LUKS auto unlock via keyfile from a network device

  • Hi,


    for theft protection I want to lock my data drive with LUKS.
    As my server has a duty cycle of only 1/24 it is only started, when I need access to it.
    Also other persons in my family will start the server.
    So I need an auto-unlock function but I don't want to store the keyfile on the server itself.
    This will be some kind of "two-factor-auth".
    The keyfile can reside on my OpenWRT Router where it can be accessed by wget, cifs, ftp or nfs.


    I searched a couple of hours but didn't find any solution for this common problem. ?(


    Do you have any suggestions?
    Thanks

  • Hi,


    three likes, but unfortunately that doesn't solve the problem.


    Where could I place an "unlock-script"?

    • The network functionalities should be "up"
    • The data-drive should be mounted (this could perhaps also be done manually)
    • The services depending on that drive (smb, MySQL etc.) should not yet be started

    What happens, if the drive is locked when the services are started?
    Will they recover, when the drive is unlocked later?


    Any help appreciated
    Thanks

  • Hi Enra...
    This is the solution I adopted for solving the problem you ask about in your first post.
    I'm not sure this can be a solution for you, but it can be a good starting point.


    Please note that there are several security problems, and whoever uses it should understand the limits of the solution.


    If someone would improve the script or the overall solution... he's welcome!


    Thank you
    TheFax

  • Hi Fax,


    in the meantime I came to a similar solution.
    But I must admit that your script is much more sophisticated than mine. :thumbup:


    Two notes:


    A)
    As my LEDE router redirects to https, I use this wget command to pull and store the keyfile as /run/keyfile:
    wget --no-check-certificate -P /run -t 10 192.168.1.1/keyfile


    B)
    My init-script uses
    # Required-Start: $network


    For the services depending on the data-disc like MySQL I had an
    # Required-Start: $luks-unlock

    in the /etc/init.d/mysql script.


    But that was not sufficient. MySQL did not come up because the disc was not yet ready.
    I tried several start-points but I did not find the right runorder.
    So I "reload" these services in /etc/rc.local with 10s delay:


    sleep 10
    /etc/init.d/mysql start


    Thanks for your work.

  • Thanks for the script, works perfectly. :thumbup:

    Anyhow, the file systems are still not mounted after a reboot, probably because the scheduled task runs after the system tried to mount the decrypted LUKS file systems.

    I added a simple "mount -a" at the end of the script, which mounts all file systems that omv has entered into the fstab. The file system must only be mounted once manually to let omv enter it into the fstab.
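The procedure the posts above describe (fetch the keyfile from the router with wget, open the LUKS device with it, mount the file systems, then start the services that need the disk) as one sysvinit script. This is an added example written for this thread, not TheFax's script and not OpenMediaVault's own code. Every value in it is an assumption: the key URL on the router, the pinned router certificate under /etc/luks-unlock/, the tmpfs path under /run, the device, the mapper name and the list of dependent services. Two details worth noting: the script pins the router's certificate with --ca-certificate instead of using --no-check-certificate, and in LSB init headers a `$` prefix denotes a system facility such as `$network`, so a service that should wait for this script lists `Required-Start: luks-unlock` (the `Provides:` name without `$`); the script also starts its dependents itself after `mount -a`, which sidesteps the run-order problem described earlier in the thread.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          luks-unlock
# Required-Start:    $network $remote_fs
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 6
# Short-Description: unlock the LUKS data disk with a keyfile fetched from the router
### END INIT INFO
# Example init script constructed for this thread; every path, URL and service name below is an assumption.

KEY_URL="${KEY_URL:-https://192.168.1.1/keyfile}"            # where the router serves the key (assumed)
ROUTER_CA="${ROUTER_CA:-/etc/luks-unlock/router-ca.pem}"      # the router's (self-signed) cert, pinned (assumed path)
KEY_TMP="${KEY_TMP:-/run/luks-unlock.key}"                    # /run is tmpfs, so the key never touches the disk
LUKS_DEV="${LUKS_DEV:-/dev/disk/by-uuid/REPLACE-WITH-UUID}"   # the encrypted partition (placeholder)
MAPPER_NAME="${MAPPER_NAME:-datadisk}"                        # becomes /dev/mapper/datadisk
DEPENDENT_SERVICES="${DEPENDENT_SERVICES:-mysql smbd}"        # services that need the disk (assumed)
MIN_KEY_BYTES=32

# A download can "succeed" and still be useless: empty, truncated, or the router's
# HTML login/error page. Refuse anything that does not look like key material.
keyfile_is_sane() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge "$MIN_KEY_BYTES" ] || return 1
    ! head -c 64 "$f" | grep -qi '<html'
}

fetch_keyfile() {
    # Pin the router's CA instead of --no-check-certificate so the key is only accepted from the real router.
    umask 077
    wget -q -t 10 --ca-certificate="$ROUTER_CA" -O "$KEY_TMP" "$KEY_URL" || return 1
    keyfile_is_sane "$KEY_TMP"
}

# Overwrite and delete the downloaded key once cryptsetup has consumed it (or the fetch failed).
wipe_keyfile() {
    f="$1"
    [ -f "$f" ] || return 0
    shred -u "$f" 2>/dev/null || rm -f "$f"
}

unlock_disk() {
    # Idempotent: a second "start" must not fail because the mapping already exists.
    [ -e "/dev/mapper/$MAPPER_NAME" ] && return 0
    cryptsetup open --type luks --key-file "$KEY_TMP" "$LUKS_DEV" "$MAPPER_NAME"
}

do_start() {
    if ! fetch_keyfile; then
        wipe_keyfile "$KEY_TMP"
        echo "luks-unlock: no usable keyfile from $KEY_URL, leaving $LUKS_DEV locked" >&2
        return 1
    fi
    unlock_disk; rc=$?
    wipe_keyfile "$KEY_TMP"
    [ "$rc" -eq 0 ] || return 1
    # The fstab entries for /dev/mapper/$MAPPER_NAME were skipped at boot because the
    # mapping did not exist yet; mount them now, then start the services that need the disk.
    mount -a
    for svc in $DEPENDENT_SERVICES; do
        invoke-rc.d "$svc" start || echo "luks-unlock: $svc did not start" >&2
    done
}

do_stop() {
    for svc in $DEPENDENT_SERVICES; do
        invoke-rc.d "$svc" stop || true
    done
    # Unmount the mapped device, then close it so the key material leaves the kernel.
    umount "/dev/mapper/$MAPPER_NAME" 2>/dev/null || true
    [ -e "/dev/mapper/$MAPPER_NAME" ] && cryptsetup close "$MAPPER_NAME"
    return 0
}

case "${1:-}" in
    start) do_start ;;
    stop)  do_stop ;;
    *)     echo "Usage: $0 {start|stop}" >&2 ;;
esac
```

Install it as /etc/init.d/luks-unlock, run `update-rc.d luks-unlock defaults`, and give each dependent service `Required-Start: luks-unlock` in its header. The script keeps the key in tmpfs only for the few milliseconds between download and `cryptsetup open`, and a failed or implausible download leaves the disk locked rather than starting services against an empty mount point. The limit the thread already acknowledges remains: whoever can reach the router's URL from the LAN can fetch the key, so restricting that URL on the router to the server's address (and keeping the server off the LAN when stolen) is what the "second factor" actually rests on.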
