LUKS disk encryption plugin

  • I guess you could describe aufs as an overlay type thing, but I am not very fluent in any of this stuff, so there may be a better choice.


    And yes, I agree that 'mount -a' would have the unintended side effects you describe.


    Also, I find that I must manually umount that aufs mount point before the disk can be locked. This is because I added all those aufs mount points into /etc/fstab by hand. I am not sure if OMV could have been used to do that. They are below from my fstab, maybe someone can elaborate on how OMV might be able to create them - but I suspect the Union Filesystems plugin lacks that kind of granularity for my use case. /home/sftp is a chroot folder.


    # >>> [sftp]
    none /home/sftp/outgoing/movies aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/movies 0 0
    none /home/sftp/outgoing/music aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/music 0 0
    none /home/sftp/outgoing/tv-series aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/tv-series 0 0
    none /home/sftp/outgoing/test aufs br:/media/2d02dbfc-9995-4ddd-934a-22265ac7f919/multimedia-content-d3/movies 0 0
    # <<< [sftp]

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

    Edited once, last by gderf ()

  • I'll have to load up the aufs plugin in my Dev OMV and test it out, however two points come to mind:


    1) yes, the plugin prevents you from locking disks that are in use, e.g. have mounted filesystems. Even if you could press that button for a mounted device though, it wouldn't work as the system/kernel itself would complain that the encrypted device was in use. So, yes, you have to unmount filesystems before you can lock (and in turn, OMV may make you remove shared folders etc, before you can unmount).


    2) I don't think you need aufs for your use case. You don't appear to be making a union of multiple filesystems, it looks like you're just doing an additional mount of the fs inside the chroot so that ftp users can access it. You don't need aufs for this, you may be able to do it with symlinks (though they might not work in the chroot), or a bind mount, or maybe even just another normal mount.

  • Well, I didn't show all of the aufs mountpoints. I need to mount multiple folders on multiple drives to a single mountpoint. Here is the full one I should have posted, all on one line, but split here:


    none /home/sftp/outgoing/movies aufs br:/media/41991950-4d12-4475-86b8-ba54ec09323b/multimedia-content-d1/movies:/media/a6e6252d-5a8f-4e9b-88b3-46bef35b01a0/multimedia-content-d2/movies 0 0


    The above mounts two folders on two separate drives to a single folder. This will grow over time as I add drives.


  • Ah, yes, that does need aufs then.
    I also don't think aufs is going to work in the OMV like a normal filesystem then.


    Does the aufs fs fail to mount if the devices aren't unlocked? Or does it mount but is empty? In which case, perhaps the udba=reval or udba=notify mount options might help? So that when the underlying branches are unlocked, the data appears in the union. You might be able to do this with symlinks too, using them as the bridges in the aufs union so that it will mount (but be empty) when the devices are locked.
    Anyway, this is getting more into aufs than LUKS!

  • Obviously I am misusing aufs, except in the one case (so far) where I really do need it. But that need will grow over time as I add disks, and I am doing that now - I just want to move to encrypted disks as I add them.


    The folder where the encrypted disk is mounted to is empty until the disk is unlocked, mounted, and since I hung it off an aufs mountpoint, 'mount -a' was run. Obviously a major kludge :) But eventually I would hang that disk off the same aufs mountpoint that the other two are on now - once I am sure LUKS is for me.


    I'll look into your suggestions about udba=reval or udba=notify mount options. And I'll discontinue aufs conversations here :)


    One thing I just noticed is that when I unlock that disk, it no longer automounts. Or was I imagining that it did earlier? I rebooted and tried again, but it still shows as unmounted in the File Systems panel after unlocking. I can try deleting the disk and recreating it as there is nothing but unimportant test data in it anyway.


    Could you consider another suggestion? When I am done typing the passphrase in to unlock a disk, it would be helpful if hitting the 'Enter' key with the cursor at the end of the passphrase could do the same thing as pressing the Unlock button with the mouse.


    Thanks again for your time, and the plugin!


  • Start another aufs thread, happy to help if I can.


    It should automount if it was previously mounted in the Filesystems panel, however, if you use the Filesystems panel to unmount it, that also removes it from the config and fstab, so automounting won't work. Test by unmounting from the console or rebooting, not by clicking unmount in the WebGUI.


    Yes, I couldn't figure out how to make return work like clicking the button - it annoys me too! But the OMV login window does it, so I must be able to do it somehow, there must be something I am missing.

  • I hope this is the right place to report potential bugs. If not, let me know and move the post accordingly.


    I have added additional passphrases to a disk and I am trying to use the Keys | Test function. It tells me this for every passphrase I test. All the passphrases will actually unlock the disk:


    Error: The passphrase did not unlock any key slot on the device


    Show Details gives:


    Error #6000:
    exception 'OMVException' with message 'The passphrase did not unlock any key slot on the device' in /usr/share/openmediavault/engined/rpc/luks.inc:652
    Stack trace:
    #0 [internal function]: OMVRpcServiceLuksMgmt->testContainerPassphrase(Array, Array)
    #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array)
    #2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('testContainerPa...', Array, Array)
    #3 /usr/sbin/omv-engined(500): OMVRpc::exec('LuksMgmt', 'testContainerPa...', Array, Array, 1)
    #4 {main}

    Edited once, last by gderf ()

  • Totally the right place for bugs and just what I want to hear (well, other than it working perfectly of course!).
    That does sound strange. Can you supply some more info: What version of the plugin? What version of cryptsetup (if poss)? And does the passphrase unlock from both the WebGUI and command line (with cryptsetup)?

  • Plugin version: openmediavault-luksencryption_1.3.2_all.deb
    Cryptsetup version: 2:1.4.3-4


    All the passphrases will unlock the disk from the WebGUI. I didn't try from the command line - can you provide the syntax? I tried the man page but was overwhelmed!


  • That command throws an unknown option error:


    root@omv:~# cryptsetup -v --test-passphrase /dev/sdd


    Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
    [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes]
    [--new-keyfile-offset=bytes] [-S|--key-slot=INT] [-b|--size=SECTORS] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-i|--iter-time=msecs] [-q|--batch-mode]
    [-t|--timeout=secs] [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING]
    [--allow-discards] [--header=STRING] [OPTION...] <action> <action-specific>]
    --test-passphrase: unknown option


    root@omv:~#


  • Yes, this is my fault for not testing properly - --test-passphrase was apparently not added to cryptsetup until v1.5.0 (and I was using v1.6.something from backports). I am adding a workaround for cryptsetup 1.4.3 in the next version and will push it out shortly.

  • I am running the backports kernel here, should I try to track down and install a later cryptsetup anyway?


    apt-cache policy cryptsetup mentions 1.6.4-4~bpo70+1


    Also, don't forget to change that control file to allow install on OMV 2.1.18 ;)


    Thanks for your time.


  • Installed/upgraded from backports, test now works from the GUI, consider it solved. Thanks!


    Edit:


    But fails (differently now) from the command line:


    root@omv:~# cryptsetup -v --test-passphrase /dev/sdd
    Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose] [--debug] [-c|--cipher=STRING] [-h|--hash=STRING] [-y|--verify-passphrase] [-d|--key-file=STRING]
    [--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS] [-l|--keyfile-size=bytes] [--keyfile-offset=bytes] [--new-keyfile-size=bytes]
    [--new-keyfile-offset=bytes] [-S|--key-slot=INT] [-b|--size=SECTORS] [-o|--offset=SECTORS] [-p|--skip=SECTORS] [-r|--readonly] [-i|--iter-time=msecs] [-q|--batch-mode]
    [-t|--timeout=secs] [-T|--tries=INT] [--align-payload=SECTORS] [--header-backup-file=STRING] [--use-random] [--use-urandom] [--shared] [--uuid=STRING]
    [--allow-discards] [--header=STRING] [--test-passphrase] [--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [-M|--type=STRING] [--force-password]
    [OPTION...] <action> <action-specific>
    cryptsetup: Unknown action.


    Edit 2:


    This works (added open action keyword)


    root@omv:~# cryptsetup -v open --test-passphrase /dev/sdd
    Enter passphrase for /dev/sdd:
    Key slot 1 unlocked.
    Command successful.
    root@omv:~#

    Edited once, last by gderf ()

  • Grabbed the upgrade, but was already fixed with the backported cryptsetup stuff. Thanks.


  • v1.4.0 is now available. Changes:

    • Add submit on enter key and focus initial field functionality to most window forms.
    • Open device read only when testing passphrase with cryptsetup <1.5.0.
    • Fix for auto-mounting with multi-device BTRFS filesystems - wait until all devices are available.
    • Updated locales.
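    As an added example, not code from the plugin or from anyone in this thread: a small POSIX sh helper that chooses the passphrase-test method the way the v1.4.0 changelog and the earlier posts describe, using `cryptsetup open --test-passphrase` on cryptsetup 1.5.0 or newer and a read-only open followed by a close on older releases such as the 1.4.3 shipped with OMV. It assumes root, cryptsetup in PATH, and a LUKS device path as its only argument; the mapping name `luks-test-$$` is a constructed placeholder.

    ```shell
    #!/bin/sh
    # Added example: test a LUKS passphrase without leaving the device mapped.

    # Strip a Debian epoch and revision: "2:1.4.3-4" -> "1.4.3".
    upstream_version() {
        v=${1#*:}
        v=${v%%-*}
        printf '%s\n' "$v"
    }

    # Return 0 when dotted version $1 >= $2, comparing field by field.
    version_ge() {
        awk -v a="$1" -v b="$2" 'BEGIN {
            na = split(a, x, "."); nb = split(b, y, ".")
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                ai = (i <= na) ? x[i] + 0 : 0
                bi = (i <= nb) ? y[i] + 0 : 0
                if (ai > bi) exit 0
                if (ai < bi) exit 1
            }
            exit 0
        }'
    }

    # --test-passphrase exists from cryptsetup 1.5.0; older builds need a
    # real open, done read-only so nothing on the disk can be touched.
    test_method() {
        if version_ge "$1" 1.5.0; then echo test-passphrase; else echo readonly-open; fi
    }

    # Prompt for the passphrase and report whether it unlocks any key slot.
    luks_check_passphrase() {
        dev=$1
        ver=$(upstream_version "$(cryptsetup --version | awk '{print $2}')")
        if [ "$(test_method "$ver")" = test-passphrase ]; then
            cryptsetup open --test-passphrase "$dev"
        else
            name="luks-test-$$"   # placeholder mapping name, closed right after
            cryptsetup luksOpen --readonly "$dev" "$name" && cryptsetup luksClose "$name"
        fi
    }

    if [ "$#" -gt 0 ]; then
        luks_check_passphrase "$1"
    fi
    ```

    Run as `sh luks-check.sh /dev/sdd`; a zero exit status means a key slot accepted the passphrase, matching the "Key slot 1 unlocked" output shown above.
    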
  • v1.4.0 is now available. Changes:

    • Add submit on enter key and focus initial field functionality to most window forms


    Expected behavior:


    Cursor placed in passphrase box when clicking on Unlock, etc.
    With cursor beyond last typed passphrase character, pressing Enter key acts like pressing Unlock button.


    Neither part of this seems to work for me. What am I missing?



  • Expected behavior:


    Cursor placed in passphrase box when clicking on Unlock, etc.
    With cursor beyond last typed passphrase character, pressing Enter key acts like pressing Unlock button.


    Neither part of this seems to work for me. What am I missing?


    I dunno, just tested it in my clean VM, works for me exactly as you describe. Windows 7, Chrome 46, Firefox 38 - what browser are you using?
