LUKS disk encryption plugin

  • Looks like I will have to update the kernel then?


    Code
    root@#####:~# modprobe dm_crypt
    modprobe: FATAL: Module dm_crypt not found.
    root@#####:~# grep -i dm_crypt /boot/*
    grep: /boot/System Volume Information: Is a directory
    /boot/config-4.11.2-h5:# CONFIG_DM_CRYPT is not set
    root@#####:~#
    • Official post

    Looks like I will have to update the kernel then?

    Yep. It needs to either be compiled in or as a module.

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official post

    Should be included.


    modprobe dm-crypt


    Dash not underscore. Don't know why this is. Module files are with dash, but when loaded, lsmod outputs with underscore.

    Based on the config output, it isn't compiled in or a module since it is not set. So, it still probably won't load.

  • Finally managed to get LUKS installed via Addons. It is now there as well as the "encryption" topic under datastores. Attached is a 3.64TiB-HDD which has exactly one ext4-partition of 1.41TiB. Drive shows up under "drives" and partition shows up under "filesystems". Remainder of the disk is not allocated at the moment. When using "encryption -> create -> choose drive" no drive is presented. The dropdown-list is empty. What am I doing wrong?


    Kind regards and thx

    • Official post

    We typically don't have multiple partitions on a drive. The idea is to create a LUKS device on the entire device. In your case, you might need to create another partition (but no format) and then it might show up.

  • We typically don't have multiple partitions on a drive. The idea is to create a LUKS device on the entire device. In your case, you might need to create another partition (but no format) and then it might show up.

    Seems to be a more global issue: If going to "filesystems -> create", it also presents no drive. Creating a second non-formatted partition after the 1.41TiB-ext4 one with command line parted also did not solve the problem, no change.
    Is there a chance to create the luks-partition "by hand" outside the web-GUI ? I simply don't want to spend the whole drive for the NAS.

    • Official post

    I simply don't want to spend the whole drive for the NAS.

    What else are you using it for? OMV doesn't do well when you connect/disconnect drives...


    Is there a chance to create the luks-partition "by hand" outside the web-GUI ?

    Yep, just like any other Debian/Ubuntu box. cryptsetup luksFormat /dev/sdXY (need to replace xy)

  • OK, I've erased the whole disk and converted it completely to the luks encryption plugin. I did all that completely with the web-GUI. But now the transfer speed from my PC to the RaspberryPi with the OMV-NAS drive slowed down from 5 MB/sec to 2.5 MB/sec. Is there any chance to accelerate? I agree that encryption costs performance, but 50 percent is a lot.

  • transfer speed from my PC to the RaspberryPi with the OMV-NAS drive slowed down from 5 MB/sec to 2.5 MB/sec

    Insane. IIRC ayufan (maintainer of the great OMV image for ROCK64) has reported ~70MB/s NAS throughput with luks encryption active. Not on a toy (RPi) but on a SBC of the same size suitable for NAS use cases. Differences:

    • sane power connector and not this unreliable Micro USB crap on Raspberries
    • real Gigabit Ethernet (and not USB like on Raspberries having even to share bandwidth with all USB receptacles)
    • two real USB2 ports and one real USB3 port (and not just one USB2 port with an internal USB hub where even the slow 'Fast Ethernet' port is behind)
    • 64-bit ARMv8 SoC just like the one on RPi 3 but not crippled and able to make use of ARMv8 AES crypto extensions

    LUKS on ARM works flawlessly if you check the basic requirements first (rule of thumb: avoid Raspberry Pi for anything network/NAS/storage related)

  • Are there any known passphrase requirements when using LUKS encryption through the GUI, such as disallowed special characters? I ask because today I added a new encrypted partition using the plugin, and attempted to add another key using randomly generated passphrases that included all ASCII printable characters as possibilities.


    They didn't seem to work, as I kept getting the following error message:
    Unable to add the key to the encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /bin/bash -c 'echo -n 'Password1' | cryptsetup luksAddKey -q '/dev/sdb2' --key-file=- <(echo -n 'A&8V#feFBhSbOsSduxDmVc)Y)oZcfoOQ')' 2>&1' with exit code '2':


    After testing different combinations, it appears that any use of either parenthesis sign () causes this error. A new passphrase without the parenthesis is working, but I wanted to check to ensure there are not other requirements that I am unaware of that could cause future access issues. Thanks


    EDIT: Also just found that a passphrase with the ampersand & would not enter in the GUI to add a key. That's not a problem, as long as I'm not able to add a key that would later not work to unlock.
    However, I also found that the following passphrase was allowed to be added as a key through the GUI but will not unlock the partition: 4cSJD?O8%4nl$7dM3555mqTg$HH5vmbB, and yielded the following error when trying to unlock:
    Error #0:
    exception 'OMV\Exception' in /usr/share/openmediavault/engined/rpc/luks.inc:239
    Stack trace:
    #0 [internal function]: OMVRpcServiceLuksMgmt->openContainer(Array, Array)
    #1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
    #2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('openContainer', Array, Array)
    #3 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('LuksMgmt', 'openContainer', Array, Array, 1)
    #4 {main}


    This is more a concern as being able to add a password that may not be parsed correctly when recorded for a key would be an issue. There may be another issue here I'm not seeing, but I'm copying and pasting the password each time so I know that's at least correct.


    I'm going to use only numbers and letters from now on in passphrase which is not a big deal, but would like to know the specific requirements if someone knows

    • Official post

    While the password is escaped for the shell, it is not enclosed in single quotes. I will look at changing this. Until then avoid characters that are interpreted by the bash shell like parentheses, ampersand, and dollar symbols.

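The quoting failure discussed in the passphrase report and the reply above, as an added example that is not part of the original thread and not the plugin's code. `cat` stands in for cryptsetup reading a key on stdin, and the function names and passphrases are constructed for illustration.

```shell
#!/bin/sh
# Added example. `cat` stands in for cryptsetup reading a key from stdin, so
# each function prints the exact bytes the tool would receive as the key.
# All passphrases below are constructed test values.

# 1) Unsafe: same shape as the failing command on the page. The passphrase is
#    pasted between single quotes inside an already single-quoted -c argument,
#    so the inner quotes close the outer ones and the secret is parsed as code.
unsafe_key() {
    sh -c "sh -c 'printf %s '$1' | cat'"
}

# POSIX single-quote escaping: wrap in '...' and turn every ' into '\''.
quote_sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# 2) Quoted: works, but needs one round of escaping per shell layer.
quoted_key() {
    inner="printf %s $(quote_sq "$1") | cat"
    sh -c "sh -c $(quote_sq "$inner")"
}

# 3) Preferred: the secret is only ever data on stdin; no shell parses it.
stdin_key() {
    printf '%s' "$1" | cat
}

# Report whether a passphrase survives a given method unchanged.
survives() {  # usage: survives METHOD PASSPHRASE
    got=$("$1" "$2" 2>/dev/null) || return 1
    [ "$got" = "$2" ]
}

for p in 'Password1' 'paren)Y)s' 'dollar$7x$HHy' "quote'z"; do
    for m in unsafe_key quoted_key stdin_key; do
        if survives "$m" "$p"; then r=intact; else r=ALTERED; fi
        printf '%-11s %-16s %s\n' "$m" "$p" "$r"
    done
done
```

In this stand-in the parenthesis case fails loudly with a syntax error, while the dollar case exits successfully but delivers a shortened key, which is the harder failure to notice.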

    • Official post

    Wipe the drive in the physical disks tab that you want to use with LUKS.

  • I have tested, it's OK


    For information automount on crontab with passphrase
    echo "$pass" | sudo cryptsetup luksOpen /dev/sdXX sdXX -d -


    mount/umount for rsync or other ...
    sudo mount -o rw,nosuid,nodev /dev/mapper/cryptdisk /media/cryptdisk
    sudo umount /media/cryptdisk

    • Official post

    That defeats the purpose of encrypted devices...unless the system partition is also encrypted and unlocked on boot manually?

    Not quite. If someone stole the entire system, it wouldn't help. But if a drive was stolen or had to be returned for warranty reasons, it does the job.
