused for a moment since you are posting about v0.8, which is not posted via this thread, but rather via a plugin - kind of work-in-progress that I started on September and never properly completed.

At any rate, I just posted plugin v0.9, with that bug resolved.

@Towley, could you please confirm that the problem is resolved? Thanks!

 

On 2/2/2022 at 4:18 PM, Towley said:

Also, does this make the file itself to the key or does only the content of the file become the key?

ie.: When I write into it "test1" and I loose this file, can I just make a new file with "test1" in it or not since the whole file is important?

The file content is your key once you use a file. If you put "test1" in it, that becomes your passphrase. One important thing to note is the ending newline. 

Type unraid-newenckey -h and read the last paragraph. 

Edited by doron

  • 4 months later...

Hey 

Is there a guide on how to use this 

thanks jim

 

  • Author
52 minutes ago, jocon53 said:

Hey 

Is there a guide on how to use this 

thanks jim

 

 

root@Tower:~# unraid-newenckey -h


== unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==


Usage:  unraid-newenckey [current-key-file] [new-key-file]

Both positional arguments are optional and may be omitted.

If provided, each of them is either the name of a file (containing
a passphrase or a binary key), or a single dash (-).

For each of the arguments, if it is either omitted or specified as a dash,
the respective key will be prompted for interactively.

Note: if you provide a key file with a passphrase you later intend to use
interactively when starting the array (the typical use case on Unraid),
make sure the file does not contain an ending newline. One good way to do
that is to use "echo -n", e.g.:

      echo -n "My Good PassPhrase" > /tmp/mykeyfile


root@Tower:~#

 

19 minutes ago, doron said:

 

root@Tower:~# unraid-newenckey -h


== unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==


Usage:  unraid-newenckey [current-key-file] [new-key-file]

Both positional arguments are optional and may be omitted.

If provided, each of them is either the name of a file (containing
a passphrase or a binary key), or a single dash (-).

For each of the arguments, if it is either omitted or specified as a dash,
the respective key will be prompted for interactively.

Note: if you provide a key file with a passphrase you later intend to use
interactively when starting the array (the typical use case on Unraid),
make sure the file does not contain an ending newline. One good way to do
that is to use "echo -n", e.g.:

      echo -n "My Good PassPhrase" > /tmp/mykeyfile


root@Tower:~#

 

do you know what dir it the passphrase need to be in ? thank you 

  • Author
6 minutes ago, jocon53 said:

do you know what dir it the passphrase need to be in ? thank you 

Generally speaking, the passphrase is placed in /root/keyfile, but please read the official Unraid docs for the complete picture (there's UI to specify keyfile, etc.)

  • 5 months later...

Just used this script (installed via the "New Unlock Key for Encrypted Drives" plugin) and it worked great. Thank you!!

Did unraid ever add this feature, or is this script still the recommended way to cycle keyfiles? I have not had to cycle yet but making sure I do it via best unraid practices :) 

  • Author
26 minutes ago, Jclendineng said:

Did unraid ever add this feature, or is this script still the recommended way to cycle keyfiles? I have not had to cycle yet but making sure I do it via best unraid practices :) 

At the time of posting, this is still the way to go. Note the preferred method is to install the plugin (off Community Applications) rather than downloading from the top post in this thread.

  • 2 months later...

FYI this works great on latest Unraid

  • 2 weeks later...

@doron can you add a flag to not replace the keyfile but rather add another one? I'd like to use a keyfile during normal operation but I am paranoid and would like to have an additional ultra-secure passphrase as a backup that I will remember that I definitely don't want to enter in because it takes a long time manually doing so.

  • Author
54 minutes ago, neuer_unraider said:

@doron can you add a flag to not replace the keyfile but rather add another one? I'd like to use a keyfile during normal operation but I am paranoid and would like to have an additional ultra-secure passphrase as a backup that I will remember that I definitely don't want to enter in because it takes a long time manually doing so.

That's an interesting thought. It should be easy to add, however if I do that, it will also need

  1. A way to remove a key (after making sure you are holding one of the remaining keys - it is too easy to lock the door with the keys inside if you're not careful)
  2. A monitor on the concurrent number of keys. LUKS has a certain number of key slots, and a careless user (not you) might keep adding keys, filling up the slots. This is becoming even more hairy since there might be a different number of occupied slots in different HDDs.

As you can see, there's more to take care of if we want to officially support multiple keys. And while it is all doable, and your suggested feature does make sense, I wonder how many people would actually use it.

If other people want to weigh in on this, please comment in this thread.

 

(Regardless, if you feel brave enough and/or fluent enough with Linux CLI, you can use "cryptsetup luksAddKey" unto all of your array drives (and cache, if applicable) to add the emergency key. Make sure you operate against /dev/mdN (for diskN) and not /dev/sdX. Be very careful 🙂 )

I ran into an issue where I restarted unraid and I get "No key available with this passphrase.". This keyfile has worked for ages, and now it wont work, even manually, any ideas?

  • Author
11 hours ago, Jclendineng said:

I ran into an issue where I restarted unraid and I get "No key available with this passphrase.". This keyfile has worked for ages, and now it wont work, even manually, any ideas?

Need some context - have you been using the script that's the subject of this thread?

9 hours ago, doron said:

Need some context - have you been using the script that's the subject of this thread?

Yes, though I think I found the issue, or at least the most logical one. I don’t have ecc ram in my current server and a cosmic ray or random bit flip happened hosing my key slot. My key slot looks fine with the checker and the luks header looks fine so the only thing it could be is 1 bit maybe got changed causing my keyfile to fail. Unfortunate and I’ll have to format all my drives now but it happens and apparently in my research on this, happens a lot. If even 1 bit fails on the key slot the header is hosed. There are a couple threads on consistently backing up the header with mixed results, unfortunately I didn’t have a good header backup so all my data is gone. Sucks, but it’s price you pay for encryption, especially when it’s not fully supported by unraid. Future me will keep up to date header backups. 
 

Edit. I think it would be handy to have the script give the option to use more than 1 key slot when updating the key, instead of always deleting the old key by default, so if someone wanted to use a pass phrase and a key file for example they could. Unrelated to this but it would be a good addition to an already nice script (until unraid makes it officially a part of the gui as limetech has stated they will do)

Edited by Jclendineng

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.