LUKS disk encryption plugin

    • OMV 2.x
    • Nibb31 wrote:

      I'm trying to use the Add feature to add a key file to a drive that is encrypted with a pass phrase. Maybe that's not possible.
      It is possible but that is a bug in the plugin. I was able to create a container with a key file then add a key slot using a passphrase. The current code doesn't like how we pass the passphrase to LUKS to add a key file. I guess the best thing to do for now is create containers with a key file and always use a key file to add/remove keys. You can add a passphrase if you need one.
      omv 4.1.19 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.15
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
• Is it possible to shrink my EXT4-partition on my raid, create the encrypted volume, copy data from non-encrypted to encrypted and delete old and grow the encrypted afterwards? I'm thinking of Gparted.
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
    • riff-raff wrote:

      Is it possible to shrink my EXT4-partition on my raid, create the encrypted volume, copy data from non-encrypted to encrypted and delete old and grow the encrypted afterwards?
      I don't think the plugin would let you select the physical device because there is a partition on it. Don't you have a backup of your raid array?
    • I have several backups in rotational organisation of all essential data, like documents, pictures, ebooks and so on.

I digitalized my movies, which exceed my backup capabilities by far. So I could kick the Raid, restore the backup, but I would have to digitalize my movies again. I don't want to do that, it takes sooo much time.

      I'll try this shrink and edit in a VM today. If it works I'll give it a try on my raid.
    • riff-raff wrote:

      I'll try this shrink and edit in a VM today. If it works I'll give it a try on my raid.
      If you created the raid array with OMV, there is no partition to shrink. That will be a problem.
    • Create another partition (but don't format) with fdisk and maybe the luks plugin will be able to use it.
• With Gparted, I can't create another primary partition, nor an extended partition.

There are no "partitions" on the raid device, like you said before (there is no valid partition table).


I guess I need to buy an 8 or 10 TB external. Well, good to have for future backups.

• I am using this plugin along with the plex media server plugin. Due to the fact that the volume is not decrypted automatically on startup, the plex media server crashes.
Is there a way to stop the plex service until the volume is decrypted? That would be a nice-to-have feature for the plugin GUI :)
Until then, is there a way to implement a script to realise this?
    • Hi
      I want to install this plugin in my openmediavault 3.0.63
      in the plug-in there is:

I click to install and in the log window I see **** Error ****

and afterwards my openmediavault doesn't work.
    • Hi folks,
      Installed OMV 3.0.84 on a test system. Added the plugin and trying to create a new encrypted partition. I'm getting a failure, with the following details.

      Apparently the plugin issues a "partprobe" against the device on which LUKS layer is being created, assuming it's a full block device. This clearly fails when the target is a partition...
      Is there any way around it?

      Thanks!

      [EDIT]
      1. I just noticed that this thread has an "OMV 2.0" label on it, so perhaps my question is somewhat out of scope?
      2. I also noticed that trying to ADD a key which is a key file, fails cuz cryptsetup can't open the file (/tmp/php****...). I did manage to ADD a passphrase key and then CHANGE it into a key file :)
      [/EDIT]

      Error #0:exception 'OMV\Exception' with message 'export LANG=C; partprobe '/dev/md127p3'' in /usr/share/openmediavault/engined/rpc/luks.inc:387
      Stack trace:
      #0 [internal function]: OMVRpcServiceLuksMgmt->createContainer(Array, Array)
      #1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
      #2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('createContainer', Array, Array)
      #3 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('LuksMgmt', 'createContainer', Array, Array, 1)
      #4 {main}


    • doron wrote:

      Apparently the plugin issues a "partprobe" against the device on which LUKS layer is being created, assuming it's a full block device. This clearly fails when the target is a partition...
      Is there any way around it?
      You can always create the luks device manually. What type of "full block" device is it?

      doron wrote:

      I just noticed that this thread has an "OMV 2.0" label on it, so perhaps my question is somewhat out of scope?
      No. The plugin has been ported to OMV 3.x. The thread has just been around a long time.

      doron wrote:

      I also noticed that trying to ADD a key which is a key file, fails cuz cryptsetup can't open the file (/tmp/php****...). I did manage to ADD a passphrase key and then CHANGE it into a key file
      There is a bug in the plugin where you can't add a key file if you used a passphrase to create it. If you use the key file first and then add a passphrase -or- all passphrases -or- all key files, it works fine. Not real high on my priority list to fix.
    • ryecoaaron wrote:

      You can always create the luks device manually. What type of "full block" device is it?
      It's one partition off of a RAID 5 array. And yes, that is what I did (create it manually).


      ryecoaaron wrote:

      There is a bug in the plugin where you can't add a key file if you used a passphrase to create it. If you use the key file first and then add a passphrase -or- all passphrases -or- all key files, it works fine. Not real high on my priority list to fix.
      That would definitely explain it :)

      BTW, I seem to recall that at some point we've discussed auto-open (unlock). E.g. specify a file path for a key file, which, if found, will auto-unlock and auto-mount the LUKS device. Is this on your list?

      Thanks!
    • doron wrote:

      BTW, I seem to recall that at some point we've discussed auto-open (unlock). E.g. specify a file path for a key file, which, if found, will auto-unlock and auto-mount the LUKS device. Is this on your list?
      It was but after some testing, I couldn't find a reliable way to do it with the key file being stored anywhere other than the OS drive (pretty much pointless). Since most people would probably want the key on a USB stick, I dropped the plan.
    • ryecoaaron wrote:

      doron wrote:

      BTW, I seem to recall that at some point we've discussed auto-open (unlock). E.g. specify a file path for a key file, which, if found, will auto-unlock and auto-mount the LUKS device. Is this on your list?
      It was but after some testing, I couldn't find a reliable way to do it with the key file being stored anywhere other than the OS drive (pretty much pointless). Since most people would probably want the key on a USB stick, I dropped the plan.

      Umm, understood. Two comments still:
      1. To reliably work with an external storage device, wouldn't something like /dev/disk/by-uuid come handy?
2. Agree with your main point - if the only key file location you can deliver is the OS drive, the feature would not be very interesting. That being said, even placing the key on the OS disk, which may seem pointless, might have some merit for some attack scenarios. For example, if all one cares about is that when they get rid of a drive (e.g. they replace a faulty one), data does not get exposed.
    • doron wrote:

      To reliably work with an external storage device, wouldn't something like /dev/disk/by-uuid come handy?
      You can't guarantee the external storage device would be mounted in time to get the unlock file.

      doron wrote:

Agree with your main point - if the only key file location you can deliver is the OS drive, the feature would not be very interesting. That being said, even placing the key on the OS disk, which may seem pointless, might have some merit for some attack scenarios. For example, if all one cares about is that when they get rid of a drive (e.g. they replace a faulty one), data does not get exposed.
It would be impossible to allow the plugin to specify a location that is only on the root drive.
    • ryecoaaron wrote:

      doron wrote:

      To reliably work with an external storage device, wouldn't something like /dev/disk/by-uuid come handy?
      You can't guarantee the external storage device would be mounted in time to get the unlock file.
      That depends on what you define as "in time". If the basic assumption is that we must mount early in the boot process, then indeed the key file won't be ready on time. However, if we instead assume that we "wait" for the file spec to become available, and once it is - we luksOpen and mount, this opens a new set of possibilities.

We can then even automount the external filesystem with the key over some directory, and wait for the designated key file to "appear". Until it does, the encrypted file system is not available.

      Makes sense?
    • doron wrote:

      Makes sense?
      Sounds great but how do you do that? The same system that mounts the filesystem with the key file in it (fstab) is going to try and mount the filesystem inside the LUKS container. This will fail since the container is not unlocked. You are supposed to be able to add disks containing key files in /etc/default/cryptdisks so they are mounted before the container is unlocked but I didn't have much luck with that.
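The "wait for the key file to appear, then unlock and mount" flow doron sketches above, written out as an added example (not plugin code and not from either poster). It assumes the key sits on a USB stick addressed through /dev/disk/by-uuid, that the inner filesystem is listed in /etc/fstab with "noauto" (so boot does not hit the clash ryecoaaron describes), and the placeholder UUID, paths and mapper name below.

```shell
#!/bin/sh
# Added example (not plugin code): wait for a key file on a USB stick addressed
# by UUID, then unlock the LUKS container and mount the filesystem inside it.
# All names below are assumptions; the inner filesystem is assumed to be listed
# in /etc/fstab with "noauto" so boot does not try to mount it while locked.
KEY_DEV="/dev/disk/by-uuid/${KEY_DEV_UUID:-0000-0000}"  # placeholder stick UUID
KEY_MNT="${KEY_MNT:-/mnt/luks-key}"                     # where the stick is mounted
KEY_PATH="${KEY_PATH:-$KEY_MNT/luks.key}"                # key file on the stick
LUKS_DEV="${LUKS_DEV:-/dev/md127p3}"                     # container device named in the thread
MAPPER="${MAPPER:-data}"                                 # becomes /dev/mapper/data
MOUNTPOINT="${MOUNTPOINT:-/srv/data}"

# wait_for_path PATH TIMEOUT_SECONDS [INTERVAL_SECONDS]
# Polls until PATH exists; returns 0 when it does, 1 when TIMEOUT elapses.
wait_for_path() {
    path=$1; timeout=$2; interval=${3:-1}; elapsed=0
    while [ ! -e "$path" ]; do
        [ "$elapsed" -lt "$timeout" ] || return 1
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 0
}

# unlock_and_mount: the "wait for the key to appear" flow from the thread.
# Every step is idempotent, so the script can be re-run from a timer or udev rule.
unlock_and_mount() {
    # 1. Wait (up to 5 min) for the stick's device node, then mount it read-only.
    wait_for_path "$KEY_DEV" 300 5 || { echo "key device not found" >&2; return 1; }
    mkdir -p "$KEY_MNT"
    mountpoint -q "$KEY_MNT" || mount -o ro "$KEY_DEV" "$KEY_MNT" || return 1
    # 2. The node appearing does not mean the key is there; check the file itself.
    wait_for_path "$KEY_PATH" 30 1 || { echo "no key file at $KEY_PATH" >&2; return 1; }
    # 3. Unlock only if the mapping does not already exist.
    [ -e "/dev/mapper/$MAPPER" ] || cryptsetup open --key-file "$KEY_PATH" "$LUKS_DEV" "$MAPPER" || return 1
    # 4. Mount the filesystem inside the container, then release the stick.
    mkdir -p "$MOUNTPOINT"
    mountpoint -q "$MOUNTPOINT" || mount "/dev/mapper/$MAPPER" "$MOUNTPOINT" || return 1
    umount "$KEY_MNT"
}

# Only act when explicitly asked, so sourcing the file for testing is harmless.
if [ "${LUKS_AUTOUNLOCK:-}" = "1" ]; then
    unlock_and_mount
fi
```

Run it as root with `LUKS_AUTOUNLOCK=1 KEY_DEV_UUID=<your stick's UUID> sh unlock.sh`; until the key file shows up the container stays locked and the script just returns 1.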