LUKS disk encryption plugin

    • Official post

    I'm trying to use the Add feature to add a key file to a drive that is encrypted with a pass phrase. Maybe that's not possible.

    It is possible but that is a bug in the plugin. I was able to create a container with a key file then add a key slot using a passphrase. The current code doesn't like how we pass the passphrase to LUKS to add a key file. I guess the best thing to do for now is create containers with a key file and always use a key file to add/remove keys. You can add a passphrase if you need one.

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Is it possible to shrink my EXT4 partition on my raid, create the encrypted volume, copy data from non-encrypted to encrypted, delete the old one and grow the encrypted one afterwards? I'm thinking of Gparted.

    Chaos is found in greatest abundance wherever order is being sought.
    It always defeats order, because it is better organized.
    Terry Pratchett

    • Official post

    Is it possible to shrink my EXT4 partition on my raid, create the encrypted volume, copy data from non-encrypted to encrypted, delete the old one and grow the encrypted one afterwards?

    I don't think the plugin would let you select the physical device because there is a partition on it. Don't you have a backup of your raid array?


  • I have several backups in rotational organisation of all essential data, like documents, pictures, ebooks and so on.


    I digitalized my movies, which exceed my backup capabilities by far. So I could kick the Raid, restore the backup, but I would have to digitalize my movies again. I don't want to do that, it takes sooo much time.


    I'll try this shrink and edit in a VM today. If it works I'll give it a try on my raid.


    • Official post

    I'll try this shrink and edit in a VM today. If it works I'll give it a try on my raid.

    If you created the raid array with OMV, there is no partition to shrink. That will be a problem.


  • Okay, trial and error:


    There is a partition which I can shrink, but I can't create a volume on that allocated space with the LUKS plugin.


    Same for the OMV GUI: I can't create a new partition there.


    • Official post

    Create another partition (but don't format) with fdisk and maybe the luks plugin will be able to use it.


  • With Gparted, I can't create another primary partition, nor an extended partition.


    There are no "partitions" on the raid device, like you said before (there is no valid partition table).



    I guess I need to buy an 8 or 10 TB external. Well, good to have for future backups.


    Edited 2 times, last by riff-raff ()

  • I am using this plugin along with the plex media server plugin. Due to the fact that the volume is not decrypted automatically on startup, the plex media server crashes.
    Is there a way to stop the plex service until the volume is decrypted? Would be a nice-to-have feature for the plugin GUI :)
    Until then, is there a way to implement a script to realise this?

    • Official post

    Try apt-get -f install


  • Hi folks,
    Installed OMV 3.0.84 on a test system. Added the plugin and trying to create a new encrypted partition. I'm getting a failure, with the following details.


    Apparently the plugin issues a "partprobe" against the device on which LUKS layer is being created, assuming it's a full block device. This clearly fails when the target is a partition...
    Is there any way around it?


    Thanks!


    [EDIT]
    1. I just noticed that this thread has an "OMV 2.0" label on it, so perhaps my question is somewhat out of scope?
    2. I also noticed that trying to ADD a key which is a key file fails because cryptsetup can't open the file (/tmp/php****...). I did manage to ADD a passphrase key and then CHANGE it into a key file :)
    [/EDIT]


    Error #0:exception 'OMV\Exception' with message 'export LANG=C; partprobe '/dev/md127p3'' in /usr/share/openmediavault/engined/rpc/luks.inc:387
    Stack trace:
    #0 [internal function]: OMVRpcServiceLuksMgmt->createContainer(Array, Array)
    #1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
    #2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('createContainer', Array, Array)
    #3 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('LuksMgmt', 'createContainer', Array, Array, 1)
    #4 {main}

    • Official post

    Apparently the plugin issues a "partprobe" against the device on which LUKS layer is being created, assuming it's a full block device. This clearly fails when the target is a partition...
    Is there any way around it?

    You can always create the luks device manually. What type of "full block" device is it?


    I just noticed that this thread has an "OMV 2.0" label on it, so perhaps my question is somewhat out of scope?

    No. The plugin has been ported to OMV 3.x. The thread has just been around a long time.


    I also noticed that trying to ADD a key which is a key file fails because cryptsetup can't open the file (/tmp/php****...). I did manage to ADD a passphrase key and then CHANGE it into a key file

    There is a bug in the plugin where you can't add a key file if you used a passphrase to create it. If you use the key file first and then add a passphrase -or- all passphrases -or- all key files, it works fine. Not real high on my priority list to fix.


  • You can always create the luks device manually. What type of "full block" device is it?

    It's one partition off of a RAID 5 array. And yes, that is what I did (create it manually).



    There is a bug in the plugin where you can't add a key file if you used a passphrase to create it. If you use the key file first and then add a passphrase -or- all passphrases -or- all key files, it works fine. Not real high on my priority list to fix.

    That would definitely explain it :)


    BTW, I seem to recall that at some point we've discussed auto-open (unlock). E.g. specify a file path for a key file, which, if found, will auto-unlock and auto-mount the LUKS device. Is this on your list?


    Thanks!

    • Official post

    BTW, I seem to recall that at some point we've discussed auto-open (unlock). E.g. specify a file path for a key file, which, if found, will auto-unlock and auto-mount the LUKS device. Is this on your list?

    It was but after some testing, I couldn't find a reliable way to do it with the key file being stored anywhere other than the OS drive (pretty much pointless). Since most people would probably want the key on a USB stick, I dropped the plan.


  • It was but after some testing, I couldn't find a reliable way to do it with the key file being stored anywhere other than the OS drive (pretty much pointless). Since most people would probably want the key on a USB stick, I dropped the plan.


    Umm, understood. Two comments still:

    • To reliably work with an external storage device, wouldn't something like /dev/disk/by-uuid come handy?
    • Agree with your main point - if the only key file location you can deliver is the OS drive, the feature would not be very interesting. That being said, even placing the key on the OS disk, which may seem pointless, might have some merit for some attack scenarios. For example, if all one cares about is that when they get rid of a drive (e.g. they replace a faulty one), data does not get exposed.

    • Official post

    To reliably work with an external storage device, wouldn't something like /dev/disk/by-uuid come handy?

    You can't guarantee the external storage device would be mounted in time to get the unlock file.


    Agree with your main point - if the only key file location you can deliver is the OS drive, the feature would not be very interesting. That being said, even placing the key on the OS disk, which may seem pointless, might have some merit for some attack scenarios. For example, if all one cares about is that when they get rid of a drive (e.g. they replace a faulty one), data does not get exposed.

    It would be impossible to allow the plugin to specify a location that is only on the root drive.


  • You can't guarantee the external storage device would be mounted in time to get the unlock file.

    That depends on what you define as "in time". If the basic assumption is that we must mount early in the boot process, then indeed the key file won't be ready on time. However, if we instead assume that we "wait" for the file spec to become available, and once it is - we luksOpen and mount, this opens a new set of possibilities.


    We can then even automount the external filesystem with the key over some directory, and wait for the designated key file to "appear". Until it does, the encrypted file system is not available.


    Makes sense?

    • Official post

    Makes sense?

    Sounds great but how do you do that? The same system that mounts the filesystem with the key file in it (fstab) is going to try and mount the filesystem inside the LUKS container. This will fail since the container is not unlocked. You are supposed to be able to add disks containing key files in /etc/default/cryptdisks so they are mounted before the container is unlocked but I didn't have much luck with that.

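The "wait for the key file to appear, then luksOpen and mount" approach discussed in the last few posts, as an added example that is not part of the plugin or of anyone's post in this thread: a POSIX shell script that polls for a key file on a separately mounted device, refuses it unless it is readable by its owner only, and then opens and mounts the container. The key file path, device UUID placeholder, mapper name and mount point are all assumptions to be replaced.

```shell
#!/bin/sh
# Added example, not code from the LUKS plugin or this thread: wait for a key file on a
# removable device to "appear", check it, then unlock the container and mount it.
# Every path and name below is an assumption; adjust to the real system.
set -eu

KEYFILE="${KEYFILE:-/media/keystick/nas.key}"            # assumed: key file on the USB stick
DEV="${DEV:-/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID}"   # placeholder: the LUKS container
NAME="${NAME:-nas_crypt}"                                # assumed mapper name
MNT="${MNT:-/srv/dev-disk-by-label-nas}"                 # assumed mount point
TIMEOUT="${TIMEOUT:-600}"                                # seconds to wait for the key file

# keyfile_ok FILE: 0 if FILE is a non-empty regular file readable by its owner only
# (mode 0600 or 0400); a group- or world-readable key file is refused rather than used.
keyfile_ok() {
    f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# wait_for_keyfile FILE SECONDS: poll once a second until keyfile_ok succeeds.
# Returns 0 when the key file is usable, 1 on timeout (the volume then stays locked).
wait_for_keyfile() {
    f="$1"; left="$2"
    while [ "$left" -gt 0 ]; do
        if keyfile_ok "$f"; then return 0; fi
        sleep 1
        left=$((left - 1))
    done
    return 1
}

# unlock_and_mount: open the container with the key file, then mount the filesystem
# inside it. Both steps are idempotent so the script can be re-run safely. Needs root.
unlock_and_mount() {
    [ -e "/dev/mapper/$NAME" ] || cryptsetup open --key-file "$KEYFILE" "$DEV" "$NAME"
    mountpoint -q "$MNT" || mount "/dev/mapper/$NAME" "$MNT"
}

main() {
    if wait_for_keyfile "$KEYFILE" "$TIMEOUT"; then
        unlock_and_mount
    else
        echo "no usable key file at $KEYFILE after ${TIMEOUT}s; leaving $NAME locked" >&2
        exit 1
    fi
}
# Only run when invoked with RUN_MAIN=1 (e.g. from a systemd service), not when sourced.
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run from a oneshot systemd service that is started after local-fs.target, so that the fstab entry for the key stick has already been tried; a dependent service such as the media server can then be ordered after that unit (unit names are not given in this thread and would have to be checked on the system).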
