Securely auto-start 6.8+ Encrypted array using SFTP from your phone OR quick and dirty auto-start



So first off thanks to spaceinvader for the groundwork:

https://www.youtube.com/watch?v=TSlHEBR1yfY

 

I decided to take this idea a bit further as I wanted to use SFTP with public key encryption to keep everything encrypted and I prefer to use open source software whenever possible. This took way longer than I care to admit to get working properly even though the end result is fairly simple.

 

Also his video is an older version of unraid, the keyfile is no longer stored, so you have to create it yourself.

 

This could be set up on an sftp web server if you trust it enough, or use the android app below.

 

You will need to set up your phone to have a static IP address with your router for this to work. A static IP on your phone directly can work as well, but router is a better option.

 

Install primitive ftpd on android, it is free and open source, I prefer to download from f-droid store.

https://f-droid.org/en/packages/org.primftpd/

 

run primitive ftpd
Select plain old file system and pick a folder you want to use (depending on version of android, you might need to use another file system, test and see what works for you, you can enable a password / not enable keys and use filezilla to test the connection before moving onto unraid)

 

in settings:
Disable all unsecured log in / protocols including only starting sftp server
Add username "unraid"
remove password
set sftp port to 2785
enable public key log in and make note of folder it wants the public key to be stored in

I would also add the allowed IP pattern. Simply enter the LAN IP address of the unraid server (can use a * for the last number if the IP changes or you want more than just the unraid server to access the phone). This will prevent anyone not on a LAN from accessing the sftp server.


Copy public key from unraid flash drive to temp share:

cp /boot/config/ssh/ssh_host_rsa_key.pub /path/to/share/here

Or just use file explorer to browse the flash drive if it is exported.

rename the public key "authorized_keys"

Copy to phone

place the file in ".ssh" folder on main storage (it tells you correct folder in the primitive ftpd app), create if needed


Command to create keyfile:

 

Quick and dirty side note: if you just want to build your array with encryption now since it is a royal pain to change later, you can simply add the below command directly to the go file. It is not secure but will get you going and you can get more advanced later. It is still better than nothing, simply yank the unraid USB and power cord from the computer and everything is secure.

 

Personally I would recommend using an encrypted array if you think there is any chance you might wish you had it in the future, much much better to do it when first setting up unraid than trying to swap over later.

echo -n 'password_here' > keyfile

You will most likely need to change permissions to be able to copy it to your phone:

chmod ugo+rwx keyfile

Edit: This is technically an optional step but I would highly recommend it as it is far more secure and does not expose your actual array password in plain text.

 

1: Install p7zip from the nerdtools plugin (install nerdtools plugin if you have not already then search for p7zip)

2: Open terminal after the keyfile exists in root (or if doing this from the start, do this step just after creating the keyfile)

3: Run this command substituting a password of your choosing, do not use your array password as this password will be stored in plain text on the USB drive.

7z a -p'Password here no space between the p' -mx=9 -mhe -t7z key.7z keyfile

copy it to temp share like before

cp key.7z /path/to/share/here

Copy to ftp folder you setup on phone

 

This is the command to copy the keyfile to the server, be sure to update the IP address to yours:

sftp -v -P 2785 -o identityfile=/boot/config/ssh/ssh_host_rsa_key unraid@FTP_IP_Address_Here:key.7z /root/key.7z

Run this at least once directly on the server as it will ask you to confirm the connection and we need the file it creates

Type "yes" at the prompt to remember the connection otherwise it will not work at boot.

 

Now we need to copy the known_hosts file to the USB drive so it can be restored at boot

cp .ssh/known_hosts /boot/config/ssh/known_hosts 

Make sure the sftp command worked by typing "ls" (LS but lower case) at root@NAS:~#

 

Once you verified it is working, you just need to add it to the go file for unraid.

Use notepad++ and open the go file in flash/config, do not use normal notepad, it will cause issues

 

Paste in the below lines as new lines in the go file.

mkdir -v /root/.ssh
cp -v /boot/config/ssh/known_hosts /root/.ssh/known_hosts
sftp -v -P 2785 -o identityfile=/boot/config/ssh/ssh_host_rsa_key unraid@your_ftp_address_here:key.7z /root/key.7z 
7z x -p'unraidkeyfilepassword' /root/key.7z -o/root/

reboot and test it out.

 

You should be able to see the output from these commands as the last few lines on the console at boot before it lists the IP address

Edited by TexasUnraid
Link to comment
  • 1 month later...

Well, I was working on my phone and saw the keyfile sitting there for this in plain text and it annoyed me enough to fix it lol.

 

So here is a simple addition to the above that will keep the keyfile encrypted on the FTP server / phone preventing anyone from getting your password should they access the ftp server.

 

1: Install p7zip from the nerdtools plugin

2: Open terminal after the keyfile exists in root (or if doing this from the start, do this step just after creating the keyfile)

3: Run this command substituting a password of your choosing, do not use your array password as this password will be stored in plain text on the USB drive.

7z a -p'Password here no space between the p' -mx=9 -mhe -t7z key.7z keyfile

4: Add this command after the SFTP command in the go file

7z x -p'Password here no space between the p' /root/key.7z -o/root/

 

So someone would need both the FTP file and the go file from the USB in order to get your array password, not perfect but much better since the password used for the zip file is a throwaway that doesn't matter.

 

This could also be used with a proper keyfile (aka, a picture etc) as well if that is how you encrypted your array. Simply encrypt the keyfile and it will be protected from prying eyes.

 

I will insert these instructions into the above post.

Edited by TexasUnraid
Link to comment

I had been messing around with this a little bit trying to make it a more interactive function with push alerts and such.

 

The main problem with all of these ideas though is that they don't seem to account for unauthorized access, in extreme circumstances.  Let's say that the server gets stolen and someone starts it up.  Without the keyfile it's useless, ok that's fine.

 

But you don't know that the server is missing -- and your ftp is running -- and it's restarted and data is loaded.  That's not fine.

 

Let's say that the array started / stopping / stopped scripts (from another thread about this) are present and the array is stopped by a bad actor, the keyfile gets downloaded (or is still present) and the array can be restarted with data intact.  That's not fine.

 

In either case as long as the keyfile is not already there simply having the ftp server turned off will prevent the ability to get the keyfile downloaded, as long as you remember to keep the ftp off.  That's ok.

 

Now let's say you're away on vacation and the server reboots for whatever reason and is now offline -- but you have a family member that needs access to the server, but your ftp server was turned off because you weren't expecting it to reboot.. so now it's running at the array stopped - need keyfile to start array.

 

What to do?

 

Give up your passphrase to someone to type it in and start the array.... not a big deal most likely but not the first choice.

 

Try to talk them through opening a console prompt and running some commands to fetch the keyfile from your ftp server... good luck with that.

 

Let's say you're able to get the keyfile onto the system remotely, now you still have to start the array with the keyfile present.  Well that involves a restart of the gui.  It's not the cleanest solution per se but I don't think it would exactly break anything doing that.

 

Also, ftp on your phone doesn't work UNLESS you're on a router and can get an open port for access.  So if all you have is cell network access -- your server is not starting any time soon.  Will unraid's ftp server run without the array started?  That might be better to connect TO unraid rather than to your phone.

 

I was trying to implement a way of getting a notification if the server was restarted unexpectedly and then have the choice of transferring the keyfile and getting the array started.  I have push notifications going ok and the scripts for downloading the keyfile can include a command to restart the webui to load the keyfile ... so all in all it's dirty but it works.

 

I never really finished cleaning all this up and simplifying the process... so I guess I'm just thinking out loud in case there's any better ideas that anyone can come up with.

 

One person in another thread talked about connecting to the webui via vpn, and that seems to work well enough and might even be easier even if not as automated. 

 

Ok I've spewed enough about this... ideas, thoughts, comments?

Link to comment

You have some good points, the end result with any kind of security is how much hassle you are willing to put up with.

 

The more hassle and effort you are willing to put up with on a regular basis, the more secure it will be and vice versa.

 

The trick is finding the right balance for your situation.

 

Automatically entering the password/keyfile is going to be insecure no matter what you do, you can only reduce the risks. The best security is to manually enter an 80 character long password every time you start the server while covering the keyboard and watching over your shoulder. Personally I find that outside my hassle threshold lol.

 

The setup Spaceinvader / I came up with is a pretty good balance IMHO but it does make some assumptions.

 

1: That you have a local wifi network

2: That you, or someone you trust / family member will be present anytime the server needs to boot

3: That you are not being actively targeted by someone trying to get your data.

 

Given these parameters I feel that the setup I am using is about the best tradeoff I can do.

 

Someone attacking remotely would get nothing from my phone as it is now encrypted. They would have to break into unraid to get the keyfile or password for the archive, so I am already screwed if they get that far.

 

A local attack is also outside most capabilities with the encrypted keyfile I am using now. They would have to really know what they are doing to get the password from the go file, hack into the sftp server, get the keyfile and then get into unraid. Possible if you are not there to stop it but once again you would have to be targeted and at that point you are screwed regardless pretty much. Your basic smash and grab would end up with no usable data.

 

Someone stealing the server would put them out of luck if you use a phone / LAN based FTP option. Since remotely they would not have access to the FTP server and if they try to do it while you are home, well I am going to guess you would notice lol.

 

 

Basically the only real weakness is someone that is targeting you, knows exactly how you have everything set up and somehow manages to keep it powered on after stealing it and letting it download the keyfile from your phone all while you are somehow not aware?

 

Not perfect of course, everything can be hacked but good enough to stop 95% of potential attackers. If you have someone capable of getting around all of that, then I think you are screwed no matter what TBH. The best security is to not have anything of value, my data is worthless to anyone but myself but I still don't want all our family pictures falling into someone else's hands lol.

 

In this case the encryption in my case is more about future proofing, it is a pain to encrypt later. Also if I needed to RMA a drive for example I don't have to wipe it first. Also peace of mind if it was stolen to basically know the data is safe etc.

Edited by TexasUnraid
Link to comment

Now all of that aside, back to your specific questions.

 

1: You can set up a wifi network in your house without any internet, pretty sure most phones will connect to it but use data for internet connection. Or better yet, use a LAN based device to host the FTP server. There are a lot of android media boxes out there for cheap that should be able to do it, simply plug it in as a P2P network if needed. Although wifi is better if the device will be left home when you are not there since that allows you to hide it.

 

Old routers can be had for like $10.

 

2: If for some reason the server would need to be started when you are not home you can either use the LAN option above or have a secondary phone in the house that also has the FTP server. If you were going out of town, turn the phone off and hide it somewhere.

 

Should the need arise that someone else needs to reboot the server, simply tell them where the phone is and have them turn it on. Then they can reboot the server and it should work. You could even set up a script on the phone to SSH into the server and reboot it with the press of a button. This is the simplest option IMO.

 

You can easily set the server to check multiple FTP servers for the file, so that it will work with anyone's phone that is home for example.

 

3: Like I mentioned above with the encrypted keyfile I am using now, it becomes quite difficult for someone to get the keyfile as they would have to compromise both the ftp server and the unraid server.

 

4: A VPN to allow you to log into the server directly is the best option if you see this need coming about regularly or have other needs that could make a VPN worth it. A router with VPN capabilities would seem to solve a lot of your issues lol. I have PFsense setup on an old laptop someone gave me. It makes for a fantastic router with more features and power than I need and it has a builtin battery backup.

 

Only things I did hardware wise was buy a $8 PCexpress gigabit card and rig up a 120mm fan to blow through the cooling vents so the internal fan does not need to turn on and it keeps it cooler.

Edited by TexasUnraid
Link to comment
  • 2 months later...
  • 10 months later...

Make sure that the known hosts file is there, it seems to be missing. Possibly a step was missed before this one.

 

The SFTP command before this succeeded properly correct? You said to trust the source etc?

 

Another thing is that the latest version of unraid allows you to put these files on the USB drive and it will automatically install them during a boot IIRC. It is also possible that this change has changed the folder layout for these items although I never updated mine and it still works.

Edited by TexasUnraid
Link to comment

for this command I needed to run the new permissions under tools to be able to rename/copy the file to the phone

cp /boot/config/ssh/ssh_host_rsa_key.pub /mnt/user/download

 

all said and done something I get this error when unraid boots

 

ERROR: no more files

/root/key.7z

 

System ERROR:

Unknown error -2147024872

 

then it shows me the unraid server's ip address.

 

does this need to be changed some how?

 

mkdir -v /root/.ssh

cp -v /boot/config/ssh/known_hosts /root/.ssh/known_hosts

sftp -v -P 2785 -o identityfile=/boot/config/ssh/ssh_host_rsa_key unraid@your_ftp_address_here:keyfile /root/keyfile

7z x -p'unraidkeyfilepassword' /root/key.7z -o/root/

 

also is there a log of the startup so I can check for other errors?

 

I am on a fresh install of unraid 6.9.2

 

running this command sftp -v -P 2785 -o identityfile=/boot/config/ssh/ssh_host_rsa_key unraid@your_ftp_address_here:keyfile /root/keyfile

gave me this error,

this folder has the key.7z in it not keyfile, do i need to change keyfile to key.7z?


Edited by schuu
Link to comment

I had to change keyfile to key.7z

 

sftp -v -P 2785 -o identityfile=/boot/config/ssh/ssh_host_rsa_key unraid@your_ftp_address_here:key.7z /root/key.7z

 

and under settings / disk settings / I changed enable auto start to yes,

 

with the sftp turned off the array does not start but when I turn it on it does

 

everything is working as intended now,

 

however it would be nice if I could remove keyfile and key.7z after the array has started. Because is it now just sitting there on the usb? 

do you have any ideas for that?

 

thanks

 

Edited by schuu
Link to comment

Odd, when you compressed the keyfile it should have made it a key.7z file automatically. Are you sure you compressed it with 7z in a prior step?

 

The keyfile is not on the USB, it is stored in ram. It is lost if the system is powered down or rebooted already.

 

You could create a script in user scripts that will delete the files on array start pretty easily though if it bothers you.

Link to comment
5 minutes ago, TexasUnraid said:

Odd, when you compressed the keyfile it should have made it a key.7z file automatically. Are you sure you compressed it with 7z in a prior step?

 

The keyfile is not on the USB, it is stored in ram. It is lost if the system is powered down or rebooted already.

 

You could create a script in user scripts that will delete the files on array start pretty easily though if it bothers you.

 

it did compress the keyfile to key.7z properly and the files are in the correct places,

 

the command you put in to the go file is wrong

you had

sftp -v -P 2785 -o identityfile=/boot/config/ssh/ssh_host_rsa_key unraid@your_ftp_address_here:keyfile /root/keyfile

but it should be

sftp -v -P 2785 -o identityfile=/boot/config/ssh/ssh_host_rsa_key unraid@your_ftp_address_here:key.7z /root/key.7z

 

is this on memory?

I just checked the usb you are correct the files are not on there,

I think I would prefer them deleted when the array starts, but i'll have to learn how to do that,

 

 

Link to comment
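An added example, not code from any poster in this thread or from Unraid: a boot helper that tries several SFTP hosts in turn (the "check multiple FTP servers" idea above), refuses unknown or changed host keys without prompting, leaves no keyfile behind when every host fails, and provides the cleanup asked about in the last posts. The host addresses, `ARCHIVE_PASSWORD` value and function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Host IPs and ARCHIVE_PASSWORD are
# constructed placeholders; function names are hypothetical.
KEY_HOSTS="${KEY_HOSTS:-192.0.2.10 192.0.2.11}"   # hosts to try, in order
SFTP_PORT="${SFTP_PORT:-2785}"
IDENTITY="${IDENTITY:-/boot/config/ssh/ssh_host_rsa_key}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/boot/config/ssh/known_hosts}"
ARCHIVE_PASSWORD="${ARCHIVE_PASSWORD:-throwaway_archive_password}"
DEST_DIR="${DEST_DIR:-/root}"

# Download key.7z from one host. BatchMode keeps sftp from waiting on a
# prompt at boot; StrictHostKeyChecking=yes rejects hosts whose key is not
# already pinned. UserKnownHostsFile reads the pinned keys straight from
# the flash drive, so nothing has to be copied into /root/.ssh first.
fetch_from() {
    sftp -P "$SFTP_PORT" \
        -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=10 \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o IdentityFile="$IDENTITY" \
        "unraid@$1:key.7z" "$DEST_DIR/key.7z"
}

# Decrypt the archive into DEST_DIR (the same 7z call the thread uses).
extract_key() {
    7z x -y -p"$ARCHIVE_PASSWORD" "$DEST_DIR/key.7z" -o"$DEST_DIR/" >/dev/null
}

# Try each host; succeed only if a non-empty keyfile was produced.
fetch_key() {
    umask 077                       # new files readable by root only
    for host in $KEY_HOSTS; do
        rm -f "$DEST_DIR/key.7z" "$DEST_DIR/keyfile"
        if fetch_from "$host" && extract_key && [ -s "$DEST_DIR/keyfile" ]; then
            rm -f "$DEST_DIR/key.7z"
            chmod 600 "$DEST_DIR/keyfile"
            return 0
        fi
    done
    # Fail closed: no partial archive or empty keyfile is left in RAM.
    rm -f "$DEST_DIR/key.7z" "$DEST_DIR/keyfile"
    return 1
}

# Call this from a user script scheduled at array start, once the array
# has been unlocked and the keyfile is no longer needed.
cleanup_key() {
    rm -f "$DEST_DIR/keyfile" "$DEST_DIR/key.7z"
}

# Runs only when the script is invoked with the argument "run",
# for example from the go file.
if [ "${1:-}" = "run" ]; then
    fetch_key || echo "no key host reachable; array stays locked" >&2
fi
```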
  • 11 months later...

If this solution is not working for you anymore when you did an update of unraid OS then open

/root/.ssh/known_hosts

and remove the old host entry to your sftp server there

 

After that, start over with these two commands from the description above.

Then it should work again.

On 6/7/2020 at 7:02 PM, TexasUnraid said:

This is the command to copy the keyfile to the server, be sure to update the IP address to yours:

sftp -v -P 2785 -o identityfile=/boot/config/ssh/ssh_host_rsa_key unraid@FTP_IP_Address_Here:key.7z /root/key.7z

Run this at least once directly on the server as it will ask you to confirm the connection and we need the file it creates

Type "yes" at the prompt to remember the connection otherwise it will not work at boot.

 

Now we need to copy the known_hosts file to the USB drive so it can be restored at boot

cp .ssh/known_hosts /boot/config/ssh/known_hosts 
Link to comment
  • 4 months later...
