Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.
Message added by doron,

This plugin is discontinued, as the functionality is available natively in Unraid. Thanks for using it over the years. The thread is left here for posterity.

unraid-newenckey: Change your drive encryption unlock key

Featured Replies

  • Author
10 minutes ago, Jclendineng said:

a cosmic ray or random bit flip happened hosing my key slot.

How many data drives are in your array? Just one?

  • Replies 81
  • Views 22.4k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • Very nice.  Similar to what we want to do, except I was also going to back up the LUKS headers first because I'm just that paranoid 😋

  • Jabberwocky
    Jabberwocky

    Just wanted to say thank you for the script! Would be nice to have this functionality as well as a backup of the luks header on the regular UI though (maybe as an optional / password-protected part of

  • Just  want to say that I used this script and it worked as expected. Thanks!

Posted Images

  • Author
19 hours ago, doron said:

How many data drives are in your array? Just one?

@Jclendineng, if I was unclear, that was a genuine question. Since you suspected a bit flip, that would be a viable hypothesis only if you have exactly one data drive in the array. Each drive has its own LUKS header; the chance of a bit flipping in all of them at once is practically zero.

53 minutes ago, doron said:

@Jclendineng, if I was unclear, that was a genuine question. Since you suspected a bit flip, that would be a viable hypothesis only if you have exactly one data drive in the array. Each drive has its own LUKS header; the chance of a bit flipping in all of them at once is practically zero.

I have 1 data drive, but I also have encrypted cache drive, with its own header, the keyfile doesn't work for either header anymore, but the header itself doesnt look corrupted meaning something must be wrong with the keyslot...in any case this is on me for not backing up the header.

 

Edit. 1 data, 1 parity and 1 cache.

Edited by Jclendineng

  • Author
1 hour ago, Jclendineng said:

I have 1 data drive, but I also have encrypted cache drive, with its own header, the keyfile doesn't work for either header anymore, but the header itself doesnt look corrupted meaning something must be wrong with the keyslot...in any case this is on me for not backing up the header.

If you have both a data drive and a cache drive, and both stopped being openable with your keyfile at the very same time, - I'd bet your key slots are fine. Chances are, either (a) you have some cabling issue or controller issue, or (b) something happened to the keyfile (have you backed it up? Perhaps use a backup copy).

I'd put lower chances on (c) someone did change the key on your drives or (d) some malware played nasty games with your LUKS headers.

Another thing - have you run "memtest" recently?

On 3/6/2023 at 1:23 PM, doron said:

If you have both a data drive and a cache drive, and both stopped being openable with your keyfile at the very same time, - I'd bet your key slots are fine. Chances are, either (a) you have some cabling issue or controller issue, or (b) something happened to the keyfile (have you backed it up? Perhaps use a backup copy).

I'd put lower chances on (c) someone did change the key on your drives or (d) some malware played nasty games with your LUKS headers.

Another thing - have you run "memtest" recently?

I thought memory (even though its relatively new ram...) but I pulled the drives, mounted them on a different server and attempted the unlock with the same results, so I have ruled out hardware (minus anything hardware related that might have done this)

  • Author
1 hour ago, Jclendineng said:

I thought memory (even though its relatively new ram...) but I pulled the drives, mounted them on a different server and attempted the unlock with the same results, so I have ruled out hardware (minus anything hardware related that might have done this)

So you believe both LUKS headers got corrupted simulateously?

Have you tried a backup copy of the keyfile?

17 hours ago, doron said:

So you believe both LUKS headers got corrupted simulateously?

Have you tried a backup copy of the keyfile?

Yes I have it in a private git repo that I call on startup to unlock, so its versioned and is the same. I also had a backup on a private cloud that also didn't work. Very odd but I'm assuming the simplest answer is ram issue or hardware issue, perhaps a controller is going bad, the board is pretty old, and its a gigabyte consumer board meaning anything possible :)

  • Author

Perhaps this calls for a new feature of this little tool - back up my LUKS headers. I'll take a look to see what it takes to do that reliably for the entire array. @Jclendineng

Edited by doron

  • 3 months later...

Hey, this 3 year old inactive account just want to say thanks.

 

Basically I setup encryption for one of my drives for the first time yesterday, copied shares over to it already, then panicked when I realized my past self must've forgotten to save the encryption key in my password manager because I can't see it there.

 

I think I remember the key... but I want a way to verify if it's correct without stopping the array because I'd be toast if it's incorrect (without making a back up first anyway).

 

Your tool did exactly what I needed to do and verified my memory serves me correctly today. I just exited on the prompt for new passphrase as soon as it verified my key was right. Big kudos to you, dude. You just saved my ass.

