A couple of questions re: keyfiles/passphrases


rragu

My standard disclaimer: I only know enough to break things that I don't know how to fix...

 

Question 1:

I've written my go file such that at boot, I get my array passphrase via AWS Secrets Manager and write it to /root/keyfile. unRAID then uses /root/keyfile to unlock/startup my array. I've been manually deleting my keyfile after startup.

 

Can I just add the following to the go file to automatically delete the keyfile 5 minutes after startup:

sleep 300s
shred /root/keyfile

Or should I just write a user script with the above commands via the User Scripts plugin to be executed after Array start?

 

Question 2:

From what I've managed to glean from the forums, in unRAID 6.8+, passphrases seem to be more secure than keyfiles as passphrases are not written to a visible-to-user file (even ones that only exist in RAM). The aws-cli command I use for the procedure above retrieves a string, not a file. So, is it possible to use the output of this command as the passphrase rather than writing it to a file first?

 

Thanks!

Edited by rragu
changed rm to shred
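
An added example, not part of the original post: one way to do the cleanup from Question 1 without blocking the go file, by writing the keyfile with root-only permissions and shredding it from a background job. The helper names `write_keyfile` and `schedule_shred` and the secret id `unraid/array-key` are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original post). The secret id and helper names
# are placeholders chosen for illustration.

# Write a secret read from stdin to a keyfile that only its owner can read.
# No trailing newline is written, so the file holds exactly the passphrase bytes.
write_keyfile() {
    local path="$1" secret
    secret="$(cat)"          # command substitution strips trailing newlines
    # umask covers a newly created file; chmod covers a pre-existing one.
    ( umask 077; printf '%s' "$secret" > "$path" )
    chmod 600 "$path"
}

# Overwrite and unlink the keyfile after a delay. The work runs in a
# background subshell, so the calling script is not held up by the sleep.
# Plain `shred` only overwrites the contents; `-u` also removes the file.
schedule_shred() {
    local path="$1" delay="$2"
    ( sleep "$delay"; [ -f "$path" ] && shred -u "$path" ) >/dev/null 2>&1 &
}

# Intended use at boot (assumed secret id "unraid/array-key"):
#   aws secretsmanager get-secret-value --secret-id unraid/array-key \
#       --query SecretString --output text | write_keyfile /root/keyfile
#   schedule_shred /root/keyfile 300
```

Piping the aws-cli output straight into `write_keyfile` keeps the passphrase out of command-line arguments, which other local processes can read from the process list.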