LUKS disk encryption plugin

    • OMV 2.x

    • bestycame wrote:

      Looks like I will have to update the kernel then?
      Yep. It needs to either be compiled in or as a module.
      omv 4.1.13 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.13
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • subzero79 wrote:

      Should be included.

      modprobe dm-crypt

      Dash not underscore. Don’t know why this is. Module files are with dash, but when loaded, lsmod outputs with underscore.
      Based on the config output, it isn't compiled in or a module since it is not set. So, it still probably won't load.
    • Finally managed to get LUKS installed via Addons. It is now there as well as the "encryption" topic under datastores. Attached is a 3.64TiB-HDD which has exactly one ext4-partition of 1.41TiB. Drive shows up under "drives" and partition shows up under "filesystems". Remainder of the disk is not allocated at the moment. When using "encryption -> create -> choose drive" no drive is presented. The dropdown-list is empty. What am I doing wrong?

      Kind regards and thx
    • We typically don't have multiple partitions on a drive. The idea is to create a LUKS device on the entire device. In your case, you might need to create another partition (but no format) and then it might show up.
    • ryecoaaron wrote:

      We typically don't have multiple partitions on a drive. The idea is to create a LUKS device on the entire device. In your case, you might need to create another partition (but no format) and then it might show up.
      Seems to be a more global issue: If going to "filesystems -> create", it also presents no drive. Creating a second non-formatted partition after the 1.41TiB-ext4 one with command line parted also did not solve the problem, no change.
      Is there a chance to create the luks-partition "by hand" outside the web-GUI ? I simply don't want to spend the whole drive for the NAS.
    • fmomv wrote:

      I simply don't want to spend the whole drive for the NAS.
      What else are you using it for? OMV doesn't do well when you connect/disconnect drives...

      fmomv wrote:

      Is there a chance to create the luks-partition "by hand" outside the web-GUI ?
      Yep, just like any other Debian/Ubuntu box. cryptsetup luksFormat /dev/sdXY (need to replace xy)
    • OK, I've erased the whole disk and converted it completely to the luks encryption plugin. I did all that completely with the web-GUI. But now the transfer speed from my PC to the RaspberryPi with the OMV-NAS drive slowed down from 5 MB/sec to 2.5 MB/sec. Is there any chance to accelerate? I agree that encryption costs performance, but 50 percent is a lot.

    • fmomv wrote:

      transfer speed from my PC to the RaspberryPi with the OMV-NAS drive slowed down from 5 MB/sec to 2.5 MB/sec
      Insane. IIRC ayufan (maintainer of the great OMV image for ROCK64) has reported ~70MB/s NAS throughput with luks encryption active. Not on a toy (RPi) but on a SBC of the same size suitable for NAS use cases. Differences:
      • sane power connector and not this unreliable Micro USB crap on Raspberries
      • real Gigabit Ethernet (and not USB like on Raspberries having even to share bandwidth with all USB receptacles)
      • two real USB2 ports and one real USB3 port (and not just one USB2 port with an internal USB hub where even the slow 'Fast Ethernet' port is behind)
      • 64-bit ARMv8 SoC just like the one on RPi 3 but not crippled and able to make use of ARMv8 AES crypto extensions
      LUKS on ARM works flawlessly if you check the basic requirements first (rule of thumb: avoid Raspberry Pi for anything network/NAS/storage related)
    • Are there any known passphrase requirements when using LUKS encryption through the GUI, such as disallowed special characters? I ask because today I added a new encrypted partition using the plugin, and attempted to add another key using randomly generated passphrases that included all ASCII printable characters as possibilities.

      They didn't seem to work, as I kept getting the following error message:
      Unable to add the key to the encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /bin/bash -c 'echo -n 'Password1' | cryptsetup luksAddKey -q '/dev/sdb2' --key-file=- <(echo -n 'A&8V#feFBhSbOsSduxDmVc)Y)oZcfoOQ')' 2>&1' with exit code '2':

      After testing different combinations, it appears that any use of either parenthesis sign () causes this error. A new passphrase without the parentheses is working, but I wanted to check to ensure there are not other requirements that I am unaware of that could cause future access issues. Thanks

      EDIT: Also just found that a passphrase with the ampersand & would not enter in the GUI to add a key. That's not a problem, as long as I'm not able to add a key that would later not work to unlock.
      However, I also found that the following passphrase was allowed to be added as a key through the GUI but will not unlock the partition: 4cSJD?O8%4nl$7dM3555mqTg$HH5vmbB, and yielded the following error when trying to unlock:
      Error #0:
      exception 'OMV\Exception' in /usr/share/openmediavault/engined/rpc/luks.inc:239
      Stack trace:
      #0 [internal function]: OMVRpcServiceLuksMgmt->openContainer(Array, Array)
      #1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
      #2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('openContainer', Array, Array)
      #3 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('LuksMgmt', 'openContainer', Array, Array, 1)
      #4 {main}

      This is more a concern as being able to add a password that may not be parsed correctly when recorded for a key would be an issue. There may be another issue here I'm not seeing, but I'm copying and pasting the password each time so I know that's at least correct.

      I'm going to use only numbers and letters from now on in passphrases, which is not a big deal, but would like to know the specific requirements if someone knows.

    • While the password is escaped for the shell, it is not enclosed in single quotes. I will look at changing this. Until then avoid characters that are interpreted by the bash shell like parentheses, ampersand, and dollar symbols.
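The quoting failure behind the error message above, reproduced as an added example (not the plugin's code): `cat` stands in for cryptsetup reading a key from stdin, and the function names `sq_quote`, `run_naive`, `run_quoted` and `run_stdin` are made up for illustration. It also shows two ways to get a passphrase through nested shells unchanged.

```sh
#!/bin/sh
# Constructed inputs: the two passphrases quoted in the post above.
P1='A&8V#feFBhSbOsSduxDmVc)Y)oZcfoOQ'
P2='4cSJD?O8%4nl$7dM3555mqTg$HH5vmbB'

# POSIX quoting: wrap the value in '...' and turn each embedded ' into '\''.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# `cat` is a stand-in for a command that reads a key from stdin; it returns
# the bytes the consumer would have received. No block device is touched.

# Shape of the failing command: '...' around the value inside an outer '...'.
# The inner quotes end the outer ones, so the shell parses the passphrase.
run_naive() {
    sh -c "sh -c 'printf %s '$1' | cat'" 2>/dev/null
}

# Option 1: quote once per shell layer; each parser strips exactly one layer.
run_quoted() {
    _inner="printf %s $(sq_quote "$1") | cat"
    sh -c "sh -c $(sq_quote "$_inner")"
}

# Option 2: keep the secret out of the command string and send it on stdin.
run_stdin() {
    printf '%s' "$1" | sh -c "sh -c 'cat'"
}

# P1 does not survive the naive form (shell syntax error); P2 arrives with
# $7 and $HH5vmbB expanded to nothing. Both options return the input intact.
for p in "$P1" "$P2"; do
    printf 'naive : [%s]\nquoted: [%s]\nstdin : [%s]\n' \
        "$(run_naive "$p")" "$(run_quoted "$p")" "$(run_stdin "$p")"
done
```

Passing the secret on stdin also keeps it out of the command string that ends up in error messages like the one quoted above.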
    • Hello

      I have a problem with the LUKS encryption plugin.
      I use OMV 3.

      I have installed the plugin correctly.

      I can't create any encrypted device, could you help me?
    • Wipe the drive in the physical disks tab that you want to use with LUKS.
    • snow3461 wrote:

      That defeats the purpose of encrypted devices...unless the system partition is also encrypted and unlocked on boot manually?
      Not quite. If someone stole the entire system, it wouldn't help. But if a drive was stolen or had to be returned for warranty reasons, it does the job.