  • 1 month later...

hi! is it possible to use this tool just to verify my password without changing it? its been a while since i mounted and will have to hunt down my password, which i'm a bit unsure of... 😕

  • Author
15 minutes ago, Hugh Jazz said:

hi! is it possible to use this tool just to verify my password without changing it?

Sure; just run the tool as you normally would. Once asked for the old (current) password/key, provide it. The tool then tries this key on each available drive. If it can't open any of them, it will shout. If you're asked for the new key, it means the key is good; just hit ^C (ctrl-C) and leave.

18 minutes ago, doron said:

Sure; just run the tool as you normally would. Once asked for the old (current) password/key, provide it. The tool then tries this key on each available drive. If it can't open any of them, it will shout. If you're asked for the new key, it means the key is good; just hit ^C (ctrl-C) and leave.

thank you very much for the fast replay! looks like a neat tool!

 

if i choose a keyfile, can i just use any random file i want and store it on a usb stick or something?

  • Author
On 8/4/2023 at 12:37 AM, Hugh Jazz said:

if i choose a keyfile, can i just use any random file i want and store it on a usb stick or something?

Yes, any file, on the location of your choice. Make very sure though:

  1. It is accessible to Unraid during (re)starting the array
  2. It is kept intact, bit-wise, throughout the life of the array (do not trust a copy/paste of its contents, for example, etc.)
  3. You have a good backup copy in a safe place you remember... If you lose it, you lose your entire array and anything else that's encrypted using this keyfile.

This all may sound trivial, but - I've seen all of those happen. Better safe.

  • 6 months later...

Just wanted to say thank you for the script! Would be nice to have this functionality as well as a backup of the luks header on the regular UI though (maybe as an optional / password-protected part of the backup of the usb stick?).

 

For everybody who is looking for a way to change your passphrase:

  • Backup your luks header with this script (it's in the zip file and NOT in the post) to a location of your chosing (better safe than sorry..):

 

  • Install the script from this post from the app store called "New Unlock Key for Encrypted Drives" grafik.png.caf201f547f6c86391f49e51dd79030b.png

 

  • Run the script on the CLI to change your passphrase 913982475_Screenshot2024-02-11151459.thumb.jpg.73ec3f2048caf4d4d8e24751e3da5e6b.jpg

 

 

Edited by Jabberwocky

  • 2 weeks later...

Just went through this and had a bit of a scare; despite backups and testing, when I actually stopped the array nothing I did was successful getting it to start up again despite being super careful and confident that I had the right keyfile...

For whatever reason, before trying to fiddle with recovery measures, I decided to add the bits to the go file to fetch from a remote server and auto-start and reboot (all previously tested). And... it booted up perfectly fine straight into a started array.

That said, I would have loved a non-destructive option here (I almost went and did this all manually to just add the new key...) - as would my afternoon stress levels. In the end, all was well though. So thanks for a handy script.

  • Author

Thanks @_cjd_ for reporting this. I'm not sure I understand what actually went wrong? Why did the stress happen in the 1st place?

Sent from my tracking device using Tapatalk

1 hour ago, doron said:

Thanks @_cjd_ for reporting this. I'm not sure I understand what actually went wrong? Why did the stress happen in the 1st place?

I wish I knew. I changed the key, then ran the script again just through confirming the key (but without then replacing it); that all worked.

I then stopped the array and tried to start it; it failed (it didn't let me choose a passphrase or key until after it failed once, after which it prompted). At that point, selecting the keyfile did not allow the array to start. I tried sourcing the image from a few different places just in case one was unexpectedly corrupted (including manually copying from the remote host), none of them worked. I do probably get overly stressed about stuff like this (even with layers of backup options too)

I have no idea why rebooting changed anything, but it did; and just to be sure, I ran the script again (cancelling out before providing a new passphrase or keyfile) and indeed, it's passing with the keyfiles I was trying when things weren't working.

More than anything, I figured it was worth sharing in case anyone else runs up against the same odd behavior.

On the off chance it matters, this system is on 6.12.8

Edited by _cjd_

  • Author

@_cjd_some stress is certainly understandable in such situation 😉 

At any rate you may have bumped unto an Unraid bug (or feature).

It might be good to have the script recommend a server reboot once done.

  • 2 months later...

Hi,

 

today I wanted to change my passphrase and use it in the next step as an external keyfile.

At the moment I'm pasting the passphrase, which I've generated with 1Password, into the WebUI to unlock the array.

When I execute the script I get the following result:

root@Unraid-Srv01:~# unraid-newenckey


== unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==


Enter current key: *******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
*** Testing provided key against disks... disk1 (/dev/md1p1) ... done.

Error: Key provided as current does not open any of the encrypted devices.

