LUKS disk encryption plugin

    • Official post

    The filesystem is what is being checked not the LUKS container. So, you would have to add that to the default options for ext4 (or whatever filesystem you are using) in /etc/default/openmediavault.

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • The filesystem is what is being checked not the LUKS container. So, you would have to add that to the default options for ext4 (or whatever filesystem you are using) in /etc/default/openmediavault.

    I think you meant I should edit the concerned line in "/etc/openmediavault/config.xml" and not in "/etc/default/openmediavault" since I didn't find any useful setting in that file. Anyway, it works with an edit in "/etc/openmediavault/config.xml". Thanks for pointing me in the right direction.

    • Official post

    Nope, I meant /etc/default/openmediavault since you don't want to edit config.xml every time. You need to add the option if it isn't in the default file.


    OMV_FSTAB_MNTOPS_EXT4="defaults,nofail,user_xattr,noexec,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0"


    Unfortunately, that only is used for newly created filesystems. So, this is when you need to edit /etc/openmediavault/config.xml to edit existing filesystems. Then omv-mkconf fstab to create the fstab entry.


  • Okay, I see. I've had a look at "http://wiki.openmediavault.org/index.php?title=Environment_Variables/all" for the environment variables but your var isn't stated there. Is there any more complete list of the vars, that I'm missing?
    So if I only have one encrypted drive I'll be good with the manual config in the config.xml file for that single entry I think.

  • @ryecoaaron


    Hi again. I've been using your plugin built for OMV3 on 2 different servers for some time and I'm very happy, thanks again.


    I've noticed a minor problem with the Key Test function: when I supply a correct password to unlock one of the 8 key slots, the plugin returns the message:


    Successfully unlocked key slot null



    In case I'd want to delete a key slot, this way I do not know which is the key slot I have to delete and which to save.


    Could you please help?


    Thanks again.


    Marco

    • Official post

    Could you please help?

    Fixed this and a couple other bugs and cleaned up some code. 3.0.1 in repo now.


    • Official post

    When will it be available in the stable repo?

    While I have it installed on my test VM, I don't use it for real data. So, unless people using it explicitly tell me that it is stable enough to put in the main repo, it stays in testing.


  • I'm having a different problem with the plugin I just installed. Once I click on Create, I can't select a volume to encrypt, it won't give me any options and I can't put the volume in by typing it manually. Does anyone know how to solve this issue? I'm on 3.0.69 (Erasmus) and already did a reinstall and several reboots but nothing is changing.

    • Official post

    You need a blank (wiped) disk to create the container on.


  • In case of theft I would like to secure my data so only the hardware is lost and they can't access my data (easily)
    Just want to make sure I am not doing something stupid:
    My hardware setup looks like this:
    HP Microserver Gen8 (16GB Ram)
    2x 256SSD (HW Raid 1)
    4x 3TB (HW Raid 5)
    ESXi (2VMs --> OpenMediaVault 2 & PlexMediaServer)
    Right now my OMV VM accesses the 8TB datastore (created using the HP raid utility) and provides several SMB shares for my plex server. To install and use the LUKS plugin I have to wipe the datastore, create a new encrypted device, format it and copy my data back to it. Is this correct?

  • Following that thread, I assume that I have to dump my Raid 5 (or the EXT4-partition on it) in order to create an encrypted volume?


    Encrypting an existing seems not possible, right?


    How about external drives, which I use for backup?


    Can I plug them in, enter password in WebUI and then the automated rsync-job (USB Backup Plugin) starts?

    Chaos is found in greatest abundance wherever order is being sought.
    It always defeats order, because it is better organized.
    Terry Pratchett

  • Can someone explain how the key file option works ? The browse button looks for a local file on the client machine, but it doesn't seem to upload anything to OMV. Should it rather use an OMV path for a USB drive or a remote mount ?


    Also, is any work being done on the auto-unlock feature ? Ideally, I would like it to auto-unlock all drives by using a file key located on a remote mount share.

  • Key File is the restore key for your encrypted drive. You have to store it separately, e.g. USB Drive, Cloud, etc.


  • Key File is the restore key for your encrypted drive. You have to store it separately, e.g. USB Drive, Cloud, etc.

    Yes, but how is the input box supposed to work ? The Key File field is not editable and the Browse button opens a local fileselector on my PC and doesn't seem to upload anything to OMV. It just adds the path "C:\Fakepath\<filename>". How am I supposed to enter a path to a USB drive on OMV or a file in the cloud ?

    • Official post

    Encrypting an existing seems not possible, right?

    Correct. You have to create the luks device first and then put the filesystem on top of it.



    How about external drives, which I use for backup?
    Can I plug them in, enter password in WebUI and then the automated rsync-job (USB Backup Plugin) starts?

    Doesn't really work for that scenario.


    Can someone explain how the key file option works ? The browse button looks for a local file on the client machine, but it doesn't seem to upload anything to OMV. Should it rather use an OMV path for a USB drive or a remote mount ?

    It does upload the file from the local machine. That is the only place the unlock file can exist. If it was on the OMV system, someone could unlock your luks devices if they stole or hacked the system.


    Also, is any work being done on the auto-unlock feature ?

    People are lucky that I ported it. That was a lot of work for something I don't use. Adding features is not on my todo list. Sorry. A script that mounts a network share and unlocks the luks devices shouldn't be too bad to create but would be difficult with the plugin.


    It just adds the path "C:\Fakepath\<filename>"

    It is still uploading from the path you specified.


    How am I supposed to enter a path to a USB drive on OMV or a file in the cloud ?

    From OMV? The key file would have to be shared via samba or something so your desktop could access it but I wouldn't store the key on the same box. Same thing with the cloud. Your desktop would have to be able to access the key as a local file.

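One way to write the script mentioned in the reply above (mount a network share, unlock the LUKS devices, detach the share), as an added example that is not part of the thread or the plugin. The share, credentials file, mount point and device/mapper names are hypothetical placeholders; with the default DRY_RUN=1 the function only prints the commands it would run.

```sh
# Added example: unlock LUKS containers with key files kept on a remote share.
# Every host, path and device name here is a hypothetical placeholder.
KEY_SHARE="//keyhost.example/luks-keys"   # assumed SMB share holding the key files
KEY_MNT="/run/luks-keys"                  # mount point under /run (tmpfs)
CREDS="/root/.luks-share.cred"            # assumed cifs credentials file, mode 0600
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = execute them

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# unlock_all "device:mapper-name" ...
# The key file for each container is expected at $KEY_MNT/<mapper-name>.key
unlock_all() {
    rc=0
    run mkdir -p "$KEY_MNT" || return 1
    run mount -t cifs "$KEY_SHARE" "$KEY_MNT" -o "ro,credentials=$CREDS" || return 1
    for entry in "$@"; do
        dev="${entry%%:*}"
        name="${entry##*:}"
        # Skip containers that are already open.
        if [ "$DRY_RUN" != "1" ] && [ -e "/dev/mapper/$name" ]; then
            continue
        fi
        run cryptsetup open --type luks --key-file "$KEY_MNT/$name.key" "$dev" "$name" || rc=1
    done
    # Always detach the share so the key files are unreachable after unlocking.
    run umount "$KEY_MNT" || rc=1
    return "$rc"
}

# Real run (as root): DRY_RUN=0 unlock_all /dev/sdb:data1 /dev/sdc:data2
```

The key files stay off the OMV box, but the share credentials do not, so this protects against theft only if the key host is unreachable from wherever a stolen machine would be powered on.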

  • It does upload the file from the local machine. That is the only place the unlock file can exist. If it was on the OMV system, someone could unlock your luks devices if they stole or hacked the system.


    People are lucky that I ported it. That was a lot of work for something I don't use. Adding features is not on my todo list. Sorry.

    And the effort is definitely appreciated. Let me take the occasion to thank you for all the support and dev work that you do on OMV.


    The reason I thought it didn't upload was because clicking Add produces the following error:


    Code
    Error #0: exception 'OMV\Exception' with message 'Unable to add the key to the encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; echo -n '<password>' | cryptsetup luksAddKey -q '/dev/vde' --key-file=-'/tmp/phpSgDBHV' 2>&1' with exit code '1': Failed to open key file.' in /usr/share/openmediavault/engined/rpc/luks.inc:530 Stack trace: #0 [internal function]: OMVRpcServiceLuksMgmt->addContainerKey(Array, Array) #1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array) #2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('addContainerKey', Array, Array) #3 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('LuksMgmt', 'addContainerKey', Array, Array, 1) #4 {main}

    I'm trying to use the Add feature to add a key file to a drive that is encrypted with a pass phrase. Maybe that's not possible.
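The command quoted in the error above has no space between `--key-file=-` and the quoted temp-file path, so the shell joins them into one word. The added example below (not code from the thread or the plugin) prints the argument list for the logged form and for the form with a separating space, without running cryptsetup; the device and temp-file names are copied from the error message.

```sh
# Added example: how the shell splits the luksAddKey command from the error.
# Nothing here runs cryptsetup; the word is only passed through as an argument.

# Print each argument the shell actually passes, one per line, in brackets.
show_argv() { printf '[%s]\n' "$@"; }

# As logged: '-' and the quoted path are adjacent, so they form ONE word and
# cryptsetup is asked to open a key file literally named "-/tmp/phpSgDBHV".
as_logged() {
    show_argv cryptsetup luksAddKey -q '/dev/vde' --key-file=-'/tmp/phpSgDBHV'
}

# With a space: --key-file=- means "read the existing passphrase from stdin",
# and the path becomes a separate positional argument, the new key file.
as_intended() {
    show_argv cryptsetup luksAddKey -q '/dev/vde' --key-file=- '/tmp/phpSgDBHV'
}

# Extract the value cryptsetup would see for --key-file from an argv dump.
key_file_value() { sed -n 's/^\[--key-file=\(.*\)\]$/\1/p'; }

# as_logged   | key_file_value
# as_intended | key_file_value
```

In the logged form cryptsetup receives five arguments and no new key file at all, which matches the "Failed to open key file" result.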
