LUKS disk encryption plugin

    • OMV 2.x


    • I guess you could describe aufs as an overlay type thing, but I am not very fluent in any of this stuff, so there may be a better choice.

      And yes, I agree that 'mount -a' would have the unintended side effects you describe.

      Also, I find that I must manually umount that aufs mount point before the disk can be locked. This is because I added all those aufs mount points into /etc/fstab by hand. I am not sure if OMV could have been used to do that. They are below from my fstab, maybe someone can elaborate on how OMV might be able to create them - but I suspect the Union Filesystems plugin lacks that kind of granularity for my use case. /home/sftp is a chroot folder.

      # >>> [sftp]
      none /home/sftp/outgoing/movies aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/movies 0 0
      none /home/sftp/outgoing/music aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/music 0 0
      none /home/sftp/outgoing/tv-series aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/tv-series 0 0
      none /home/sftp/outgoing/test aufs br:/media/2d02dbfc-9995-4ddd-934a-22265ac7f919/multimedia-content-d3/movies 0 0
      # <<< [sftp]
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380


    • I'll have to load up the aufs plugin in my Dev OMV and test it out, however two points come to mind:

      1) yes, the plugin prevents you from locking disks that are in use, e.g. have mounted filesystems. Even if you could press that button for a mounted device though, it wouldn't work as the system/kernel itself would complain that the encrypted device was in use. So, yes, you have to unmount filesystems before you can lock (and in turn, OMV may make you remove shared folders etc, before you can unmount).

      2) I don't think you need aufs for your use case. You don't appear to be making a union of multiple filesystems, it looks like you're just doing an additional mount of the fs inside the chroot so that ftp users can access it. You don't need aufs for this, you may be able to do it with symlinks (tho they might not work in the chroot), or a bind mount, or maybe even just another normal mount.
    • Well, I didn't show all of the aufs mountpoints. I need to mount multiple folders on multiple drives to a single mountpoint. Here is the full one I should have posted, all on one line, but split here:

      none /home/sftp/outgoing/movies aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/movies:/media/a6e6252d-5a8f-4e9b-88b3-46bef35b01a0/multimedia-content-d2/movies 0 0

      The above mounts two folders on two separate drives to a single folder. This will grow over time as I add drives.
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380
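Added example, not part of the thread or of the plugin: since hand-written aufs entries like the ones above keep the encrypted filesystem busy and must be unmounted before the disk can be locked, this sketch lists which aufs mount points in an fstab have a branch under a given mount point. The function names, the `=rw` branch suffix, and the `/dev/mapper/sdd-crypt` device name are assumptions made for the illustration; the sample fstab is constructed from the entries posted here.

```shell
#!/bin/sh
# aufs_dependents FSTAB MOUNTPOINT
# Print every aufs mount point in FSTAB that has a branch at or below
# MOUNTPOINT. These must be unmounted before MOUNTPOINT itself can be
# unmounted and the LUKS device underneath it locked.
aufs_dependents() {
    awk -v mp="${2%/}" '
        NF < 4 || $1 ~ /^#/ { next }      # skip comments and short lines
        $3 != "aufs"        { next }      # only aufs entries matter here
        {
            n = split($4, opts, ",")      # options are comma-separated
            for (i = 1; i <= n; i++) {
                if (opts[i] !~ /^br:/) continue
                m = split(substr(opts[i], 4), br, ":")   # branches after "br:"
                for (j = 1; j <= m; j++) {
                    path = br[j]
                    sub(/=.*$/, "", path)  # drop a permission suffix (=rw, =ro)
                    # whole-component match: /media/4199 must not match /media/41991950-...
                    if (path == mp || index(path, mp "/") == 1) { print $2; next }
                }
            }
        }
    ' "$1"
}

# Constructed sample input based on the fstab lines in this thread.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# >>> [sftp]
none /home/sftp/outgoing/movies aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/movies=rw:/media/a6e6252d-5a8f-4e9b-88b3-46bef35b01a0/multimedia-content-d2/movies 0 0
none /home/sftp/outgoing/music aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/music 0 0
# <<< [sftp]
/dev/mapper/sdd-crypt /media/a6e6252d-5a8f-4e9b-88b3-46bef35b01a0 ext4 defaults,nofail 0 2
EOF
}

# Demo: which aufs mounts block locking the disk mounted at the second UUID?
demo_fstab=$(mktemp)
write_sample_fstab "$demo_fstab"
aufs_dependents "$demo_fstab" /media/a6e6252d-5a8f-4e9b-88b3-46bef35b01a0
rm -f "$demo_fstab"
```

On a real system, pass `/etc/fstab` and the mount point of the encrypted filesystem; unmount each listed path, then the filesystem itself, and only then lock the device.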
    • Ah, yes, that does need aufs then.
      I also don't think aufs is going to work in the OMV like a normal filesystem then.

      Does the aufs fs fail to mount if the devices aren't unlocked? Or does it mount but is empty? In which case, perhaps the udba=reval or udba=notify mount options might help? So that when the underlying branches are unlocked, the data appears in the union. You might be able to do this with symlinks too, using them as the bridges in the aufs union so that it will mount (but be empty) when the devices are locked.
      Anyway, this is getting more into aufs than LUKS!
    • Obviously I am misusing aufs, except in the one case (so far) where I really do need it. But that need will grow over time as I add disks, and I am doing that now - I just want to move to encrypted disks as I add them.

      The folder where the encrypted disk is mounted to is empty until the disk is unlocked, mounted, and since I hung it off an aufs mountpoint, 'mount -a' was run. Obviously a major kludge :) But eventually I would hang that disk off the same aufs mountpoint that the other two are on now - once I am sure LUKS is for me.

      I'll look into your suggestions about udba=reval or udba=notify mount options. And I'll discontinue aufs conversations here :)

      One thing I just noticed is that when I unlock that disk, it no longer automounts. Or was I imagining that it did earlier? I rebooted and tried again, but it still shows as unmounted in the File Systems panel after unlocking. I can try deleting the disk and recreating it as there is nothing but unimportant test data in it anyway.

      Could you consider another suggestion? When I am done typing the passphrase in to unlock a disk, it would be helpful if hitting the 'Enter' key with the cursor at the end of the passphrase could do the same thing as pressing the Unlock button with the mouse.

      Thanks again for your time, and the plugin!
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380
    • Start another aufs thread, happy to help if I can.

      It should automount if it was previously mounted in the Filesystems panel, however, if you use the Filesystems panel to unmount it, that also removes it from the config and fstab, so automounting won't work. Test by unmounting from the console or rebooting, not by clicking unmount in the WebGUI.

      Yes, I couldn't figure out how to make return work like clicking the button - it annoys me too! But the OMV login window does it, so I must be able to do it somehow, there must be something I am missing.
    • I hope this is the right place to report potential bugs. If not, let me know and move the post accordingly.

      I have added additional passphrases to a disk and I am trying to use the Keys | Test function. It tells me this for every passphrase I test. All the passphrases will actually unlock the disk:

      Error: The passphrase did not unlock any key slot on the device

      Show Details gives:

      Error #6000:
      exception 'OMVException' with message 'The passphrase did not unlock any key slot on the device' in /usr/share/openmediavault/engined/rpc/luks.inc:652
      Stack trace:
      #0 [internal function]: OMVRpcServiceLuksMgmt->testContainerPassphrase(Array, Array)
      #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array)
      #2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('testContainerPa...', Array, Array)
      #3 /usr/sbin/omv-engined(500): OMVRpc::exec('LuksMgmt', 'testContainerPa...', Array, Array, 1)
      #4 {main}
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380


    • Totally the right place for bugs and just what I want to hear (well, other than it working perfectly of course!).
      That does sound strange. Can you supply some more info: What version of the plugin? What version of cryptsetup (if poss)? And does the passphrase unlock from both the WebGUI and command line (with cryptsetup)?
    • Plugin version: openmediavault-luksencryption_1.3.2_all.deb
      Cryptsetup version: 2:1.4.3-4

      All the passphrases will unlock the disk from the WebGUI. I didn't try from the commandline - can you provide the syntax? I tried the man page but was overwhelmed!
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380
    • That command throws an unknown option error:

      root@omv:~# cryptsetup -v --test-passphrase /dev/sdd

      Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
      [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes]
      [--new-keyfile-offset=bytes] [-S|--key-slot=INT] [-b|--size=SECTORS] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-i|--iter-time=msecs] [-q|--batch-mode]
      [-t|--timeout=secs] [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING]
      [--allow-discards] [--header=STRING] [OPTION...] <action> <action-specific>]
      --test-passphrase: unknown option

      root@omv:~#
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380
    • I am running the backports kernel here, should I try to track down and install a later cryptsetup anyway?

      apt-cache policy cryptsetup mentions 1.6.4-4~bpo70+1

      Also, don't forget to change that control file to allow install on OMV 2.1.18 ;)

      Thanks for your time.
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380
    • Installed/upgraded from backports, test now works from the GUI, consider it solved. Thanks!

      Edit:

      But fails (differently now) from the commandline:

      root@omv:~# cryptsetup -v --test-passphrase /dev/sdd
      Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
      [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes]
      [--new-keyfile-offset=bytes] [-S|--key-slot=INT] [-b|--size=SECTORS] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-i|--iter-time=msecs] [-q|--batch-mode]
      [-t|--timeout=secs] [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING]
      [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [-M|--type=STRING] [--force-password]
      [OPTION...] <action> <action-specific>
      cryptsetup: Unknown action.

      Edit 2:

      This works (added open action keyword)

      root@omv:~# cryptsetup -v open --test-passphrase /dev/sdd
      Enter passphrase for /dev/sdd:
      Key slot 1 unlocked.
      Command successful.
      root@omv:~#
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380


    • igrnt wrote:

      v1.4.0 is now available. Changes:
      • Add submit on enter key and focus initial field functionality to most window forms


      Expected behavior:

      Cursor placed in passphrase box when clicking on Unlock, etc.
      With cursor beyond last typed passphrase character, pressing Enter key acts like pressing Unlock button.


      Neither part of this seems to work for me. What am I missing?
      OMV 3.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380
    • gderf wrote:


      Expected behavior:

      Cursor placed in passphrase box when clicking on Unlock, etc.
      With cursor beyond last typed passphrase character, pressing Enter key acts like pressing Unlock button.


      Neither part of this seems to work for me. What am I missing?


      I dunno, just tested it in my clean VM, works for me exactly as you describe. Windows 7, Chrome 46, Firefox 38 - what browser are you using?