LUKS disk encryption plugin

  • crickyx@helios4:~$ zgrep -iE "xts|aes" /proc/config.gz
    CONFIG_CRYPTO_XTS=y
    CONFIG_CRYPTO_AES=y
    CONFIG_CRYPTO_AES_TI=y
    CONFIG_CRYPTO_AES_ARM=m
    CONFIG_CRYPTO_AES_ARM_BS=m
    CONFIG_CRYPTO_AES_ARM_CE=m
    CONFIG_TEXTSEARCH=y
    CONFIG_TEXTSEARCH_KMP=m
    CONFIG_TEXTSEARCH_BM=m
    CONFIG_TEXTSEARCH_FSM=m

  • The important modules are compiled in (don't need to be loaded). So, this tells me that a reboot shouldn't be needed. Still don't know why a reboot "fixes" it.

    omv 5.5.0 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.3
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Hi there,


    today I tried to install OMV 4.x with the latest


    openmediavault-luksencryption_3.0.5_all.deb


    The installation log inside the browser says:



    Code
    Setting up cryptsetup-bin (2:1.7.3-4) ...
    Processing triggers for man-db (2.7.6.1-2) ...
    Processing triggers for openmediavault (4.1.19-1) ...
    >>> *************** Error ***************
    Invalid RPC response. Please check the syslog for more information.
    <<< *************************************
    Restarting engine daemon ...
    Setting up cryptsetup (2:1.7.3-4) ...

    I am using Armbian_5.75_Bananapipro_Debian_stretch_next_4.19.20 with a blank setup.


    The syslog does not show anything that might be helpful.


    No HDD shows up when trying to setup encryption via the GUI.


    Of course I could use cryptsetup and luksformat myself, but this is something OMV might not like at all and will not get notified of. To get all properly working inside the GUI would be the best.


    In the past this plugin worked great, but due to the installation error I am stuck at the moment.


    If you are in need of more information I would be glad to help.


    Thanks,
    Oliver

  • I am an absolute tech noob, so please excuse my dumb question.
    My question is:
    How can I lock the HDD after formatting and mounting it? I know that when I unmount it, I can lock it again. But is it the only way?


    I would be thankful for your help .

  • Hi, I was going to raise an issue (improvement request) on the LUKS plugin GitHub, but I guess it's better to first discuss it here.


    Some ARM-based boards have a hardware encryption acceleration engine; this is the case for the Helios4 board, based on the Marvell Armada388, which has CESA engines. However, those hardware encryption engines are limited in which ciphers they support. CESA does not accelerate the aes-xts-plain64 cipher, which is the default cipher for LUKS, and actually I don't think there is any SoC out there that can accelerate XTS.


    For users to enjoy the hardware encryption acceleration provided by the CESA engine, they should choose the cipher aes-cbc-essiv:sha256 for their disk encryption.


    Could we imagine an advanced setting where the user can choose the cipher when creating an encrypted device on OMV? Limited to 2 choices:
    - aes-xts-plain64 (default)
    - aes-cbc-essiv:sha256


    I created a dirty patch for people to hard-code the right cipher in your plugin in the case of Helios4. I could try to create the feature described above, but I need to understand how the OMV plugin framework works first :/


    Here is a cryptsetup benchmark run on Helios4, and you can see that users can enjoy a significant boost by choosing the right cipher.





    More benchmark here

  • I need to understand how the OMV plugin framework works first

    The plugin creates the container without any arguments regarding the cipher - https://github.com/OpenMediaVa…e/luks/container.inc#L347. It wouldn't be hard to add one.

    Could we imagine an advanced setting where the user can choose the cipher when creating an encrypted device on OMV? Limited to 2 choices:

    If I add a list of ciphers, I would add all that are supported but a note could mention other things. Are there any boards that support a different cipher? I don't want to make a change just for the helios.


  • If I add a list of ciphers, I would add all that are supported but a note could mention other things. Are there any boards that support a different cipher? I don't want to make a change just for the helios.

    I don't think you need to bother listing all the supported ciphers because the list would be super long, since there are many possible combinations. It's better to limit the choice to the best 2 ciphers which are recommended by most Linux distributions, including cryptsetup itself:
    - aes-xts-plain64
    - aes-cbc-essiv:sha256


    I did a bit of research and most ARM SoCs have a crypto engine:
    - Marvell
    - Rockchip
    - AllWinner
    - Amlogic
    - NXP


    The basic features of their encryption and decryption engine are :
    AES 128/192/256 key mode
    ECB/CBC chain mode
    SHA-1, SHA-256, and MD5 hash func



    Actually, I found that some latest-generation ARM SoC families even support XTS chain mode. But overall I think most ARM SoCs would get better performance by using aes-cbc-essiv:sha256 instead of aes-xts-plain64.


    I would recommend, however, leaving aes-xts-plain64 as the default and letting the user choose the other cipher explicitly if needed. It is up to the board developer to advertise such improvement tweaks ;-)
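
Added example, not part of any post in this thread: a POSIX shell helper that reads `/proc/crypto` and reports which registered driver has the highest priority for `cbc(aes)` and `xts(aes)`, which is the implementation the kernel crypto API prefers for that name. The sample file is constructed and its driver names and priorities are illustrative assumptions, not output captured from a Helios4.

```shell
# Which kernel implementation would serve a given cipher? For each algorithm
# name the crypto API prefers the registered driver with the highest priority.
best_impl() {   # best_impl ALGO [FILE] -> "driver priority", or status 1 if absent
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n"; best = -1 }   # records are blank-line separated
        {
            name = ""; driver = ""; prio = -1
            for (i = 1; i <= NF; i++) {
                p = index($i, ":")
                if (p == 0) continue
                key = substr($i, 1, p - 1); val = substr($i, p + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == "name") name = val
                else if (key == "driver") driver = val
                else if (key == "priority") prio = val + 0
            }
            if (name == want && prio > best) { best = prio; winner = driver }
        }
        END { if (best < 0) exit 1; print winner, best }
    ' "${2:-/proc/crypto}"
}

# Constructed sample in /proc/crypto format (names and priorities are
# illustrative; "hw-cbc-aes" is a hypothetical hardware-engine driver).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
name         : cbc(aes)
driver       : hw-cbc-aes
priority     : 300

name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100

name         : xts(aes)
driver       : xts-aes-neonbs
priority     : 250
EOF

for alg in 'cbc(aes)' 'xts(aes)'; do
    if impl=$(best_impl "$alg" "$SAMPLE"); then
        echo "$alg -> $impl"
    else
        echo "$alg -> not registered"
    fi
done
```

On a live system, call `best_impl` without a file argument to read `/proc/crypto`; algorithms built as modules (`=m` in the kernel config) only appear there once the module is loaded, and `cryptsetup benchmark` remains the way to confirm the actual throughput difference.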

  • I have installed the LUKS encryption plugin. It appears without a problem in the left-hand menu. When I click on Encryption and then the Device dropdown, my device (/dev/sda) does not appear. I can mount it from the command line and see it elsewhere in OMV. I did not see any information in the GitHub reference or in this thread about how to resolve the issue.


    This is on the Armbian N2 release of Debian 9, Linux 4.9.173.


    This is the only issue with OMV. To my knowledge, everything else works as expected.


    Please advise. Thank you.

  • The process is:

    • install the plugin
    • in storage | encryption

      • add a new drive


      • unlock the drive
    • in storage | filesystem

      • create a filesystem


      • mount the filesystem

    So the drive you want to encrypt must not be mounted. Probably you also have to wipe the drive (all data on the drive will be lost).

  • Hi,


    I have just tried to create a LUKS-Encrypted device via the plugin but I seem unable to do so.


    I had a hardware RAID-1 drive (/dev/sdb) mounted and in use. I have removed the shared folders, unmounted and deleted the file system.
    At this point the drive /dev/sdb was unused but still showed up under "Disks".


    I then moved to the "Encryption" tab, after installing the LUKS plug-in however this drive was not showing up at all.
    Can someone let me know what I am doing wrong and how I could get the device encrypted, please?


    Thank you.

  • First check if the filesystem section lets you format the disk. If it shows there, then it should show in the LUKS format section since, if I recall correctly, it uses the same method to enumerate the candidates.
    If it doesn't show, then it probably still has a signature that prevents it from showing there, maybe a partition signature. Don't waste too much time; if you really want to encrypt the device, just drop down to the terminal to format it as LUKS, then it will show in the LUKS panel.

  • Hi @subzero79, thanks for the reply.


    Yes, the device shows up in the File System section and I have actually recreated an EXT4 partition after wiping the existing one.
    I wonder if that could be something to do with Primary vs Logical/Extended partitions but, given the existing one was removed I am kind of tempted to exclude this cause.


    Would you have any suggestion on how to format the device as LUKS and then create a partition from terminal, please?
    Shall I try to follow https://www.cyberciti.biz/hard…-luks-cryptsetup-command/?


    Thank you!

  • Hi,


    This seems like a really great plugin, but I don't know how to use it at all.
    Is this plugin not available for the Raspberry Pi version of OMV? Because that would explain something.


    The plugin is just not showing up under the 'OMV-extras' menu in the web GUI.


    Thanks for the help.

  • Is this plugin not available for the Raspberry Pi version of OMV?

    You don't mention what version of OMV you are using but on OMV 4.x and 5.x, it is available for all systems.


    The plugin is just not showing up under the 'OMV-extras' menu in the web GUI.

    The plugin would show up in the Plugin tab not omv-extras tab. omv-extras is just enabling the repo with the plugin in it so that all omv-extras plugins show up in the Plugins tab. If it is not there, post the output (cut&paste) of the apt clean button in omv-extras.


  • Hi guys.


    Since no one can help a noob but another noob, I do :)


    OMV 4.1.22, slightly wrong sequence:


    1. Install LUKS plugin. If you don't have one in the list of plugins, first install omvextras plugin (manual upload of .deb file and activate the plugin), refresh plugin list and you'll get it expanded.
    2. Go to Disks -> wipe disk (yes, physical device must be pristine - otherwise you won't get it in the list of encryptable devices).
    3. Go to Encryption, select (that wiped disk) and assign passphrase or key file.
    4. Go to File Systems and create one on the same device.
    5. Return to Encryption -> where has my encrypted disk gone??? I want it back, but no devices are available?


    Of course, creating FS on the same device wipes out everything, including encryption headers.
    The right sequence includes unlocking the newly encrypted device (ryecoaaron mentioned this several times across the thread; this might not look so obvious); LUKS then creates another, decrypted device. The file system has to be created on that device, not the original one (OMV offers the correct device reference in the list of available devices for FS creation).


    Right sequence (from step 4)
    4. Unlock the just-encrypted device (select its line in the table and click the Unlock button in the header -> re-enter the passphrase or upload the key). The decrypted device should be populated in the Decrypted Device column.
    5. Go to File Systems and create one on the decrypted device. OMV shows the correct devices for unlocked ones.
    6. Just out of curiosity - return to Encryption -> check that all encrypted devices are intact :)


    In my case I have /dev/sdb (this device is encrypted) as disk itself and /dev/mapper/sdb-crypt as decrypted (which actually contains file system).


    Sorry for the long input, I made at least three laps until I started understanding that monkeyish repetition of the wrong sequence does not enhance the outcome. For some reason I was thinking that a newly encrypted device is already unlocked (since I did not lock it).
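
Added example, not part of any post in this thread: a POSIX shell guard against the wrong sequence described above, where a filesystem is created on the raw encrypted device and overwrites the LUKS header. It checks for the 6-byte LUKS magic at offset 0; the image files are constructed stand-ins for `/dev/sdb` and `/dev/mapper/sdb-crypt`, and the function names are hypothetical.

```shell
# has_luks_header DEV -> 0 if DEV starts with the LUKS magic "LUKS" 0xBA 0xBE
# (used by both LUKS1 and LUKS2 primary headers), 1 otherwise.
has_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# check_mkfs_target DEV -> 0 if a filesystem may be created on DEV, 1 if doing
# so would overwrite a LUKS header (step 4 of the wrong sequence).
check_mkfs_target() {
    if has_luks_header "$1"; then
        echo "refusing $1: LUKS header present; unlock it and use the" \
             "decrypted /dev/mapper device instead" >&2
        return 1
    fi
    echo "ok: $1 has no LUKS header"
}

# Constructed stand-ins for block devices: one image that begins with the
# LUKS magic, and one zero-filled image standing in for a device without it.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
{ printf 'LUKS\272\276'; dd if=/dev/zero bs=506 count=1 2>/dev/null; } > "$WORK/sdb.img"
dd if=/dev/zero of="$WORK/sdb-crypt.img" bs=512 count=1 2>/dev/null

for img in "$WORK/sdb.img" "$WORK/sdb-crypt.img"; do
    check_mkfs_target "$img" || true
done
```

On a real system `cryptsetup isLuks /dev/sdb` performs the same header check, and its exit status can replace `has_luks_header`.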

  • Hi


    How to lock an encrypted HDD?


    I have created an encryption device.
    - unlocked it
    - created a filesystem EXT4
    - mount HDD
    - create a shared folder
    - create a SMB share
    Everything works great!


    What's the best way to lock the device?
    The only way I found:
    - delete the SMB share
    - delete the shared folder
    - unmount the HDD
    and only then I can lock the device...


    Why can't I go to the LUKS plugin and lock the device directly?
