LUKS disk encryption plugin

  • Hi,


    All my data drives are encrypted using this excellent plugin. My problem is I have to manually restart the NFS service to mount the export after unlocking the drive, otherwise I have nothing in /export, which makes sense.


    Is that normal behavior or should the plugin handle that?
    Is there a way to kind of trigger the service restart right after unlocking the LUKS containers? I'm thinking about a udev rule, or something similar... Do you guys have this problem?


    N.B: I have to do more tests, but I think the problem also exists for the Union Filesystems plugin (my drives are pooled using mergerfs, and the NFS share is on the mergerfs pool)

  • That is expected behaviour - how different services handle the presence or otherwise of paths at startup varies. Samba seems to work okay, for instance.
    I can look into having the plugin reload NFS though (check: does reloading nfs work, or must it be restarted?)

  • Yes, of course automatic unlocking at boot with keyfiles will remain optional. I haven't worked on it for a little while, but the goal is to use USB storage, then you could remove the USB stick after booting. It's unlikely I will implement any kind of…


    Thank you for working on that :-).


    I understand the USB stick thing, but my problem is that I have, for example, my Plex server running. So I stream media from everywhere and most times I am not at home. If any error occurs or power loss, I can't get my server up and running without VPN or I open a port for SSH to the internet.


    That's why I would like a local network solution. I want it in case my server gets stolen, the key is on another device. I think this could be a secure way? Like wget the key through LAN FTP after boot and unlock the device, mount them and then delete the file. Should be the same security as a USB stick, because my small odroid c2, where the key would be stored on, would be hidden well :-).


    I hope you understand what I mean, because I would really like to have an automated unlock method :)

    OMV 3.x - Plex Media Server - Auto Shutdown - LUKS Disk Encryption


    Intel Core i3 4130 @ 3,4 Ghz, 12GB RAM, 3x WD RED 3TB in RAID5 fully encrypted


  • I understand the USB stick thing, but my problem is that I have, for example, my Plex server running. So I stream media from everywhere and most times I am not at home. If any error occurs or power loss, I can't get my server up and running without VPN or I open a port for SSH to the internet.


    That's why I would like a local network solution. I want it in case my server gets stolen, the key is on another device. I think this could be a secure way? Like wget the key through LAN FTP after boot and unlock the device, mount them and then delete the file. Should be the same security as a USB stick, because my small odroid c2, where the key would be stored on, would be hidden well :-).


    I hope you understand what I mean, because I would really like to have an automated unlock method :)


    I understand what you mean, but since it is not something I would use myself, it is not a priority for me to develop network-based unlocking. I am unlikely to do it, but a) never say never, and b) patches/code to implement this are certainly welcome.

  • That is expected behaviour - how different services handle the presence or otherwise of paths at startup varies. Samba seems to work okay, for instance.
    I can look into having the plugin reload NFS though (check: does reloading nfs work, or must it be restarted?)


    The mergerfs part is ok, no need to do anything. And a simple remount on /export/dir does the trick. No need to restart nfs service.

  • You encrypt unformatted block devices. Guess you already have devices formatted and mounted probably?


    Oh my god, LUKS requires an unformatted drive? That's not very nice :( Guess I didn't know enough about encryption, what a pain this will be. Luckily I have enough space to do this but well, thanks; this was the problem.

  • I just created a RAID 5 on top of my 3 encrypted 3TB WD Red drives.


    It all went fine, deleted the disks, encrypted them, created RAID5 storage pool on top of them. The resync took 10 hours.


    I just created the filesystem and it works.


    But then I rebooted, unlocked all 3 disks... but I can't see any RAID in the RAID section and I can't mount the file system :-/. Any help? Like "search for raid again" command line stuff or maybe possible with the GUI?

    EDIT: mdadm --assemble --scan did the trick, sorry for the post

    OMV 3.x - Plex Media Server - Auto Shutdown - LUKS Disk Encryption


    Intel Core i3 4130 @ 3,4 Ghz, 12GB RAM, 3x WD RED 3TB in RAID5 fully encrypted

    Edited once, last by KingB ()

  • I just finished setting this up on my system, all went without a hitch with 2X3TB Hard Drives (not in raid)


    But now I'm wondering since both drives have the same passphrase, if there's any way I could unlock both at once (i.e. enter the passphrase once rather than twice to make my life easier)?


  • The easiest solution to this is probably to do LUKS-on-RAID, rather than RAID-on-LUKS.

  • I just finished setting this up on my system, all went without a hitch with 2X3TB Hard Drives (not in raid)


    But now I'm wondering since both drives have the same passphrase, if there's any way I could unlock both at once (i.e. enter the passphrase once rather than twice to make my life easier)?


    Not via the Web GUI, I'm afraid. Via the command line you could do this using key files. Unless you reboot your system often, you should only have to unlock infrequently, right?


    As an aside, unless you duplicated the header from one drive to the other, they actually have different encryption keys, despite having the same passphrase.
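
The command-line route mentioned above, as an added sketch (not part of the original posts and not the plugin's code): one passphrase prompt unlocks several LUKS devices through cryptsetup's key-file-on-stdin mode, then `mdadm --assemble --scan` from the earlier RAID-on-LUKS post brings up an array built on top of them. The `<device>-crypt` mapper naming and the `CRYPTSETUP`/`MDADM` override variables are assumptions of this sketch.

```shell
#!/bin/sh
# Added sketch: one passphrase prompt, several LUKS devices, then RAID assembly.
# Assumptions: mapper names are "<device basename>-crypt"; CRYPTSETUP and MDADM
# are override hooks of this sketch, not options of the plugin.
# Usage: source this file as root, then call unlock_and_assemble with devices.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}
MDADM=${MDADM:-mdadm}

# /dev/sdb -> sdb-crypt
mapper_name() {
    printf '%s-crypt\n' "$(basename "$1")"
}

# Open every device in "$@" with $PASSPHRASE; return how many failed.
# Each device has its own master key, so each needs its own "open" call even
# when the passphrase is identical.
unlock_all() {
    failed=0
    for dev in "$@"; do
        name=$(mapper_name "$dev")
        [ -e "/dev/mapper/$name" ] && continue        # already unlocked
        if ! "$CRYPTSETUP" isLuks "$dev"; then
            echo "skipping $dev: no LUKS header" >&2
            failed=$((failed + 1))
            continue
        fi
        # printf is a builtin in bash and dash, so the passphrase is not
        # exposed as a process argument. --key-file=- reads stdin up to EOF,
        # hence no trailing newline is sent.
        printf '%s' "$PASSPHRASE" |
            "$CRYPTSETUP" open --type luks --key-file=- "$dev" "$name" ||
            failed=$((failed + 1))
    done
    return "$failed"
}

# Interactive entry point: unlock_and_assemble /dev/sdb /dev/sdc /dev/sdd
unlock_and_assemble() {
    printf 'LUKS passphrase: ' >&2
    stty -echo; IFS= read -r PASSPHRASE; stty echo; echo >&2
    unlock_all "$@"; rc=$?
    unset PASSPHRASE
    [ "$rc" -eq 0 ] || { echo "$rc device(s) not unlocked" >&2; return 1; }
    "$MDADM" --assemble --scan    # the step run by hand after reboot above
}
```

The passphrase lives only in a shell variable for the duration of the call and is never written to disk, unlike a key file stored next to the encrypted drives.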

  • Quote from rabcor: "@igrnt Perhaps a function could be implemented in the plugin to, for example, select and unlock more than one drive at once, trying the same passphrase for all selected drives?


    Please open an issue for this feature request here: https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-luksencryption/issues…


    This would be a nice feature!


    What about support for Openmediavault 3.0.22? Could you do that? Because I can't set it up with 3.0.13 anymore because the other plugins install 3.0.22 somehow. And I need your plugin to unlock the disks of my RAID :D


    I hope you can do that sometime :)

    OMV 3.x - Plex Media Server - Auto Shutdown - LUKS Disk Encryption


    Intel Core i3 4130 @ 3,4 Ghz, 12GB RAM, 3x WD RED 3TB in RAID5 fully encrypted

  • What about support for Openmediavault 3.0.22? Could you do that? Because I can't set it up with 3.0.13 anymore because the other plugins install 3.0.22 somehow. And I need your plugin to unlock the disks of my RAID


    I hope you can do that sometime


    I plan to update the plugin when OMV 3 reaches beta/feature-stable status, which means currently that it doesn't work with the new datamodels introduced around 3.0.13-15. I haven't had time so far to look at that so I have no idea about it.
