LUKS disk encryption plugin

    • OMV 2.x
    • rickyx wrote:

      I don't know what was wrong,
      Hmm. What is the output of: zgrep -iE "xts|aes" /proc/config.gz
      omv 5.0.14 usul | 64 bit | 5.0 proxmox kernel | omvextrasorg 5.1.5
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • crickyx@helios4:~$ zgrep -iE "xts|aes" /proc/config.gz
      CONFIG_CRYPTO_XTS=y
      CONFIG_CRYPTO_AES=y
      CONFIG_CRYPTO_AES_TI=y
      CONFIG_CRYPTO_AES_ARM=m
      CONFIG_CRYPTO_AES_ARM_BS=m
      CONFIG_CRYPTO_AES_ARM_CE=m
      CONFIG_TEXTSEARCH=y
      CONFIG_TEXTSEARCH_KMP=m
      CONFIG_TEXTSEARCH_BM=m
      CONFIG_TEXTSEARCH_FSM=m
    • The important modules are compiled in (don't need to be loaded). So, this tells me that a reboot shouldn't be needed. Still don't know why a reboot "fixes" it.
    • Hi there,

      today I tried to install OMV 4.x with the latest

      openmediavault-luksencryption_3.0.5_all.deb

      The installation log inside the browser says:


      Setting up cryptsetup-bin (2:1.7.3-4) ...
      Processing triggers for man-db (2.7.6.1-2) ...
      Processing triggers for openmediavault (4.1.19-1) ...
      >>> *************** Error ***************
      Invalid RPC response. Please check the syslog for more information.
      <<< *************************************
      Restarting engine daemon ...
      Setting up cryptsetup (2:1.7.3-4) ...

      I am using Armbian_5.75_Bananapipro_Debian_stretch_next_4.19.20 with a blank setup.

      The syslog does not show anything that might be helpful.

      No HDD shows up when trying to setup encryption via the GUI.

      Of course I could use cryptsetup and luksformat myself, but this is something OMV might not like at all and will not get notified of. To get all properly working inside the GUI would be the best.

      In the past this plugin worked great, but due to the installation error I am stuck at the moment.

      If you are in need of more information I would be glad to help.

      Thanks,
      Oliver
    • Hi, I was going to raise an issue (improvement request) on the LUKS plugin GitHub, but I guess it's better to first discuss it here.

      Some ARM-based boards have a hardware encryption acceleration engine; this is the case for the Helios4 board, based on the Marvell Armada388, which has CESA engines. However, those hardware encryption engines are limited in which ciphers they support. CESA does not accelerate the aes-xts-plain64 cipher, which is the default cipher for LUKS, and actually I don't think there is any SoC out there that can accelerate XTS.

      For users to enjoy the hardware encryption acceleration provided by the CESA engine, they should choose the cipher aes-cbc-essiv:sha256 for their disk encryption.

      Could we imagine an advanced setting where the user can choose the cipher when creating an encrypted device on OMV? Limited to 2 choices:
      - aes-xts-plain64 (default)
      - aes-cbc-essiv:sha256

      I created a dirty patch for people to hard-code in your plugin the right cipher in the case of Helios4. I could try to create the feature described above, but I need to understand how the OMV plugin framework works first :/

      Here is a cryptsetup benchmark run on Helios4; you can see that users can enjoy a significant boost by choosing the right cipher.


      # Tests are approximate using memory only (no storage IO).
      PBKDF2-sha1       201959 iterations per second for 256-bit key
      PBKDF2-sha256     257508 iterations per second for 256-bit key
      PBKDF2-sha512     162217 iterations per second for 256-bit key
      PBKDF2-ripemd160  175464 iterations per second for 256-bit key
      PBKDF2-whirlpool   23523 iterations per second for 256-bit key
      #  Algorithm | Key  | Encryption  | Decryption
      aes-cbc       128b   101.9 MiB/s   104.9 MiB/s
      serpent-cbc   128b    24.6 MiB/s    32.0 MiB/s
      twofish-cbc   128b    39.0 MiB/s    44.4 MiB/s
      aes-cbc       256b    92.2 MiB/s    94.6 MiB/s
      serpent-cbc   256b    25.2 MiB/s    32.0 MiB/s
      twofish-cbc   256b    39.7 MiB/s    44.4 MiB/s
      aes-xts       256b    62.0 MiB/s    55.7 MiB/s
      serpent-xts   256b    29.4 MiB/s    31.9 MiB/s
      twofish-xts   256b    43.1 MiB/s    44.4 MiB/s
      aes-xts       512b    48.2 MiB/s    41.7 MiB/s
      serpent-xts   512b    29.7 MiB/s    31.9 MiB/s
      twofish-xts   512b    43.5 MiB/s    44.3 MiB/s



      More benchmark here
    • gprovost wrote:

      I need to understand how the OMV plugin framework works first
      The plugin creates the container without any arguments regarding the cipher - github.com/OpenMediaVault-Plug…e/luks/container.inc#L347. It wouldn't be hard to add one.

      gprovost wrote:

      Could we imagine an advanced setting where the user can choose the cipher when creating an encrypted device on OMV? Limited to 2 choices:
      If I add a list of ciphers, I would add all that are supported but a note could mention other things. Are there any boards that support a different cipher? I don't want to make a change just for the helios.
    • ryecoaaron wrote:

      If I add a list of ciphers, I would add all that are supported but a note could mention other things. Are there any boards that support a different cipher? I don't want to make a change just for the helios.
      I don't think you need to bother listing all the supported ciphers, because the list would be super long since there are many possible combinations. It's better to limit the choice to the best 2 ciphers, which are recommended by most Linux distros, including cryptsetup itself:
      - aes-xts-plain64
      - aes-cbc-essiv:sha256

      I did a bit of research and most ARM SoCs have a crypto engine:
      - Marvell
      - Rockchip
      - AllWinner
      - Amlogic
      - NXP

      The basic features of their encryption and decryption engines are:
      AES 128/192/256 key mode
      ECB/CBC chain mode
      SHA-1, SHA-256, and MD5 hash functions


      Actually I found that some latest-gen ARM SoC families even support XTS chain mode. But overall I think most ARM SoCs would get better performance by using aes-cbc-essiv:sha256 instead of aes-xts-plain64.

      I would recommend, however, leaving aes-xts-plain64 as the default and letting the user choose explicitly the other cipher if needed. Up to the board developer to advertise such improvement tweaks ;)
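
The selection policy discussed in the posts above (keep aes-xts-plain64 as the default, switch to aes-cbc-essiv:sha256 only where the board clearly benefits) can be derived from `cryptsetup benchmark` output. This is an added example, not code from the thread or from the plugin; `pick_cipher`, `format_command`, the 25% margin and the `/dev/sdX` placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: the AES rows of the Helios4 benchmark quoted in the thread.
HELIOS4_BENCH='#  Algorithm | Key | Encryption | Decryption
aes-cbc 128b 101.9 MiB/s 104.9 MiB/s
aes-cbc 256b 92.2 MiB/s 94.6 MiB/s
aes-xts 256b 62.0 MiB/s 55.7 MiB/s
aes-xts 512b 48.2 MiB/s 41.7 MiB/s'

# pick_cipher [margin_percent]   (hypothetical helper)
# Reads `cryptsetup benchmark` output on stdin, prints "<cipher> <key bits>".
# Compares AES-256 in both modes: aes-cbc 256b against aes-xts 512b (XTS
# splits its key in two halves, so a 512-bit XTS key is AES-256).
# aes-xts-plain64 stays selected unless CBC's combined encrypt+decrypt
# throughput exceeds XTS by more than margin_percent (default 25, assumed),
# or if either row is missing from the input.
pick_cipher() {
    LC_ALL=C awk -v margin="${1:-25}" '
        $1 == "aes-cbc" && $2 == "256b" { cbc = $3 + $5; have_cbc = 1 }
        $1 == "aes-xts" && $2 == "512b" { xts = $3 + $5; have_xts = 1 }
        END {
            if (have_cbc && have_xts && cbc > xts * (1 + margin / 100))
                print "aes-cbc-essiv:sha256 256"
            else
                print "aes-xts-plain64 512"
        }'
}

# format_command <device> [margin_percent]   (hypothetical helper)
# Prints, without running it, the luksFormat command for the chosen cipher.
format_command() {
    choice=$(pick_cipher "$2")
    printf 'cryptsetup luksFormat --cipher %s --key-size %s %s\n' \
        "${choice% *}" "${choice#* }" "$1"
}
```

On a live system the input would come from `cryptsetup benchmark | format_command /dev/sdX`; as the benchmark header says, the figures are memory-only and approximate.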
    • I have installed the LUKS encryption plugin. It appears with no problem in the left-hand menu. When I click on Encryption then the Device dropdown, my device (/dev/sda) does not appear. I can mount it from the command line and see it elsewhere in OMV. I did not see any information in the GitHub reference or in this thread about how to resolve the issue.

      This is on the Armbian N2 release of Debian 9, Linux 4.9.173.

      This is the only issue with OMV. To my knowledge, everything else works as expected.

      Please advise. Thank you.
    • The process is:
      • install the plugin
      • in storage | encryption
        • add a new drive

        • unlock the drive
      • in storage | filesystem
        • create a filesystem

        • mount the filesystem
      So the drive you want to encrypt must not be mounted. Probably you also have to wipe the drive (all data on the drive will be lost).
      Odroid HC2 - armbian - OMV4.x | Asrock Q1900DC-ITX - Intenso SSD 120GB - OMV4.x
      :!: Backup - Solutions to common problems - OMV setup videos - OMV4 Documentation - user guide :!:
    • Hi,

      I have just tried to create a LUKS-Encrypted device via the plugin but I seem unable to do so.

      I had a hardware RAID-1 drive (/dev/sdb) mounted and in use. I have removed the shared folders, unmounted and deleted the file system.
      At this point the drive /dev/sdb was unused but still showed up under "Disks".

      I then moved to the "Encryption" tab after installing the LUKS plug-in; however, this drive was not showing up at all.
      Can someone let me know what I am doing wrong and how I could get the device encrypted, please?

      Thank you.
      HP MicroServer Gen 8
      HP DL360e Gen 8
    • josg wrote:

      Poincare1 wrote:

      My drive is not mounted, but as I posted above, nothing shows up in the device dropdown, no /dev/sda or anything like that....
      I have the same issue. The device dropbox only flashes a bit but remains empty. My OMV is v4.1.23-1 on a PC (linux amd64).

      -- Jos
      +1, I have the same issue
    • First check if the filesystem section lets you format the disk. If it shows there, then it should show in the LUKS format section, since if I recall correctly it uses the same method to enumerate the candidates.
      If it doesn't show, then it probably still has a signature that prevents it from showing there, maybe a partition signature. Don't waste too much time; if you really want to encrypt the device, just drop down to the terminal to format it as LUKS, then it will show in the LUKS panel.
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
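
To check the leftover-signature hypothesis raised in the reply above, the magic bytes that mark a device as "in use" can be read directly from the start of the disk. This is an added example, not part of the original thread or the plugin's code; `hex_at`, `check`, `probe_signatures` and `make_sample` are hypothetical names, and 512-byte sectors are assumed for the GPT header offset.

```shell
#!/bin/sh
# hex_at <path> <offset> <length>: lower-case hex of <length> bytes at <offset>
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# check <path> <offset> <length> <expected hex> <name>: print <name> on a match
check() {
    if [ "$(hex_at "$1" "$2" "$3")" = "$4" ]; then echo "$5"; fi
}

# probe_signatures <path>: one line per signature found (read-only)
probe_signatures() {
    check "$1" 0    6 4c554b53babe     luks   # "LUKS" 0xBA 0xBE, LUKS1 and LUKS2
    check "$1" 510  2 55aa             mbr    # MBR or protective-MBR boot signature
    check "$1" 512  8 4546492050415254 gpt    # "EFI PART" at LBA 1
    check "$1" 1080 2 53ef             ext    # ext2/3/4 s_magic 0xEF53, little-endian
}

# make_sample <path>: constructed 4 KiB image that still carries an ext magic,
# standing in for a disk whose filesystem was deleted but not wiped
make_sample() {
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null
}
```

On a real disk, `wipefs /dev/sdX` run without options lists every signature libblkid recognises and erases nothing, which covers far more formats than the four checked here.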
    • Hi @subzero79, thanks for the reply.

      Yes, the device shows up in the File System section and I have actually recreated an EXT4 partition after wiping the existing one.
      I wonder if that could be something to do with Primary vs Logical/Extended partitions but, given the existing one was removed I am kind of tempted to exclude this cause.

      Would you have any suggestion on how to format the device as LUKS and then create a partition from terminal, please?
      Shall I try to follow cyberciti.biz/hardware/howto-l…-luks-cryptsetup-command/?

      Thank you!

      The post was edited 1 time, last by kavejo ().