LUKS disk encryption plugin

  • I just did a quick test of this in a VM, and it looks like the LUKS plugin is currently incompatible with the USB backup plugin; no backup is run when the disk is unlocked.
    There is, however, the potential for them to work - I edited the config for the USB backup plugin, and then it successfully ran when I unlocked the encrypted disk. So, yes, this would still interfere with the process - you could not automatically back up just by plugging in, as the disk would need to be decrypted, but after that step it is possible to have the backup run automatically.


    I have submitted a bug report for this issue here: http://bugtracker.openmediavault.org/view.php?id=1470

  • Hi @igrnt just want to share that I am very happy with this plugin. Over the last week I converted my two 4Tb Reds to LUKS (data drives) and also re-LUKS-ed my external HDD backups. So all the data is on LUKS encrypted devices (except OMV boot disk).


    Made an export of all the headers and put the passwords in KeePass (my password manager). So after a boot, I unlock the data drives and everything is fine. And secure in case of theft (main reason for using your plugin).


    By the way, I use one 1/8 passphrase per HDD, don't think that's less reliable than multiple passphrases, right? (provided that I don't lose them of course). Thanks again for the plugin.


    Ralph

    ASRock H97 Pro4 | 8Gb 1600 | i3 4130T | 3x WD Red 4TB with SnapRAID | Backup to Crashplan & External HDD

  • Great to hear, thanks!


    Only having one passphrase is not necessarily less reliable. I find it useful to have multiple keys when, e.g. using key files, to have a passphrase as a backup/recovery key.

  • May I suggest a UI enhancement for the main view of the plugin. If I have a number of devices, the only reference to them is by /dev/sdx format (1st column). That depends on the physical order of the connected devices to the mb and not on the actual hdd itself.


    Can we have another column with the device's serial number (ie: WD-WCC4E3PVNF54), the same as shown when creating a new device?


    I always pick the wrong passwords from my password manager for the devices when unlocking :)


    Thanks, Ralph

  • Hi,
    I am new to openmediavault (sorry, newbie) and very happy for this plugin.
    Unfortunately I am not able to make it work as I want it to, most likely I am missing something very simple:
    I have two HDDs installed, I cleaned them and afterwards I encrypted both. After that I decrypted them to create a RAID (JBOD), which worked fine. But as soon as I reboot the server and decrypt the drives again, the RAID is gone or not appearing. Since I am not able to create a new RAID with these HDDs I assume that the info is still stored anywhere?
    How do I have to use the plugin so that everything (RAID, Filesystem etc) is still there once the server is restarted?


    Thanks a lot!

  • Yes, encryption on top of raid should work fine and solve your problem, but you should also be able to do raid on top of encryption as you have tried to.
    I suspect it is something to do with detecting raid arrays after unlocking, I will take a look at it (away atm, so not for a bit).

  • Hey guys,


    I am using the Luks plugin on my 8TB disk with OMV 3


    There is an option for a Keyfile which I would like to use to mount the device after boot automatically (I know the developer is working on it atm to give the user an option)


    Is it possible to make this automatic from the command line or with a script?


    I would store the keyfile on a device locally in my LAN, which I could access with ftp, ssh or webdav.


    Thanks :)

    OMV 3.x - Plex Media Server - Auto Shutdown - LUKS Disk Encryption


    Intel Core i3 4130 @ 3,4 Ghz, 12GB RAM, 3x WD RED 3TB in RAID5 fully encrypted


  • Look up 'crypttab' - you would put the disk and path to keyfile in here for automatic unlock at boot. That is for the keyfile on a local filesystem, to retrieve it from a connected machine, you would need to do some investigation - I don't know if the network is up by then on the boot sequence. If it is, you can write keyscripts here to fetch the keyfile and pass it to cryptsetup.
    It's unlikely I will implement this kind of thing in the plugin.

  • Quote from KingB: "Hey guys,


    I am using the Luks plugin on my 8TB disk with OMV 3


    There is an option for a Keyfile which I would like to use to mount the device after boot automatically (I know the developer is working on it atm to give the user an…


    Thanks for the answer :)


    I tried to implement that kind of unlock system on my ubuntu server...but now I switched to OMV because I now have my odroid c2 for my owncloud with ubuntu.
    But I failed because of the network type.. I want to have that in case things get stolen, so it should not unlock itself as soon as it is out of the network.


    The odroid is hidden well, so no problems with that.


    The problem was to fetch the key from a different location, I failed with a script...
    I tried to fetch the keyfile and save it, unlock the disk and mount it and then delete the key file...so no unlock if out of network or the device is offline.


    It would be amazing if you are able to implement that :)


    Send me a pm if you need a tester!


  • I see some requests for an automatic unlock.
    @igrnt would you please not touch the current manual unlocking mechanism? I like it to be manual. The server is seldom rebooted. So my suggestion would be that if you happen to work on an automatic unlock, make it very optional....


    Thanks, Ralph


    • Official post

    I'm sure he would make an automatic unlock optional. To me, automatic unlock is a bad idea unless it is getting the key file from a different box/location. If someone steals the box, they have everything. A box with automatic unlock only protects your info if a drive fails.

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!
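The crypttab reply and the theft concern above can be checked together on a given box. This is an added example, not code from the plugin or from any poster: it classifies crypttab entries by where the key comes from. It assumes the Debian crypttab layout (target, source, key file, options) and Debian's `keyscript=` option; the UUIDs, key paths and the `fetch-key` script name are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify crypttab entries by how the volume gets unlocked.
# Fields per crypttab(5): <target> <source device> <key file> <options>

# Constructed sample; UUIDs, paths and the fetch-key script are placeholders.
sample_crypttab() {
cat <<'EOF'
# <target>  <source>                                   <key file>         <options>
data1       UUID=00000000-0000-0000-0000-000000000001  none               luks
data2       UUID=00000000-0000-0000-0000-000000000002  /root/data2.key    luks
backup      UUID=00000000-0000-0000-0000-000000000003  /mnt/usbkey/b.key  luks
media       UUID=00000000-0000-0000-0000-000000000004  nas-key-id         luks,keyscript=/usr/local/sbin/fetch-key
EOF
}

# Print "<target> <class>" for each entry read from stdin.
#   manual     key field is "none" or "-": a passphrase is typed at unlock
#   keyscript  options carry keyscript=...: key is read from the script's stdout
#   keyfile    key field is a path: whoever holds that file can unlock
classify_crypttab() {
    while read -r target src key opts _; do
        case "$target" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case ",$opts," in
            *,keyscript=*) class=keyscript ;;
            *) case "$key" in
                   none|-|'') class=manual ;;
                   *)         class=keyfile ;;
               esac ;;
        esac
        printf '%s %s\n' "$target" "$class"
    done
}

# Targets that can unlock without a passphrase being typed.
unattended_targets() {
    classify_crypttab | awk '$2 != "manual" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

sample_crypttab | classify_crypttab
```

On a real system, feed it `/etc/crypttab` on stdin; every `keyfile` entry whose path lives on the same machine is the stolen-box case described above.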

  • Yes, of course automatic unlocking at boot with keyfiles will remain optional. I haven't worked on it for a little while, but the goal is to use USB storage, then you could remove the USB stick after booting. It's unlikely I will implement any kind of network key method.

    • Official post

    Were you planning on using the whole usb stick or just a file on it?


    • Official post

    Probably wouldn't be that hard to allow a location to be specified (which could be remotely mounted) then. Not a big deal to me since I don't use it on my OMV box (I do at work though).

