Current encryption support status

  • Hi guys,


    I read some older threads about encryption support but it didn't answer my questions.
    I want to know if it is possible to encrypt all data drives completely while still being able to have OMV recognize them as data drives after they have been decrypted after startup.
    If it is truecrypt, dmcrypt or anything else, I don't care.
    The best option would be if I can encrypt the OMV drive with truecrypt manually (so that I need to enter the password when I reboot the OMV machine) and all the other drives (also encrypted by truecrypt) should automatically be decrypted after startup. If this would work together with e.g. the snapraid plugin this would be great.
    Does anyone know the current status? Is what I want possible? I only found this alternative to using truecrypt to encrypt the system drive: http://wiki.openmediavault.org…f_boot_disk_to_store_data
    However I couldn't find any solutions for the data drives.


    I hope you guys can help me. =)

  • It is possible; I do it. But it calls for all-manual setup.
    Basically, what I did is create a RAID array, then encrypt the entire md (i.e. the RAID block device) using LUKS, rather similar to what's described in the wiki page you quoted, and then create a filesystem on /dev/mapper/mdxxx. If you then put this into /etc/crypttab, you can either type the key manually during boot (what you asked for), or point the crypttab entry to a key location, which will make it auto-mount (and a bit less secure, at least for some attack vectors).
    From that point on, OMV will detect the filesystem(s) and you can use it as usual, add shares and do whatever.


    If you're interested, I can describe this in more detail. It is quite straightforward, but it's a completely manual process.

  • Hi. I'm also interested in encryption. I read the wiki page, but if I am not mistaken, that page is giving instructions to encrypt the OMV disk as well? I have no real inclination to do that. I just want to encrypt the disks holding my data. Can I just set up OMV as normal, then add my data disks and encrypt them?


    All I want to use OMV for is to manage my storage layer for my database servers, and some of the databases need to be encrypted. I'll just be setting up two large RAID 10 sets and using iSCSI to connect from the db server. Do I really need to mess with the install media etc? I have no problem creating the RAID sets by hand etc

  • You two are asking two different things?!


    @zelda: You say you don't care about the program used for encryption. And wiki page step 3 describes how to encrypt your data drives. So what are you missing / is your question?


    miles: Maybe open your own post? It shouldn't be a problem to just encrypt your data drives and semi-manually mount them during boot. Maybe OMV complains about missing drives till they are mounted completely.



    Wk

  • It is possible; I do it. But it calls for all-manual setup.
    Basically, what I did is create a RAID array, then encrypt the entire md (i.e. the RAID block device) using LUKS, rather similar to what's described in the wiki page you quoted (http://wiki.openmediavault.org/index.php?title=Encrypted_OMV_installation_with_aes-xts-plain64_cipher,_random_key_for_swap_and_exposing_the_rest_of_boot_disk_to_store_data), and then create…


    @doron
    I managed to set up an encrypted installation (root and swap encrypted) using the wiki article.
    I would be very much interested in setting up an encrypted RAID6 now, can you please post the steps (cmds) to be taken here?


    Thank you in advance!

  • *** EDITED *** to correct a couple of glaring errors - thanks @raisOr for providing feedback!! ***



    @doron
    I managed to set up an encrypted installation (root and swap encrypted) using the wiki article.
    I would be very much interested in setting up an encrypted RAID6 now, can you please post the steps (cmds) to be taken here?


    Sure. Basically, what you need to do is create the RAID array structure you want, and then, before creating a filesystem on it, do the LUKS. Then you go on building a filesystem over the dm-crypt layer. OMV is smart enough to detect it, so that all the higher level tools (File Systems, Shared Folders etc.) will be automagically available.


    Special care should be given to the location of the key. The crypto setup happens rather early in the boot sequence; your key needs to be available at that time. Either you type it in (boot sequence stops and prompts you on the primary console, you need it to be available to you), or, if you use a key file, it needs to be available. If it is on the (encrypted?) root fs, that should work (root fs is expected to be mounted at that time, obviously).


    Okay, buckle up (this is essentially similar to what's described in "Step 3" of the wiki article):


    1. Create the RAID structure you want. Simplest is to use the GUI. Raid Management --> Create, like you always do, but you can use md if you prefer. Note the name of the device created - /dev/mdxxx. Wait for the RAID array to become fully initialized.


    2. Get a root level command prompt. Build an encrypted block device on top of the array. If you plan to type the key (passphrase) during boot, just do:


    cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat /dev/mdxxx


    Alternatively, if you plan to use a key file, first create the key file (e.g. via dd if=/dev/urandom of=/path/to/keyfile bs=1024 count=4) and place it where the early init process can find it (!). Then, do:


    cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat /dev/mdxxx /path/to/keyfile


    3. Open the encrypted block device, like so (the name "myraid6" is an example, use your own):


    cryptsetup luksOpen /dev/mdxxx myraid6


    or, if you used a keyfile, use this syntax:


    cryptsetup luksOpen -d /path/to/keyfile /dev/mdxxx myraid6


    This step creates a new block device, /dev/mapper/myraid6. We will now use this device for upper-layer actions.


    4. Now we need to create a file system. We can simply do e.g.:


    mkfs.ext4 -m 0 /dev/mapper/myraid6


    Or, we can go back to the OMV GUI, go to File Systems, and select "Create", making sure we are building the file system on /dev/mapper/myraid6 (and not on /dev/mdxxx).


    5. Last thing we need to do is add a line to /etc/crypttab, so that the device is opened upon boot. Best is to use the device's UUID (which remains constant in the face of hardware or OS version changes). Find out the UUID by:


    blkid | grep /dev/mdxxx


    and copy the UUID into a line you add into /etc/crypttab which, if you want to be prompted for a password, will look something like this:


    myraid6 UUID=b90f8cce-a777-4915-a871-3cbc4f87c34a none luks


    or if you used a key file, like this:


    myraid6 UUID=b90f8cce-a777-4915-a871-3cbc4f87c34a /path/to/keyfile luks


    That's all there's to it. Now you should be able to use your new filesystem from the GUI, create shared folders, share over NFS/CIFS/AFS or whatever you want to do with OMV.


    I hope I haven't missed anything, please report success or failure...
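    The following is an added example, not code posted in this thread or shipped by OpenMediaVault; it collects doron's steps 2-5 above (and the LUKS-over-md layout from the earlier reply) into one POSIX sh script. The device name /dev/md127, the mapper name myraid6, the keyfile path and the blkid sample output are assumptions constructed for the example. The part a practitioner most often gets wrong is step 5: the crypttab entry must carry the UUID of the LUKS container (the /dev/mdxxx line in blkid, TYPE="crypto_LUKS"), not the UUID of the ext4 filesystem that blkid reports for /dev/mapper/myraid6, so the helper below refuses to build a line from anything that is not a crypto_LUKS device.

```shell
#!/bin/sh
# Added example (not from the thread): LUKS over an md RAID device with a
# UUID-based /etc/crypttab entry, following the how-to's steps 2-5.

# Constructed sample of what `blkid` prints on such a box. The md device is
# the LUKS container; the mapper device is the ext4 filesystem inside it.
# (UUIDs are made up, except the one reused from the how-to's crypttab line.)
SAMPLE_BLKID='/dev/md127: UUID="b90f8cce-a777-4915-a871-3cbc4f87c34a" TYPE="crypto_LUKS"
/dev/sda1: UUID="4a7c0d11-1111-4c1b-9c3e-000000000001" TYPE="ext4" PARTUUID="0001"
/dev/mapper/myraid6: UUID="8c1b2e33-2222-4bd5-8e2f-000000000002" TYPE="ext4"'

# luks_uuid DEVICE BLKID_OUTPUT
# Prints the UUID of DEVICE only if blkid reports it as a crypto_LUKS
# container; returns 1 for unknown devices or plain filesystems (e.g. the
# /dev/mapper/* device, whose UUID must NOT go into crypttab).
# Note: values containing spaces (LABEL="My Disk") are not handled.
luks_uuid() {
    dev=$1
    printf '%s\n' "$2" | awk -v dev="$dev:" '
        $1 == dev {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])
                if (kv[1] == "UUID") uuid = kv[2]
                if (kv[1] == "TYPE") type = kv[2]
            }
            if (type == "crypto_LUKS" && uuid != "") { print uuid; found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# crypttab_line NAME DEVICE KEY BLKID_OUTPUT
# Builds the /etc/crypttab line: KEY is "none" (prompt for the passphrase at
# boot) or the path of a keyfile readable during early init.
crypttab_line() {
    name=$1; dev=$2; key=$3; blk=$4
    uuid=$(luks_uuid "$dev" "$blk") || return 1
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$key"
}

# setup_luks_over_md MD_DEVICE NAME [KEYFILE]
# Runs steps 2-5 on a real system (needs root and an initialized md array;
# not executed by the checks that accompany this example). Without KEYFILE
# it prompts for a passphrase; with KEYFILE the file is used to format and
# open the container and is referenced from crypttab for unattended boot.
setup_luks_over_md() {
    md=$1; name=$2; keyfile=${3:-}
    if [ -n "$keyfile" ]; then
        # Keep the keyfile root-only: anyone who can read it can open the array.
        chmod 0400 "$keyfile"
        cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat "$md" "$keyfile"
        cryptsetup luksOpen -d "$keyfile" "$md" "$name"
        key=$keyfile
    else
        cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat "$md"
        cryptsetup luksOpen "$md" "$name"
        key=none
    fi
    mkfs.ext4 -m 0 "/dev/mapper/$name"
    # Step 5: UUID of the md device (the container), appended to crypttab.
    crypttab_line "$name" "$md" "$key" "$(blkid)" >> /etc/crypttab
}

# Stand-alone demo on the constructed blkid sample (no root needed).
crypttab_line myraid6 /dev/md127 none "$SAMPLE_BLKID"
```

Run it as-is to see the crypttab line built from the sample; on a real box call setup_luks_over_md /dev/mdxxx myraid6 (optionally with a keyfile path) as root after the array has finished initializing.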

  • @doron thanks for the great how-to!!!


    I managed to create an encrypted RAID using your guide.


    I also enabled a dropbear server during early boot to unlock the encrypted /root remotely via ssh.


    I used this guide (it's in German) for it.


    Kind regards,
    raisOr
