LUKS disk encryption plugin

    • OMV 2.x

    This site uses cookies. By continuing to browse this site, you are agreeing to our Cookie Policy.

    • igrnt wrote:

      fixed it in the latest version of the plugin (2.1.2), hopefully available online soon.

      It is there now.
      omv 4.1.8.2 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.8
      omv-extras.org plugins source code and issue tracker - github.com/OpenMediaVault-Plugin-Developers

      Please read this before posting a question.
      Please don't PM for support... Too many PMs!
    • Well decryption works.

      But how about encryption and decryption by user. Is that possible ?
      If yes, how is it implemented ?
      What I mean is, can anyone except admin decrypt the volume ?
      If its assigend to several user(s), can they somehow enter the(ir) key and decrypt the volume.
      Something like, there is a treasure map on the encrypted volume. Only I and my wife should be able to see it.
      When I'm gone, how could she decrypt the vm, when she doesn't understand anything of OMV ?
      And after she had a look she again wants no one else to be able to see the map, without rebooting the server.
      How could she encrypt the vm again ?

      Since I'm not absolutely sure if I did everything right when I set up the vm, here is what I did.
      Maybe I missed something.

      When the keys and decryption worked, I had to format the decrypted volume with ext4.
      I assigned the according access rights to the directory and mounted it to User1/.
      I also inserted it into SMB/CIFS.
      I was able to access it (read/write) from Win7.

      But when I tried to encrypt it on OMV, encryption wouldn't let me. Encryption is greyed out.
      When I rebooted the server, the encrypted vm wasn't accessable until I decrypted it on OMV.
      Then I could access it until next reboot.
      Point is, I don't want to reboot the machine every time I had a look at the encrypted vm.

      And something off toppic, but maybe someone has a suggestion. (even where to look :) )
      Is it possible to hide the directory on SMB/CIFS (Windows) to everyone who isnt at leased allowed reading ?

      Any suggestion ?
    • The encryption UI is only exposed to the administration user.
      You can't lock a container/volume that is in use, i.e. contains a mounted filesystem. The UI greys out the buttons to prevent this, but even if you try it manually via the command line, Linux will not let you lock it for the very same reason.
      So, to lock a container in the OMV UI, you must first remove shares, unmount filesystems, etc, so that it is not in use (referenced).

      Having said all that, I think that in your case, a different approach would suit you better. For example, why not just use an encrypted zip file? LUKS is designed for whole disk encryption, to protect data at rest, you are trying to implement something different.
      More technical, you could investigate ecryptfs instead, although not sure how well it would work with your SMB access model.
    • Well I thought about luks encryption again and intended to just mount the luks partition on top of my private file system.
      I couldn't find any place where I could set the mount point of the encrypted vm, and when I tried to link it into my vm, I had no access rights.

      Any posibility for that ?
    • I don't understand what you mean by mount on top of your private filesystem.
      Once you create a LUKS container, you then treatcit like a block device and create a filesystem in it (I thought you had done this already), then you can use that filesystem like any other in OMV, i.e. it is listed in the Filesystems panel, and you can mount it (at /media/<uuid>), create shares, etc.
    • Sorry for not being clear.

      I created a VM named User1 and I created a VM named User1-crypted.
      First one formated with ext4 and available through SMB/CIFS to Windows.
      The second is encrypted but not available to Windows, since the existance should not be disclosed to other users.

      That means, I would like to mount User1-crypt to a mount point in my home directory.
      A mount point like /media/<uuid>/User1/User1-crypt

      I already tried to link to User1-crypt by a soft link to my home directory.
      Its shown in my home directory, but I don't get access into User1-crypt.
      Now I thought I could mount the crypted vm to a mount point in my home directory.

      I hope that a bit more clear now.
    • No, he's saying you can see the work going on in the plugins (e.g. specifically for LUKS, here: github.com/OpenMediaVault-Plug…encryption/commits/master), and you might see a commit message saying something like 'updated to work with OMV 3' which would give you a clue.

      In the case of the LUKS plugin, I also tag releases here: github.com/OpenMediaVault-Plug…t-luksencryption/releases

      Long story short: I can tell you that the LUKS plugin is compatible with and already available for OMV 3.0.
    • igrnt wrote:

      Yes, there could be better information about available plugins (without having to install/upgrade OMV), the omv-extras.org web pages seem out of date. Having said that, OMV 3.0 is in beta still, so in that case it's fair enough to expect users to search forums/github.

      Not enough time to update the omv-extras page. I guess eventually I will just redirect it to this page (look at the erasmus repo for most plugins). This is the most accurate location of whether a plugin is available for OMV 3.x.
      omv 4.1.8.2 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.8
      omv-extras.org plugins source code and issue tracker - github.com/OpenMediaVault-Plugin-Developers

      Please read this before posting a question.
      Please don't PM for support... Too many PMs!
    • Thanks for this great plugin. I was wondering how it would work with an USB external drive using the usb-backup plugin. I'm using the usb-backup plugin for my data backup (it starts automatically when the usb is plugged in). If I want the external USB drive to be LUKS encrypted, I need to unlock it first. That interferes with this usb-backup process I guess. I have not tested it yet myself, and hope some other members have.

      Thanks, Ralph
      ASRock H97 Pro4 | 8Gb 1600 | i3 4130T | 3x WD Red 4TB with SnapRAID | Backup to Crashplan & External HDD