LUKS disk encryption plugin
-
- OMV 2.x
- igrnt
-
-
Looks like I will have to update the kernel then?
Yep. It needs to either be compiled in or as a module.
-
Should be included.
modprobe dm-crypt
Dash not underscore. Don’t know why this is. Module files are with dash, but when loaded, lsmod outputs with underscore.
-
-
Should be included.
modprobe dm-crypt
Dash not underscore. Don’t know why this is. Module files are with dash, but when loaded, lsmod outputs with underscore.
Based on the config output, it isn't compiled in or a module since it is not set. So, it still probably won't load.
-
Finally managed to get LUKS installed via Addons. It is now there as well as the "encryption" topic under datastores. Attached is a 3.64TiB-HDD which has exactly one ext4-partition of 1.41TiB. Drive shows up under "drives" and partition shows up under "filesystems". Remainder of the disk is not allocated at the moment. When using "encryption -> create -> choose drive" no drive is presented. The dropdown-list is empty. What am I doing wrong?
Kind regards and thx
-
We typically don't have multiple partitions on a drive. The idea is to create a LUKS device on the entire device. In your case, you might need to create another partition (but no format) and then it might show up.
-
-
We typically don't have multiple partitions on a drive. The idea is to create a LUKS device on the entire device. In your case, you might need to create another partition (but no format) and then it might show up.
Seems to be a more global issue: If going to "filesystems -> create", it also presents no drive. Creating a second non-formatted partition after the 1.41TiB-ext4 one with command line parted also did not solve the problem, no change.
Is there a chance to create the luks-partition "by hand" outside the web-GUI? I simply don't want to spend the whole drive for the NAS.
-
I simply don't want to spend the whole drive for the NAS.
What else are you using it for? OMV doesn't do well when you connect/disconnect drives...
Is there a chance to create the luks-partition "by hand" outside the web-GUI?
Yep, just like any other Debian/Ubuntu box. cryptsetup luksFormat /dev/sdXY (need to replace xy)
-
OK, I've erased the whole disk and converted it completely to the luks encryption plugin. I did all that completely with the web-GUI. But now the transfer speed from my PC to the RaspberryPi with the OMV-NAS drive slowed down from 5 MB/sec to 2.5 MB/sec. Is there any chance to accelerate? I agree that encryption costs performance, but 50 percent is a lot.
-
-
I am unsure about the use of encryption. What is the order with a Raid mirror?
1. create raid
2. wait for creation
3. create and save the key
4. create file system ext4
5. approvals
That should also work with omv3?
-
transfer speed from my PC to the RaspberryPi with the OMV-NAS drive slowed down from 5 MB/sec to 2.5 MB/sec
Insane. IIRC ayufan (maintainer of the great OMV image for ROCK64) has reported ~70MB/s NAS throughput with luks encryption active. Not on a toy (RPi) but on a SBC of the same size suitable for NAS use cases. Differences:
- sane power connector and not this unreliable Micro USB crap on Raspberries
- real Gigabit Ethernet (and not USB like on Raspberries having even to share bandwidth with all USB receptacles)
- two real USB2 ports and one real USB3 port (and not just one USB2 port with an internal USB hub where even the slow 'Fast Ethernet' port is behind)
- 64-bit ARMv8 SoC just like the one on RPi 3 but not crippled and able to make use of ARMv8 AES crypto extensions
LUKS on ARM works flawlessly if you check the basic requirements first (rule of thumb: avoid Raspberry Pi for anything network/NAS/storage related)
-
Are there any known passphrase requirements when using LUKS encryption through the GUI, such as disallowed special characters? I ask because today I added a new encrypted partition using the plugin, and attempted to add another key using randomly generated passphrases that included all ASCII printable characters as possibilities.
They didn't seem to work, as I kept getting the following error message:
Unable to add the key to the encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /bin/bash -c 'echo -n 'Password1' | cryptsetup luksAddKey -q '/dev/sdb2' --key-file=- <(echo -n 'A&8V#feFBhSbOsSduxDmVc)Y)oZcfoOQ')' 2>&1' with exit code '2':
After testing different combinations, it appears that any use of either parenthesis sign () causes this error. A new passphrase without the parenthesis is working, but I wanted to check to ensure there are not other requirements that I am unaware of that could cause future access issues. Thanks
EDIT: Also just found that a passphrase with the ampersand & would not enter in the GUI to add a key. That's not a problem, as long as I'm not able to add a key that would later not work to unlock.
However, I also found that the following passphrase was allowed to be added as a key through the GUI but will not unlock the partition: 4cSJD?O8%4nl$7dM3555mqTg$HH5vmbB, and yielded the following error when trying to unlock:
Error #0:
exception 'OMV\Exception' in /usr/share/openmediavault/engined/rpc/luks.inc:239
Stack trace:
#0 [internal function]: OMVRpcServiceLuksMgmt->openContainer(Array, Array)
#1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
#2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('openContainer', Array, Array)
#3 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('LuksMgmt', 'openContainer', Array, Array, 1)
#4 {main}
This is more a concern as being able to add a password that may not be parsed correctly when recorded for a key would be an issue. There may be another issue here I'm not seeing, but I'm copying and pasting the password each time so I know that's at least correct.
I'm going to use only numbers and letters from now on in passphrases, which is not a big deal, but would like to know the specific requirements if someone knows.
-
-
While the password is escaped for the shell, it is not enclosed in single quotes. I will look at changing this. Until then avoid characters that are interpreted by the bash shell like parentheses, ampersand, and dollar symbols.
-
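Why the two passphrases reported above misbehave, as an added example that is not the plugin's code: the single quotes around the passphrase close the outer `bash -c '...'` quotes seen in the error message, so the shell parses the passphrase as syntax. `cat` stands in for cryptsetup, and the function names are hypothetical.

```shell
# Added example, not the plugin's code. `cat` stands in for cryptsetup so the
# bytes that would reach it can be inspected. Assumption: the command string
# is parsed by the shell exactly as the error message in the thread shows it.

# Nested quoting as in the error message: the quotes around the passphrase
# terminate the outer bash -c '...' quotes, leaving the passphrase unquoted.
received_nested() {
    cmd="bash -c 'echo -n '$1' | cat' 2>&1"
    bash -c "$cmd" 2>/dev/null   # stands in for PHP handing the string to a shell
}

# Constant command text; the passphrase travels only as data on stdin,
# which is the channel `cryptsetup --key-file=-` reads from.
received_stdin() {
    printf '%s' "$1" | bash -c 'cat'
}

# Report what happens to a passphrase on a given path:
#   rejected = shell refused the command, altered = different bytes arrived.
classify() {
    if out=$("$1" "$2"); then
        if [ "$out" = "$2" ]; then echo intact; else echo altered; fi
    else
        echo rejected
    fi
}

# The two passphrases quoted in the thread.
PAREN='A&8V#feFBhSbOsSduxDmVc)Y)oZcfoOQ'
DOLLAR='4cSJD?O8%4nl$7dM3555mqTg$HH5vmbB'

for p in "$PAREN" "$DOLLAR"; do
    printf '%s  nested=%s  stdin=%s\n' "$p" \
        "$(classify received_nested "$p")" "$(classify received_stdin "$p")"
done
```

With the nested form the parenthesis passphrase is a syntax error, while the dollar passphrase is silently shortened because `$7` and `$HH5vmbB` expand to nothing.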
-
Wipe the drive in the physical disks tab that you want to use with LUKS.
-
-
Thanks for your response, I'll test this when I have made a backup ...
-
I have tested, it's OK
For information automount on crontab with passphrase
echo "$pass" | sudo cryptsetup luksOpen /dev/sdXX sdXX -d -
mount/umount for rsync or other ...
sudo mount -o rw,nosuid,nodev /dev/mapper/cryptdisk /media/cryptdisk
sudo umount /media/cryptdisk
-
For information automount on crontab with passphrase
echo "$pass" | sudo cryptsetup luksOpen /dev/sdXX sdXX -d -
That defeats the purpose of encrypted devices...unless the system partition is also encrypted and unlocked on boot manually?
-
-
Exactly, but you can store the passphrase in Google Drive or another server
-
That defeats the purpose of encrypted devices...unless the system partition is also encrypted and unlocked on boot manually?
Not quite. If someone stole the entire system, it wouldn't help. But if a drive was stolen or had to be returned for warranty reasons, it does the job.