Now exiting.
root@Unraid-Srv01:~# 

 

So the hassle begins o.O

I've tried a lot in the last 2-3 hours.

Copying the passphrase to a text-file and executing the script with 

 

unraid-newenckey /mnt/user/Backups/keyfile -

 

results in the same error.

 

Putting the keyfile to an external storage provider and downloading via wget on startup results in a similar error message (invalid keyfile). I've generated the keyfile with notepad++ under windows.

 

So I think it's a problem with my passphrase itself.

 

Echoing the passphrase to the keyfile in the unraid console shows more information:

 

 

root@Unraid-Srv01:/mnt/user/Downloads# echo -n 4v3ZJLEPTfykmcXgRaZFZzhTjDpHkb7RA7RGnkNm*cCw!N!fuPceTjXD@_Rk3ugpRyCBZNfdz86bg-XrMniBgMFEHn_d@YhZG8@-UkM6LJfH46uZ_D@C@tH8JiaTxsBG2v_uFc9Ncv!DMEabiE4fh.93BPEUWW2VYYFqiRasX.URKYLiXTaGfoy9_!gsW7aW!tUyNvbwX-HY47Gxq9-gHmwTcN8CpKKs2dX_YnNYKJTmiMMfGtCeEfqm4oxm9C-x66ihiq243iofrgPZKzPjnmnCa!4EAXBZuGtdy77-ucugbyFXCX2q7@Miav6ZYY-et7kTT_B-aENw!b_.!f- /Downloads/keyfile
-bash: !N!fuPceTjXD@_Rk3ugpRyCBZNfdz86bg: event not found

 

The passphrase showing here is the example part leading to the error.

In real life, the passphrase ist much longer and manually typing without an error into "cryptsetup luksChangeKey" isn't an option.

 

Does anyone have an idea how I can change the passphrase or do I have to reformat the harddrive ?

 

Greetings Tobi

 

 

Edited by skobix

  • Author

(EDITED: I misspoke below, now corrected for future readers)

First of all, if you have a working passphrase (i.e. you can unlock the array with your current key), do not reformat. No reason to - you have access to the encrypted array. We just need to figure out what's going on. 

 

22 hours ago, skobix said:

Copying the passphrase to a text-file and executing the script with 

 

unraid-newenckey /mnt/user/Backups/keyfile -

 

results in the same error.

That would depend on exactly how you copied your passphrase into the text file. Often has to do with the trailing newline char, but not always. Read on.

 

22 hours ago, skobix said:

 

Putting the keyfile to an external storage provider and downloading via wget on startup results in a similar error message (invalid keyfile). I've generated the keyfile with notepad++ under windows.

Ah. Probably not the best way to go about this 🙂 Line feeds, new lines, potato/potato. (Actually Notepad++ can be told to create Unix style files but never mind that).

 

22 hours ago, skobix said:

 

Echoing the passphrase to the keyfile in the unraid console shows more information:

 

 

root@Unraid-Srv01:/mnt/user/Downloads# echo -n 4v3ZJLEPTfykmcXgRaZFZzhTjDpHkb7RA7RGnkNm*cCw!N!fuPceTjXD@_Rk3ugpRyCBZNfdz86bg-XrMniBgMFEHn_d@YhZG8@-UkM6LJfH46uZ_D@C@tH8JiaTxsBG2v_uFc9Ncv!DMEabiE4fh.93BPEUWW2VYYFqiRasX.URKYLiXTaGfoy9_!gsW7aW!tUyNvbwX-HY47Gxq9-gHmwTcN8CpKKs2dX_YnNYKJTmiMMfGtCeEfqm4oxm9C-x66ihiq243iofrgPZKzPjnmnCa!4EAXBZuGtdy77-ucugbyFXCX2q7@Miav6ZYY-et7kTT_B-aENw!b_.!f- /Downloads/keyfile
-bash: !N!fuPceTjXD@_Rk3ugpRyCBZNfdz86bg: event not found

 

Okay. This is just because you have not quoted the string, and some characters trigger the shell's builtin functions. Not to worry. 

 

For starters, please try three things, in order of your own preference:

 

1. Use an editor on the Unraid Linux console to generate the keyfile. You can use vi or nano (probably the latter would be more accessible if you're less familiar with the Linux CLI). Save it, then try it with the unraid-newenckey tool.

 

2. Use the echo command above, but quoting your passphrase with single quotes. Like so:

echo -n '123My!Pass!Phrase?' > keyfile

 

3. If #2 above does not unlock, try the same command but drop the "-n" flag.

 

Chances are, one of these will work. Please report back (if it works, let me know which one it was).

Edited by doron

Hi doron,

 

thanks for your reply.

Unfortunately, none of your proposals worked.

 

1.

