LUKS disk encryption plugin

    • OMV 2.x
    • The filesystem is what is being checked not the LUKS container. So, you would have to add that to the default options for ext4 (or whatever filesystem you are using) in /etc/default/openmediavault.
      omv 4.1.19 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.15
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • ryecoaaron wrote:

      The filesystem is what is being checked not the LUKS container. So, you would have to add that to the default options for ext4 (or whatever filesystem you are using) in /etc/default/openmediavault.
      I think you meant I should edit the concerned line in "/etc/openmediavault/config.xml" and not in "/etc/default/openmediavault" since I didn't find any useful setting in that file. Anyway it works with an edit in "/etc/openmediavault/config.xml". Thanks for pointing me in the right direction.
    • Nope, I meant /etc/default/openmediavault since you don't want to edit config.xml every time. You need to add the option if it isn't in the default file.

      OMV_FSTAB_MNTOPS_EXT4="defaults,nofail,user_xattr,noexec,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0"

      Unfortunately, that only is used for newly created filesystems. So, this is when you need to edit /etc/openmediavault/config.xml to edit existing filesystems. Then omv-mkconf fstab to create the fstab entry.
    • Okay, I see. I've had a look at "http://wiki.openmediavault.org/index.php?title=Environment_Variables/all" for the environment variables but your var isn't stated there. Is there any more complete list of the vars, that I'm missing?
      So if I only have one encrypted drive I'll be good with the manual config in the config.xml file for that single entry I think.
    • @ryecoaaron

      Hi again. I've been using your plugin built for OMV3 on 2 different servers for some time and I'm very happy, thanks again.

      I've noticed a minor problem with the Key Test function: when I supply a correct password to unlock one of the 8 key slots, the plugin returns the message:

      Successfully unlocked key slot null

      In case I'd want to delete a key slot, this way I do not know which is the key slot I have to delete and which to save.

      Could you please help?

      Thanks again.

      Marco
    • marcolino wrote:

      Could you please help?
      Fixed this and a couple other bugs and cleaned up some code. 3.0.1 in repo now.
    • trayntab wrote:

      when it's available in the stable repo?
      While I have it installed on my test VM, I don't use it for real data. So, unless people using it explicitly tell me that it is stable enough to put in the main repo, it stays in testing.
    • I'm having a different problem with the plugin I just installed. Once I click on Create, I can't select a volume to encrypt; it won't give me any options and I can't put the volume in by typing it manually. Does anyone know how to solve this issue? I'm on 3.0.69 (Erasmus) and already did a reinstall and several reboots but nothing is changing.
    • In case of theft I would like to secure my data so only the hardware is lost and they can't access my data (easily)
      Just want to make sure I am not doing something stupid:
      My hardware setup looks like this:
      HP Microserver Gen8 (16GB Ram)
      2x 256SSD (HW Raid 1)
      4x 3TB (HW Raid 5)
      ESXi (2VMs --> OpenMediaVault 2 & PlexMediaServer)
      Right now my OMV VM accesses the 8TB datastore (created using the HP raid utility) and provides several SMB shares for my plex server. To install and use the LUKS plugin, I have to wipe the datastore, create a new encrypted device, format it and copy my data back to it. Is this correct?
    • Following that thread, I assume that I have to dump my Raid 5 (or the EXT4-partition on it) in order to create an encrypted volume?

      Encrypting an existing seems not possible, right?

      How about external drives, which I use for backup?

      Can I plug them in, enter password in WebUI and then the automated rsync-job (USB Backup Plugin) starts?
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
    • Can someone explain how the key file option works ? The browse button looks for a local file on the client machine, but it doesn't seem to upload anything to OMV. Should it rather use an OMV path for a USB drive or a remote mount ?

      Also, is any work being done on the auto-unlock feature? Ideally, I would like it to auto-unlock all drives by using a file key located on a remote mount share.
    • riff-raff wrote:

      Key File is the restore key for your encrypted drive. You have to store it separately, e.g. USB Drive, Cloud, etc.
      Yes, but how is the input box supposed to work ? The Key File field is not editable and the Browse button opens a local fileselector on my PC and doesn't seem to upload anything to OMV. It just adds the path "C:\Fakepath\<filename>". How am I supposed to enter a path to a USB drive on OMV or a file in the cloud ?

    • riff-raff wrote:

      Encrypting an existing seems not possible, right?
      Correct. You have to create the luks device first and then put the filesystem on top of it.

      riff-raff wrote:


      How about external drives, which I use for backup?
      Can I plug them in, enter password in WebUI and then the automated rsync-job (USB Backup Plugin) starts?
      Doesn't really work for that scenario.

      Nibb31 wrote:

      Can someone explain how the key file option works ? The browse button looks for a local file on the client machine, but it doesn't seem to upload anything to OMV. Should it rather use an OMV path for a USB drive or a remote mount ?
      It does upload the file from the local machine. That is the only place the unlock file can exist. If it was on the OMV system, someone could unlock your luks devices if they stole or hacked the system.

      Nibb31 wrote:

      Also, is any work being done on the auto-unlock feature ?
      People are lucky that I ported it. That was a lot of work for something I don't use. Adding features is not on my todo list. Sorry. A script that mounts a network share and unlocks the luks devices shouldn't be too bad to create but would be difficult with the plugin.

      Nibb31 wrote:

      It just adds the path "C:\Fakepath\<filename>"
      It is still uploading from the path you specified.

      Nibb31 wrote:

      How am I supposed to enter a path to a USB drive on OMV or a file in the cloud ?
      From OMV? The key file would have to be shared via samba or something so your desktop could access it but I wouldn't store the key on the same box. Same thing with the cloud. Your desktop would have to be able to access the key as a local file.
    • ryecoaaron wrote:

      It does upload the file from the local machine. That is the only place the unlock file can exist. If it was on the OMV system, someone could unlock your luks devices if they stole or hacked the system.

      Nibb31 wrote:

      Also, is any work being done on the auto-unlock feature ?
      People are lucky that I ported it. That was a lot of work for something I don't use. Adding features is not on my todo list. Sorry.
      And the effort is definitely appreciated. Let me take the occasion to thank you for all the support and dev work that you do on OMV.

      The reason I thought it didn't upload was because clicking Add produces the following error:

      Error #0: exception 'OMV\Exception' with message 'Unable to add the key to the encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; echo -n '<password>' | cryptsetup luksAddKey -q '/dev/vde' --key-file=-'/tmp/phpSgDBHV' 2>&1' with exit code '1': Failed to open key file.' in /usr/share/openmediavault/engined/rpc/luks.inc:530 Stack trace: #0 [internal function]: OMVRpcServiceLuksMgmt->addContainerKey(Array, Array) #1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array) #2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('addContainerKey', Array, Array) #3 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('LuksMgmt', 'addContainerKey', Array, Array, 1) #4 {main}
      I'm trying to use the Add feature to add a key file to a drive that is encrypted with a pass phrase. Maybe that's not possible.
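
Added example, not part of the thread and not the plugin's code: in the command shown in the error above, `--key-file=-` and the quoted temporary path have no space between them, so the shell passes cryptsetup the single word `--key-file=-/tmp/phpSgDBHV`. The sketch below prints that word split and then issues `luksAddKey` with the existing passphrase on stdin and the new key file as a separate positional argument. The function names and the `CRYPTSETUP` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not plugin code. CRYPTSETUP may be pointed at a stub for a dry run.
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Print arguments the way the called program receives them: one word per line.
show_words() { printf '%s\n' "$@"; }

# Argument text copied from the error message. The adjacent quotes glue the
# temporary path onto "--key-file=-", so cryptsetup is told to open a key file
# named "-/tmp/phpSgDBHV" and never sees a new-key argument at all.
broken_words() { show_words luksAddKey -q '/dev/vde' --key-file=-'/tmp/phpSgDBHV'; }

# luks_add_keyfile DEVICE NEW_KEYFILE
# The existing passphrase is read from stdin (--key-file=-); the file holding
# the key to add is its own positional word after the device.
luks_add_keyfile() {
    dev=$1
    newkey=$2
    [ -n "$dev" ] && [ -n "$newkey" ] || {
        echo "usage: luks_add_keyfile DEVICE NEW_KEYFILE" >&2; return 2; }
    # Fail early with a clear message instead of cryptsetup's generic error.
    [ -r "$newkey" ] && [ -s "$newkey" ] || {
        echo "key file missing, unreadable or empty: $newkey" >&2; return 3; }
    "$CRYPTSETUP" isLuks "$dev" || {
        echo "not a LUKS device: $dev" >&2; return 4; }
    "$CRYPTSETUP" luksAddKey -q --key-file=- "$dev" "$newkey"
}

# Typical call (needs root and a real LUKS device). With --key-file=- reading
# does not stop at a newline, so send the passphrase without one:
#   printf '%s' "$existing_passphrase" | luks_add_keyfile /dev/vde /root/new.key
```

Calling the binary with separate words also keeps the key file path out of any quoting logic, which is where the concatenation in the logged command came from.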