[HowTo] OMV 4.x LUKS Full Disk Encryption, unlock via SSH

      Installation of OMV 4.x LUKS with full disk encryption of the root device, unlockable via SSH

      Introduction
      As a personal endeavour I wanted to achieve a fully encrypted OMV system.
      I had to do the setup several times, as I kept forgetting some trivial steps.

      With this write-up I hope to remember the steps, and maybe it is of some value to share, as I was not able to find anything similar on the forums.
      The resources on this topic are of course widespread, but each of them focuses only on some parts.

      Setup Steps

      The setup steps are maintained on GitHub.

      Source Code

      1. https://github.com/gandalfb/openmediavault-full-disk-encryption
      My Setup

      - OMV installed on 1x 128GB SSD
      - 4x 4TB with SnapRaid and mergerfs (via OMV extra plugins)
      - i5 (Ivy Bridge) with 16GB RAM to get started (old PC)

      The idea

      - full disk encryption of every device
      - unlock via SSH at boot time
      - the approach should work with a system already in use, as all data on the drives is preserved

      The approach

      - already running OMV setup
      - install and configure OMV to use dropbear-initramfs SSH
      - change the SSD disk layout to be LUKS encrypted (excluding /boot)
      - use a key file stored on the root device to unlock all data drives (the decrypt_derived keyscript from the manuals does not work with systemd, because keyscript= is ignored)
      - swap encryption
      - with an encrypted root device, use OMV to further set up the data drives

      OMV Plugins

      - the OMV encryption plugin is very handy later on, e.g. for backing up the LUKS headers, and is fully able to manage the devices

      Keep in mind

      - maybe use the live CD that comes with OMV and the "boot once" option instead of a dedicated USB stick
      - pre-up ip addr flush dev $IFACE broke my connection after bootup, but it is not necessary
      - have a backup key on every LUKS device
      - use a timeout in crypttab during setup (data drives)
      - the setup should be easily adaptable and scalable
      - using Docker on top of mergerfs led to various errors running containers
      - now the Docker files and configs I use are on the SSD, and the data drives with mergerfs hold pure data only
      - with the SSD encrypted as well, saving the configs there seems reasonable, although a RAID1 would maybe improve availability
      - of course this does not by any means make backups unnecessary
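      The key-file item under "The approach" and the timeout item under "Keep in mind", as an added example that is not from the original post or its GitHub repo: a POSIX shell snippet that assembles crypttab entries for the data drives (key file on the encrypted root, explicit timeout, no keyscript=) and checks an existing crypttab for keyscript= (ignored by systemd) and for key-file entries without a timeout. The key-file path, the UUIDs and the timeout value are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or its repository.
# Builds /etc/crypttab entries for the data drives the way the post
# describes (key file kept on the LUKS-encrypted root, explicit timeout,
# no keyscript= because systemd ignores it) and lints a crypttab for
# those two points. KEYFILE, the UUIDs and the timeout are assumptions.

KEYFILE=/root/.keys/data.key   # assumed location, lives on the encrypted root

# crypttab_entry NAME UUID TIMEOUT_SECONDS -> one crypttab line on stdout
crypttab_entry() {
    printf '%s UUID=%s %s luks,timeout=%s\n' "$1" "$2" "$KEYFILE" "$3"
}

# crypttab_check FILE -> warnings on stderr, number of findings on stdout.
# Entries with key "none" are unlocked interactively (the root device,
# via dropbear over SSH), so they are not required to carry a timeout.
crypttab_check() {
    findings=0
    while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case ",$opts," in
            *,keyscript=*)
                echo "WARN $name: keyscript= is ignored by systemd, use a key file" >&2
                findings=$((findings + 1)) ;;
        esac
        if [ "$key" != none ]; then
            case ",$opts," in
                *,timeout=*) ;;
                *)  echo "WARN $name: no timeout=, a missing drive blocks boot" >&2
                    findings=$((findings + 1)) ;;
            esac
        fi
    done < "$1"
    echo "$findings"
}

# Constructed sample crypttab (placeholder UUIDs) exercising each check.
SAMPLE=$(mktemp)
{
    echo "cryptroot UUID=00000000-0000-0000-0000-000000000001 none luks,discard"
    crypttab_entry data1 00000000-0000-0000-0000-000000000002 30
    echo "data2 UUID=00000000-0000-0000-0000-000000000003 $KEYFILE luks"
    echo "data3 UUID=00000000-0000-0000-0000-000000000004 cryptroot luks,keyscript=decrypt_derived"
} > "$SAMPLE"

crypttab_check "$SAMPLE"   # prints 3: data2 lacks timeout, data3 uses keyscript and lacks timeout
rm -f "$SAMPLE"
```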

      I do hope those learnings are worth sharing.
