[Plugin test] openmediavault-luksencryption v2

    • OMV 4.x
    • Resolved



      The current LUKS encryption plugin, originally created by @igrnt, has two main problems when running on an OMV server:

      1) When the system boots the disks are still locked, so the fstab entries fail to mount. Dependent services that keep data or configuration on such a disk, and need that path available when starting, can or will fail to start as well. Docker is one of them.

      2) There is no crypttab.

      I decided to modify the plugin to address these two main issues.
      This modification addresses the first issue completely and the second one partially. The plugin mechanics for the first problem are based on this approach:

      blog.iwakd.de/headless-luks-decryption-via-ssh

      Basically this creates a new default target that only starts the basic necessary services (ssh). Two additional targets are also created: the first one decrypts the drives, the second one mounts them, to finally reach graphical or multi-user.target.

      What the plugin does:

      - There is a new tab that holds two panels: a settings panel and a crypttab grid panel.
      - The settings panel allows you to:
      1) Enable the before-decrypt.target. This adds noauto to all fstab entries in the internal OMV database and regenerates fstab. It also disables all /sharedfolders systemd units. All drives (including non-encrypted ones) will no longer be mounted from fstab on boot.
      2) Optional: select a drive (a USB flash drive, for example) that will hold all the decryption key files.
      - Crypttab grid: you can submit an encrypted drive to /etc/crypttab. There you add the file name of the decryption key if you want automated decryption. It is important to add all the encrypted drives here for unlocking. It is not a full crypttab, as it is not possible to submit all options there.

      After a reboot you will be able to log in over SSH and run the command omv-luks-start to proceed with decryption; after that it will carry on and start the services.

      A couple of scenarios for the plugin:

      Drives encrypted with a passphrase: log in over SSH, run omv-luks-start, systemd will prompt for all passwords to unlock, mount and activate all remaining services.

      Drives encrypted with key files on a non-encrypted drive: no need to log in over SSH. If the drive is present, or as soon as the disk is plugged in, it triggers the decrypt.target, followed by unlocking, mounting and activation of all remaining services. All drives must have a key file assigned.

      Drives encrypted with key files on an encrypted disk: log in over SSH, run omv-luks-start, you will be prompted for the key disk passphrase and the unlocking of the rest of the encrypted disks should be automatic, including mounting and service start. The key disk will be closed.


      This is not an official omv-extras plugin; it is published here for people who are interested in testing it and giving some feedback. Once it is proven to work I might consider doing a PR.

      The source is here

      github.com/subzero79/openmedia…cryption/tree/advsettings

      You can download the built package here

      Notes:

      - There are a lot of problems using LUKS, ZFS and OMV4 in conjunction. Before enabling before-decrypt.target, first make sure the whole system is clean. This means ZFS datasets correctly mounted, /sharedfolders too, and drives decrypted.
      - If you decide to go back to the official version, make sure you empty your browser cache after the downgrade to clean out the plugin's JS visual elements.

      Changed 06-03-2017:
      - The device mapper name can no longer be left empty when submitting entries to the crypttab
      - Got rid of the spinner script
      - Fixed the cleanup trap when using a key device
      - The dropdown combo menu in the crypttab now only offers devices not yet in the crypttab database
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server

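
The target chain described in the post above, as an added example that is not the plugin's code or the author's: three small shell functions that produce the pieces the before-decrypt.target scheme needs (fstab entries switched to noauto, crypttab lines, and the two target units), run here over constructed sample input. The target and unit names, the UUIDs and the key file path are assumptions; systemd-cryptsetup@NAME.service is the unit systemd's crypttab generator creates for each /etc/crypttab entry.

```bash
#!/bin/sh
# Added example (not code from the plugin or the original post): the text
# transformations behind the before-decrypt.target scheme, written as pure
# functions over stdin/arguments so they can be checked on constructed input
# without touching a live system. Target names, UUIDs and paths are assumed.

# 1) Add "noauto" to the options field (4th column) of every fstab entry so
#    nothing is mounted at boot. Comments and blank lines pass through and an
#    entry that already carries noauto is left untouched.
fstab_noauto() {
    awk '
        /^[ \t]*(#|$)/ { print; next }
        {
            n = split($4, opt, ",")
            has = 0
            for (i = 1; i <= n; i++) if (opt[i] == "noauto") has = 1
            if (!has) $4 = $4 ",noauto"
            print
        }'
}

# 2) Build one crypttab line: mapper name, source by UUID, key file or "none"
#    (systemd then asks for a passphrase). An empty mapper name is rejected,
#    the rule the 06-03-2017 change added. "noauto" keeps cryptsetup.target,
#    which sysinit.target pulls in, from blocking the boot on these devices;
#    decrypt.target below pulls their units in explicitly instead.
crypttab_entry() {
    name=$1 uuid=$2 keyfile=${3:-none}
    [ -n "$name" ] || { echo "crypttab_entry: mapper name must not be empty" >&2; return 1; }
    # loose shape check: five hyphen-separated groups starting with a hex digit
    case $uuid in
        [0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*) ;;
        *) echo "crypttab_entry: not a UUID: $uuid" >&2; return 1 ;;
    esac
    printf '%s UUID=%s %s luks,noauto\n' "$name" "$uuid" "$keyfile"
}

# 3a) The minimal default target: basic.target plus SSH and networking
#     (networking.service is listed because ssh.service alone did not bring
#     a bonded interface up in the report further down this thread).
before_decrypt_target() {
    cat <<'EOF'
[Unit]
Description=Headless LUKS unlock: boot only far enough for SSH
Requires=basic.target
After=basic.target
Wants=networking.service ssh.service
AllowIsolate=yes
EOF
}

# 3b) decrypt.target wants one systemd-cryptsetup@NAME.service per crypttab
#     entry read from stdin; systemd's crypttab generator creates those units.
decrypt_target() {
    printf '[Unit]\nDescription=Unlock LUKS devices listed in /etc/crypttab\n'
    printf 'Requires=before-decrypt.target\nAfter=before-decrypt.target\n'
    awk '!/^[ \t]*(#|$)/ { printf "Wants=systemd-cryptsetup@%s.service\n", $1 }'
    printf 'AllowIsolate=yes\n'
}

# Constructed sample input, not taken from a real machine.
SAMPLE_FSTAB='# /etc/fstab
UUID=1111 /srv/dev-disk-by-label-data ext4 defaults,nofail 0 2
UUID=2222 /srv/dev-disk-by-label-media xfs defaults,noauto 0 2'
SAMPLE_CRYPTTAB="$(crypttab_entry data 0d5a3c0e-9a1b-4c2d-8e3f-123456789abc /media/keydisk/data.key)
$(crypttab_entry media 1e6b4d1f-0b2c-4d3e-9f40-23456789abcd)"

printf '%s\n' "$SAMPLE_FSTAB" | fstab_noauto
printf '%s\n' "$SAMPLE_CRYPTTAB" | decrypt_target

# Install (as root, not run here):
#   before_decrypt_target > /etc/systemd/system/before-decrypt.target
#   decrypt_target < /etc/crypttab > /etc/systemd/system/decrypt.target
#   systemctl set-default before-decrypt.target
# After a reboot, the omv-luks-start equivalent over SSH:
#   systemctl start decrypt.target && systemctl isolate multi-user.target
```

Because every crypttab line carries noauto, cryptsetup.target (ordinarily pulled in by sysinit.target) has nothing to wait on, so the boot reaches the SSH prompt without blocking on a passphrase; the unlock only happens when decrypt.target is started by hand, after which isolating multi-user.target mounts the filesystems and starts the remaining services. Key files named in crypttab must be readable at that point, which is why a non-encrypted key disk can unlock without any login while an encrypted one needs its own passphrase first.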

    • Hi Subzero,

      thank you so, so much for this great enhancement of the encryption plugin. This was exactly what I was looking for over the last months. I really like to have my data partitions encrypted and I used the "regular" plugin for this task. But I always had problems after restarting my NAS getting all the services that rely on the decrypted data partition to work again (especially Docker). Normally I needed to perform several service restarts and plugin activations and deactivations.

      With your modifications it now works as it should. After restarting, everything is "on hold" until I decrypt the LUKS partition with your script.

      I only had a few problems that I want to share with you as feedback:
      1. I use a network bond on my NAS. After installing your plugin, the network was not available in the "before-decrypt" stage. I needed to create a dependency for the before-decrypt target that points to "networking.service", to make sure my bond is online.
      2. When running your script "omv-luks-start" everything works, but I get a warning that a dependency for mount-luks failed. This seems to be cosmetic to me, because everything is decrypted.
      3. I needed to implement a delay in the unit file for the Docker service, as it seems that Docker started too quickly, before everything was mounted, and it was hit and miss whether or not Docker started correctly. A 5 second delay works well for me.

      Just wanted to let you know how happy I am about your contribution.

      Cheers
      Michael
    • Thanks for the feedback. The network should be available, otherwise this mod would be pointless. I'll try to replicate it in a VM with a bond. But I assume it worked because networking gets pulled in by ssh; it shouldn't make a difference for a bond.

      I use this setup on my own server and use Docker, but the Docker root folder is not encrypted. Is yours encrypted? I would have to add an extra check for this.

      For the script error, it would help me if you could describe your setup: number of disks, size, RAID on top, etc. Did you use a key disk? Or are you prompted for a passphrase for each disk?
    • Hi Subzero,

      thanks for your prompt reply. I didn't want to cause you additional work with my feedback. I think most of my irregularities come from my "special" setup (bonding etc.).

      First and foremost I am happy with the Plugin and just wanted to let you know.

      For your questions:
      1. SSH pulls in network.service on my system, but that doesn't initialize the bond, so I got no IP at this stage. Only networking initializes the interfaces configured in /etc/network/interfaces.
      2. Yes, my Docker root is encrypted.
      3. I have 3 disks with a RAID-5 on top. Each disk is 8TB in size. At this time about 50% of the space is used.
      4. I do not use a key disk. I am prompted for the passphrase once for the whole RAID.

      Kind Regards
      Michael
    • I have a problem adding an extra key to an encrypted device from the web GUI. I select a device, press "Keys > Add", enter the current and new passphrases, "Add", and no extra key appears. The GUI reports 1/8 key slots, just like before. Adding a key from SSH works:

          # cryptsetup luksAddKey /dev/sdb
          Enter any existing passphrase:
          Enter new passphrase for key slot:
          Verify passphrase:
          # cryptsetup luksDump /dev/sdb | grep Slot
          Key Slot 0: ENABLED
          Key Slot 1: ENABLED
          Key Slot 2: DISABLED
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED

      It would also be nice if the plugin allowed using the same passphrase for multiple disks out of the box, without the need to set up an additional key disk.

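
Batch key addition with a post-check, as an added example that is neither the plugin's code nor the poster's: the slot-count parser below makes the same before/after comparison of `cryptsetup luksDump` output that the poster did by hand, and add_key_to_all repeats luksAddKey with one new passphrase across several devices, which also covers the wish for a shared passphrase without a key disk. Device names are placeholders and the dump excerpts are constructed.

```bash
#!/bin/sh
# Added example, not part of the post above or of the plugin: add the same new
# passphrase to several LUKS devices in one pass, and after each luksAddKey
# verify that a key slot really became ENABLED. That post-check is exactly
# what the GUI report above (still 1/8 slots after "Add") would have failed.
# Device paths are placeholders; cryptsetup is only called by add_key_to_all.

# Count enabled key slots in `cryptsetup luksDump` output read from stdin.
# Handles the LUKS1 layout quoted in the thread ("Key Slot N: ENABLED") and
# the LUKS2 layout ("Keyslots:" followed by two-space-indented "N: luks2").
count_enabled_slots() {
    awk '
        /^Key Slot [0-7]: ENABLED/ { n++ }       # LUKS1
        /^Keyslots:/ { in_ks = 1; next }         # LUKS2 section opens
        in_ks && /^[A-Za-z]/ { in_ks = 0 }       # next top-level section closes it
        in_ks && /^  [0-9]+: luks2/ { n++ }
        END { print n + 0 }'
}

# Read one new passphrase, keep it in a root-only temp file (umask 077), and
# add it to every device given as an argument. cryptsetup still asks for an
# existing passphrase of each device; the new key comes from the file.
# Returns non-zero if any device did not gain a slot.
add_key_to_all() {
    umask 077
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT
    printf 'New passphrase for all devices: '
    stty -echo; IFS= read -r pass; stty echo; printf '\n'
    printf '%s' "$pass" > "$tmp"
    unset pass
    rc=0
    for dev in "$@"; do
        before=$(cryptsetup luksDump "$dev" | count_enabled_slots)
        if ! cryptsetup luksAddKey "$dev" "$tmp"; then
            echo "$dev: luksAddKey failed" >&2; rc=1; continue
        fi
        after=$(cryptsetup luksDump "$dev" | count_enabled_slots)
        if [ "$after" -gt "$before" ]; then
            echo "$dev: enabled key slots $before -> $after"
        else
            echo "$dev: still $before enabled slots, key was not added" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed luksDump excerpts (not from a real device) for the parser.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sdX

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
	Key:        512 bits
  3: luks2
	Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

printf 'LUKS1 sample: %s enabled slots\n' "$(printf '%s\n' "$SAMPLE_LUKS1_DUMP" | count_enabled_slots)"
printf 'LUKS2 sample: %s enabled slots\n' "$(printf '%s\n' "$SAMPLE_LUKS2_DUMP" | count_enabled_slots)"
# Real use (as root): add_key_to_all /dev/sdb /dev/sdc /dev/sdd
```

The new passphrase is handed to cryptsetup as a key file so it is typed only once, while cryptsetup still asks for an existing passphrase of each device, which it needs to recover that device's master key before wrapping it into a new slot. One caveat a practitioner would add: a passphrase shared across disks means a single compromise unlocks all of them; a per-disk key file on a removable key disk, as the plugin supports, avoids that trade-off.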