[Plugin test] openmediavault-luksencryption v2

    • Official post

    The current status of the LUKS encryption plugin originally created by @igrnt has two main problems when running on an omv server:


    1) When the system boots, the disks are not yet decrypted, so the fstab entries fail to mount. Dependent services that use that disk to hold data or configuration, and need that path available when starting, can or will also fail to start. Docker is one of them.


    2) There is no crypttab.


    I decided to modify the plugin to address these two main issues.
    This plugin modification addresses the first issue completely and the second issue partially. The plugin mechanics for the first problem are based on this approach:


    https://blog.iwakd.de/headless-luks-decryption-via-ssh


    This basically covers creating a new default target that will only start the basic necessary services (ssh). Two additional targets are also created. The first one will decrypt the drives, the second one will mount them, to finally reach graphical or multi-user.target.


    What does the plugin do:


    - There is a new tab that holds two panels: a settings panel and a crypttab grid panel
    - The settings panel allows you to:
    1) Enable the before-decrypt.target. This adds noauto to all fstab entries in the internal omv database and also regenerates fstab. This will also disable all /sharedfolders systemd units. All drives (including non-encrypted ones) will no longer be mounted by fstab on boot.
    2) Optional: Select a drive (usb flash drive for example) that will hold all the decryption key files
    - Crypttab grid: You can submit an encrypted drive to /etc/crypttab. There you add the file name of the decryption key if you want automated decryption. It is important here to add all the encrypted drives for unlocking. It is not a full crypttab, as it is not possible to submit all options there.


    After a reboot you will be able to log in via ssh and run the command omv-luks-start to proceed with decryption; after that it will go on to start the services.
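    The target chain from the linked blog approach, as an added example that is not part of the plugin or the original post: a POSIX shell function that writes the units into a directory and a check that each unit orders itself after its predecessor. Unit names, the /bin/mount -a step and the output directory are assumptions, and the crypttab entries are assumed to carry noauto.

```shell
# Added example, not the plugin's own code. Writes the unit chain described
# above (before-decrypt -> luks-decrypt -> luks-mount) into directory $1, with
# one systemd-cryptsetup@ unit per mapper name passed as further arguments.
# Unit names and the mount command are assumptions (real path: /etc/systemd/system).
set -eu
write_units() {
    dir="$1"; shift; mkdir -p "$dir"
    # Crypttab entries must carry noauto, otherwise sysinit already pulls them in at boot.
    unlock_units=""
    for name in "$@"; do unlock_units="$unlock_units systemd-cryptsetup@$name.service"; done
    # 1. Reduced default target: basic system plus sshd, nothing that needs the data disks.
    cat >"$dir/before-decrypt.target" <<EOF
[Unit]
Description=Wait for an operator to unlock the LUKS volumes
Requires=basic.target network-online.target ssh.service
After=basic.target network-online.target ssh.service
EOF
    # 2. Unlock target: starts the generated cryptsetup units (passphrase prompt or key file).
    cat >"$dir/luks-decrypt.target" <<EOF
[Unit]
Description=Unlock LUKS volumes from /etc/crypttab
Requires=before-decrypt.target$unlock_units
After=before-decrypt.target$unlock_units
EOF
    # 3. Mount step: fstab entries carry noauto, so mount them explicitly once unlocked.
    cat >"$dir/luks-mount.service" <<EOF
[Unit]
Description=Mount fstab entries once the LUKS volumes are open
Requires=luks-decrypt.target
After=luks-decrypt.target
[Service]
Type=oneshot
ExecStart=/bin/mount -a
EOF
    cat >"$dir/luks-mount.target" <<EOF
[Unit]
Description=Filesystems on LUKS volumes are mounted
Requires=luks-mount.service
After=luks-mount.service
EOF
}
# Returns 0 when every unit orders itself after its predecessor in the chain.
check_chain() {
    grep -q '^After=.*ssh.service' "$1/before-decrypt.target" &&
    grep -q '^After=before-decrypt.target' "$1/luks-decrypt.target" &&
    grep -q '^After=luks-decrypt.target' "$1/luks-mount.service" &&
    grep -q '^After=luks-mount.service' "$1/luks-mount.target"
}
```

    With the units in place, the operator flow is to start luks-mount.target after logging in over ssh and then isolate multi-user.target.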


    A couple of scenarios for the plugin:


    Drives encrypted with passphrase: ssh login, run omv-luks-start, systemd will prompt for all passwords to unlock, mount and activate all remaining services


    Drives encrypted with keyfiles on a non-encrypted drive: no need to log in with ssh; if the drive is present or the disk is plugged in, it will trigger the decrypt.target, followed by unlocking, mounting and activation of all remaining services. All drives must have a keyfile assigned.


    Drives encrypted with keyfiles on an encrypted disk: ssh login, run omv-luks-start, you will be prompted for the keydisk passphrase; the unlocking of the rest of the encrypted disks should be automatic, including mounting and service start. The key disk will be closed.



    This is not an official omv-extras plugin; it is published here for people who are interested in testing it and giving some feedback about it. Once it is proven to work I might consider doing a PR.


    The source is here


    https://github.com/subzero79/o…cryption/tree/advsettings


    You can download the built package here


    Notes:


    - There are a lot of problems using LUKS, ZFS and omv4 in conjunction. When enabling before-decrypt.target, first make sure the whole system is clean. This means ZFS mounts are correctly mounted, /sharedfolders also, drives decrypted.
    - If you decide to go back to the official version, make sure you empty your browser cache after the downgrade to clean the visual js elements of the plugin.


    Changed 06-03-2017:
    - The device mapper name cannot be left empty submitting elements to the crypttab
    - Get rid of the spinner script
    - Fix clean trap when using keydevice
    - The dropdown combo menu from crypttab now selects devices not in the crypttab database

  • Hi Subzero,


    thank you so, so much for this great enhancement of the encryption plugin. This was exactly what I was looking for over the last months. I really like to have my data partitions encrypted and I used the "regular" plugin for this task. But I always had problems after restarting my NAS getting all the services that rely on the decrypted data partition to work again (especially docker). Normally I needed to perform several service restarts and plugin activating and deactivating.


    With your modifications it now works as it should. After restarting, everything is "on hold" until I decrypt the LUKS partition with your script.


    I only had a few problems that I want to share with you as feedback:
    1. I use a network bond on my NAS. After installing your plugin, the network was not available in the "before-decrypt" stage. I needed to create a dependency for the before-decrypt target that points to "networking.service", to make sure my bond is online.
    2. When running your script "omv-luks-start" everything works, but I get a warning that a dependency for mount-luks failed. This seems to be cosmetic to me, because everything is decrypted.
    3. I needed to implement a delay in the unit file for the docker service, as it seems that docker started too quickly, before everything was mounted, and it was hit and miss whether or not docker was started correctly. A 5 second delay works well for me.


    Just wanted to let you know how happy I am about your contribution.


    Cheers
    Michael

    • Official post

    Thanks for the feedback. Network should be available otherwise this mod would be pointless. I’ll try to replicate in a vm with bond. But I assume it worked because networking gets pulled by ssh, shouldn’t make a difference for bond.


    I use this setup on my own server and use docker, but the docker root folder is not encrypted. Is yours encrypted? I would have to add an extra check for this.


    For the script error, it would help me if you could describe your setup: number of disks, size, raid on top, etc. Did you use a key disk? Or are you prompted for the passphrase for each disk?

  • Hi Subzero,


    thanks for your prompt reply. I didn't want to make additional work for you with my feedback. I think most of my irregularities come from my "special" setup (Bonding etc.).


    First and foremost I am happy with the Plugin and just wanted to let you know.


    For your questions:
    1. SSH pulls in network.service on my system, but that doesn't initialize the bond, so I got no IP at this stage. Only networking initializes the interface configured in /etc/network/interfaces
    2. Yes, my docker is on an encrypted root.
    3. I do have 3 disks with a RAID-5 on top. Each disk is 8TB in size. At this time about 50% of the space is used.
    4. I do not use a disk key. I am prompted for the passphrase one time for the whole RAID.


    Kind Regards
    Michael

  • I have a problem adding an extra key to an encrypted device from the web GUI. I select a device, press "keys>add", enter the current and new passphrases, "add", and no extra keys appear. The GUI reports 1/8 keyslots, just like before. Adding a key from ssh works:



    Would be also nice, if the plugin allowed using the same passphrase for multiple disks out of the box without the need to setup an additional key-disk.

  • What are the chances of your enhancements making it into the official plugin? I think auto-unlocking the encrypted volumes is a really important feature, since most other solutions have this implemented as well!

    • Official post

    Haven’t done anything lately. My opinion? Volker should have this taken into core omv, maybe not my plugin necessarily. LUKS is the standard disk encryption for Linux in the kernel and very well supported by systemd.

  • Indeed, that sounds like the better approach. In the meantime, I've done a bit more research and stumbled upon a wonderful approach: udev rules. :thumbup: I just copy the following to /etc/udev/rules.d/15_unlock_luks_with_file and it all works:



    Code
    # Only look at sdX block devices and their partitions
    KERNEL!="sd[a-z]*", GOTO="end"
    # Skip devices that blkid cannot probe at all
    ACTION=="add", PROGRAM!="/sbin/blkid -p %N", GOTO="end"
    #
    # Open luks partition if necessary
    # Mark LUKS containers and remember the mapper path they will get
    PROGRAM=="/sbin/blkid -o value -p -s TYPE %N", RESULT=="crypto_LUKS", ENV{crypto}="mapper/", ENV{device}="/dev/mapper/%k"
    ENV{crypto}!="?*", ENV{device}="%N"
    # Unlock with the key file when a LUKS device appears, using the kernel name as mapper name
    ACTION=="add", ENV{crypto}=="?*", RUN+="/sbin/cryptsetup luksOpen --key-file=/root/boring.log %N %k"
    ACTION=="add", ENV{crypto}=="?*", TEST!="/dev/mapper/%k", GOTO="end"
    # Close the mapping again when the device is removed
    ACTION=="remove", ENV{crypto}=="?*", RUN+="/sbin/cryptsetup luksClose %k"
    LABEL="end"

    The LUKS key is stored in /root/boring.log for obfuscation. :D

  • I hope that somebody will see this...


    I have been playing around with OMV for a few days and your plugin seems to fit my needs. However, there seem to be a few problems.


    I have "activate before crypt target" enabled and now it does not start as wanted.
    [btw, would it be possible to let the Webclient run before mounting?]


    Now when I ssh to the Server and use

    Code
    omv-luks-start


    I get:

    Code
    root@openmediavault:~# omv-luks-start
    /usr/sbin/omv-luks-start: line 37: /root/bash-spinner/spinner.sh: No such file or directory
    Proceeding to unlock drives
    Unlocking of drives ended, attempting to mount disks and encrypted containers
    Mounting linux filesystems from /etc/fstab
    A dependency job for luks-mount.target failed. See 'journalctl -xe' for details.
    Starting multi-user.target
    root@openmediavault:~#

    which means that I don't get asked for my password and the drives will not be mounted.


    Here is the Output:


    What do I have to do to fix it?



    Then when I want to disable "activate before crypt target", Save it and then try to Apply I get the message:




    Additionally, when the drives are not mounted my snapraid pool shows under File Systems with the same total and used size as the OS drive. Is this a problem? Would I now write to the OS drive if I write into the pool?


    Could somebody help me with that?

  • Sorry for the late reply.


    I thought that you are enumerating the drives in Encryption but it seems you are not.
    I have now placed them in Crypttab and it now works, but throws an error.


    I now get this:


    Here is the journalctl, no idea how much you need:


    btw, is /run/systemd/ask-password/ask.fcjrTI a temporary file or supposed to be a fixed one? Because when I look into that folder there is not a single child in it.

    • Official post

    You need several tools; off the top of my head these should be


    apt-get install debhelper fakeroot git


    Just give it a go with those ones, then


    Bash
    mkdir ~/.src
    cd ~/.src
    git clone https://github.com/subzero79/openmediavault-luksencryption
    cd openmediavault-luksencryption
    git checkout advsettings
    fakeroot debian/rules binary clean


    Should produce a .deb file in the folder above