I tried nano and vi, inserted my passphrase, saved, checked back if the passphrase is inside the keyfile.

 

root@Unraid-Srv01:/mnt/user/Downloads# unraid-newenckey /mnt/user/Downloads/keyfile - 

== unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==
*** Testing provided key against disks... disk1 (/dev/md1p1) ... done.
Error: Key provided as current does not open any of the encrypted devices.
Now exiting.

 

2. and 3. with and without -n flag

 

My passphrase (part of):

root@Unraid-Srv01:/mnt/user/Downloads# echo -n "v3ZJLEPTfykmcXgRaZFZzhTjDpHkb7RA7RGnkNm*cCw!N!fuPceTjXD@_Rk3ugpRyCBZNfdz86bg-XrMniBgMFEHn_d@YhZG8@" > keyfile
-bash: !N!fuPceTjXD@_Rk3ugpRyCBZNfdz86bg: event not found

 

Your passphrase example: 

root@Unraid-Srv01:/mnt/user/Downloads# echo -n "123My!Pass!Phrase?" > keyfile
-bash: !Pass!Phrase?: event not found
root@Unraid-Srv01:/mnt/user/Downloads# echo "123My!Pass!Phrase?" > keyfile
-bash: !Pass!Phrase?: event not found

 

I tried the console in the browser-tab and the terminus ssh-client on my Mac-mini.

 

  • Author
41 minutes ago, skobix said:

2. and 3. with and without -n flag

 

My passphrase (part of):

root@Unraid-Srv01:/mnt/user/Downloads# echo -n "v3ZJLEPTfykmcXgRaZFZzhTjDpHkb7RA7RGnkNm*cCw!N!fuPceTjXD@_Rk3ugpRyCBZNfdz86bg-XrMniBgMFEHn_d@YhZG8@" > keyfile
-bash: !N!fuPceTjXD@_Rk3ugpRyCBZNfdz86bg: event not found

 

Your passphrase example: 

root@Unraid-Srv01:/mnt/user/Downloads# echo -n "123My!Pass!Phrase?" > keyfile
-bash: !Pass!Phrase?: event not found
root@Unraid-Srv01:/mnt/user/Downloads# echo "123My!Pass!Phrase?" > keyfile
-bash: !Pass!Phrase?: event not found

 

 

My apologies. Please use single quotes, not double quotes.

Using the single quotes worked and I could generate the keyfile, but I wasn't able to use the generated keyfile.

The same error occured:

 

root@Unraid-Srv01:/mnt/user/Downloads# unraid-newenckey /mnt/user/Downloads/keyfile - 

== unraid-newenckey v0.9, made for Unraid, change encrypted volumes' unlock key. @doron ==
*** Testing provided key against disks... disk1 (/dev/md1p1) ... done.
Error: Key provided as current does not open any of the encrypted devices.
Now exiting.

 

I'm so sorry .....

  • Author
51 minutes ago, skobix said:

I'm so sorry .....

Don't be. We need to track this down.

I presume you tried this both with and without the "-n" flag? If not, please do.

 

When you start the array, how exactly are you providing the passphrase? Are you copying it from a file? From the 1Password application? How exactly are you pasting it?

(I'm asking about when the passphrase is actually accepted and works for you.)

 

Another thing to try, meanwhile:

cryptsetup luksOpen --test-passphrase /dev/md1p1

cryptsetup luksOpen --test-passphrase /dev/md1p1

you will be prompted for your passphrase; try to provide it exactly the same way you provide it when you start the array.

 

36 minutes ago, doron said:
1 hour ago, skobix said:

I'm so sorry .....

Don't be. We need to track this down.

I presume you tried this both with and without the "-n" flag? If not, please do.

Yes, I tried both variants.

 

1Password creates and stores passwords. I simply click in the corresponding entry and the password is copied to the clipboard.

In the Unraid WebUI I press Strg+v to insert it in the passphrase-field and start the array.

 

In the same way I copied the passphrase for the tests here in this thread.

 

When I created the password, I did this in 1Password and saved it there. Only then I pasted it in Unraid for the encryption process.

 

Entering my passphrase via  

 

cryptsetup luksOpen --test-passphrase /dev/md1p1

 

results in

 

root@Unraid-Srv01:~# cryptsetup luksOpen --test-passphrase /dev/md1p1
Enter passphrase for /dev/md1p1: 
root@Unraid-Srv01:~# 

 

Entering a wrong passphrase results in

 

root@Unraid-Srv01:~# cryptsetup luksOpen --test-passphrase /dev/md1p1
Enter passphrase for /dev/md1p1: 
No key available with this passphrase.
Enter passphrase for /dev/md1p1: 

 

So the test seems to work ?

 

 

Edited by skobix

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.