The current version of the LUKS encryption plugin originally created by @igrnt has two main problems when running on an omv server:
1) When the system boots, the disks are still locked, so the fstab entries fail to mount. Dependent services that keep data or configuration on such a disk and need that path available when they start can or will also fail to start. Docker is one of them.
2) There is no crypttab.
I decided to modify the plugin to address these two main issues.
This plugin modification addresses the first issue completely and the second issue partially. The plugin mechanics for the first problem are based on this approach:
https://blog.iwakd.de/headless-luks-decryption-via-ssh
This basically consists of creating a new default target that only starts the basic necessary services (ssh). Two additional targets are also created: the first one decrypts the drives, the second one mounts them, to finally reach graphical.target or multi-user.target.
What the plugin does:
- There is a new tab that holds two panels: a settings panel and a crypttab grid panel.
- The settings panel allows you to:
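The three boot stages just described, written out as systemd target units. This is an added example, not code from the plugin or from the linked blog post: the names before-decrypt.target and decrypt.target come from the post, while post-decrypt-mount.target, the unit directory argument, the exact dependency wiring and the omv_luks_start wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the plugin or the linked blog post: the three
# boot stages expressed as systemd target units, plus the wrapper the admin
# runs over ssh. before-decrypt.target and decrypt.target are named in the
# post; post-decrypt-mount.target and the unit wiring are assumptions.
set -eu

# Mount point -> systemd mount unit name. Simplified: only slashes are
# translated; real deployments should use `systemd-escape --path`.
mount_unit_name() {
    printf '%s.mount\n' "$(printf '%s' "${1#/}" | tr '/' '-')"
}

# gen_luks_targets <unit_dir> <mapper name>... -- <mount point>...
# Writes the three targets into <unit_dir> (normally /etc/systemd/system).
gen_luks_targets() {
    dir=$1; shift
    mkdir -p "$dir"

    # Stage 1: the new default target (`systemctl set-default
    # before-decrypt.target`). Only the basics and ssh come up so an admin
    # can log in; nothing from fstab is mounted because every entry is noauto.
    cat > "$dir/before-decrypt.target" <<'EOF'
[Unit]
Description=Minimal boot before LUKS decryption (ssh only)
Requires=basic.target
After=basic.target
Wants=network-online.target ssh.service
After=network-online.target ssh.service
AllowIsolate=yes
EOF

    # Stage 2: one systemd-cryptsetup@<name>.service per crypttab entry, so
    # starting decrypt.target unlocks every drive listed in the grid panel.
    {
        printf '[Unit]\nDescription=Unlock all LUKS volumes listed in crypttab\n'
        printf 'Requires=before-decrypt.target\nAfter=before-decrypt.target\n'
        while [ $# -gt 0 ] && [ "$1" != "--" ]; do
            printf 'Wants=systemd-cryptsetup@%s.service\n' "$1"
            printf 'After=systemd-cryptsetup@%s.service\n' "$1"
            shift
        done
        printf 'AllowIsolate=yes\n'
    } > "$dir/decrypt.target"
    if [ "${1:-}" = "--" ]; then shift; fi

    # Stage 3: the noauto mount units are started explicitly now that the
    # mapper devices exist; docker and friends only start after this.
    {
        printf '[Unit]\nDescription=Mount filesystems after LUKS decryption\n'
        printf 'Requires=decrypt.target\nAfter=decrypt.target\n'
        for mp in "$@"; do
            unit=$(mount_unit_name "$mp")
            printf 'Wants=%s\nAfter=%s\n' "$unit" "$unit"
        done
        printf 'AllowIsolate=yes\n'
    } > "$dir/post-decrypt-mount.target"
}

# What omv-luks-start would do after the admin logs in over ssh. systemctl
# prompts for LUKS passphrases on the calling tty by itself, so no extra
# password agent is needed for the passphrase scenario.
omv_luks_start() {
    systemctl start decrypt.target
    systemctl start post-decrypt-mount.target
    systemctl isolate multi-user.target   # remaining services (docker, shares) start here
}
```

Usage: `gen_luks_targets /etc/systemd/system data1 data2 -- /media/data1 /media/data2`, then `systemctl daemon-reload` and `systemctl set-default before-decrypt.target`. The mount units referenced in stage 3 are the ones systemd-fstab-generator creates from the noauto fstab entries, which is why the settings panel has to add noauto first: without it those mounts would be pulled in by local-fs.target before any drive is unlocked.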
1) Enable the before-decrypt.target. This adds noauto to all fstab entries in the internal omv database and regenerates fstab. It also disables all /sharedfolders systemd units. All drives (including non-encrypted ones) will no longer be mounted from fstab on boot.
2) Optional: select a drive (a USB flash drive, for example) that will hold all the decryption key files.
- Crypttab grid: you can submit an encrypted drive to /etc/crypttab. There you add the file name of the decryption key if you want automated decryption. It is important to add all the encrypted drives here for unlocking. It is not a full crypttab, as it is not possible to submit all options there.
After a reboot you will be able to log in via ssh and run the command omv-luks-start to proceed with decryption; after that it continues with starting the services.
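The two things the panels above change, the noauto flag on every fstab entry and the crypttab entries with their key files, are easy to check before enabling before-decrypt.target. Added example, not the plugin's own code: crypttab_entry builds the line the grid submits (rejecting an empty device mapper name), fstab_missing_noauto lists mount points that would still be attempted at boot, and crypttab_without_keyfile lists entries that would prompt for a passphrase. The sample fstab and crypttab contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the plugin: helpers for the two things the
# panels change. crypttab_entry builds the line the grid submits;
# fstab_missing_noauto and crypttab_without_keyfile check the preconditions
# the settings panel relies on. The sample file contents are constructed.
set -eu

# crypttab_entry <mapper name> <device> [keyfile]
# Prints one crypttab line. An empty mapper name is refused because the
# resulting line would be malformed; no keyfile is written as "none", which
# makes systemd prompt for a passphrase at unlock time.
crypttab_entry() {
    name=$1; dev=$2; key=${3:-none}
    if [ -z "$name" ]; then
        echo "crypttab_entry: device mapper name must not be empty" >&2
        return 1
    fi
    printf '%s %s %s luks\n' "$name" "$dev" "$key"
}

# fstab_missing_noauto  (fstab text on stdin)
# Prints the mount point of every data entry whose options lack noauto. The
# root filesystem and swap are skipped: omv does not manage them and root is
# mounted by the initramfs anyway. Any mount point printed here would be
# attempted at boot while its device is still locked.
fstab_missing_noauto() {
    awk 'NF >= 4 && $1 !~ /^#/ && $3 != "swap" && $2 != "/" {
        n = split($4, o, ",")
        ok = 0
        for (i = 1; i <= n; i++) if (o[i] == "noauto") ok = 1
        if (!ok) print $2
    }'
}

# crypttab_without_keyfile  (crypttab text on stdin)
# Prints mapper names that would need a passphrase, i.e. entries that break
# the unattended "keyfiles on a plain USB drive" scenario.
crypttab_without_keyfile() {
    awk 'NF >= 2 && $1 !~ /^#/ && ($3 == "" || $3 == "none" || $3 == "-") { print $1 }'
}

# Constructed sample files, not taken from a real system.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=aaaa-1111 / ext4 errors=remount-ro 0 1
/dev/mapper/data1 /media/data1 ext4 defaults,noauto 0 2
/dev/mapper/data2 /media/data2 xfs defaults 0 2
UUID=bbbb-2222 none swap sw 0 0'

SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
data1 UUID=cccc-3333 /media/keys/data1.key luks
data2 UUID=dddd-4444 none luks'

echo "fstab entries that still mount at boot:"
printf '%s\n' "$SAMPLE_FSTAB" | fstab_missing_noauto          # /media/data2
echo "crypttab entries that will prompt for a passphrase:"
printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_without_keyfile   # data2
crypttab_entry "" /dev/sdc1 || echo "empty mapper name rejected"
```

On a real box replace the constructed samples with `fstab_missing_noauto < /etc/fstab` and `crypttab_without_keyfile < /etc/crypttab`; an empty result from both is the state the keyfile-on-USB scenario needs.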
A couple of scenarios for the plugin:
Drives encrypted with a passphrase: log in via ssh, run omv-luks-start, systemd will prompt for all passwords to unlock, then mount and activate all remaining services.
Drives encrypted with keyfiles on a non-encrypted drive: no need to log in with ssh; if the drive is present or the disk is plugged in, it will trigger decrypt.target, followed by unlocking, mounting and activation of all remaining services. All drives must have a keyfile assigned.
Drives encrypted with keyfiles on an encrypted disk: log in via ssh, run omv-luks-start, you will be prompted for the key disk passphrase; the unlocking of the rest of the encrypted disks should then be automatic, including mounting and service start. The key disk will be closed afterwards.
This is not an official omv-extras plugin; it is published here for people who are interested in testing it and giving some feedback about it. Once it is proven to work I might consider doing a PR.
The source is here
https://github.com/subzero79/o…cryption/tree/advsettings
You can download the built package here
Notes:
- There are a lot of problems using LUKS, ZFS and omv4 in conjunction. When enabling before-decrypt.target, first make sure the whole system is clean. This means ZFS filesystems are correctly mounted, /sharedfolders too, and the drives are decrypted.
- If you decide to go back to the official version, make sure you clear your browser cache after downgrading to remove the plugin's cached JS elements.
Changed 06-03-2017:
- The device mapper name cannot be left empty when submitting entries to the crypttab
- Got rid of the spinner script
- Fixed the clean-up trap when using a key device
- The dropdown combo menu in the crypttab now only offers devices not already in the crypttab database