LUKS disk encryption plugin

  • Hello everyone. I'm having some issues with LUKS plugin in OMV 7 on a Raspberry Pi Zero 2 W.


    This device only has 512 MB of RAM and that prevented opening a LUKS disk neither via OMV web plugin (I would get 504 - Gateway Time-out) nor via command line as the system would halt because of low memory due to using a Argon2i key.


    I was able to solve this issue, according to this SO answer, by adding from another computer, a PBKDF2 key which doesn't use extra memory and now I'm able to unlock the disk using the command line in the RaspberryPi with the S1 switch:


    cryptsetup luksOpen -S 1 /dev/sda name 


    Unfortunately when using the OMV web plugin, it's still not possible to open the disk. I suspect that the plugin is trying to open the disk using the Argon2i key on slot 0 instead of the PBKDF2 on slot 1, and by doing that, it will exhaust all the memory until I'm forced to reboot. Using the command line all is well.

    • Official Post

    Unfortunately when using the OMV web plugin, it's still not possible to open the disk. I suspect that the plugin is trying to open the disk using the Argon2i key on slot 0 instead of the PBKDF2 on slot 1, and by doing that, it will exhaust all the memory until I'm forced to reboot. Using the command line all is well.

    LUKS will open the slot that matches the passphrase you supply. If slot 0 and slot 1 have the same passphrase, then it will most likely open slot 0. You should use different passphrases for different slots anyway. You will still likely have problems since your rpi2w has less ram than required for OMV.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Thank you for replying. Indeed I'm living on the edge with the Rpizero2w as it's below OMV minimum requirements. For example, photoprism on podman is so slow that's impossible to use. However for the bare minimum (smb shares, ssh) it's actually very stable.

    LUKS will open the slot that matches the passphrase you supply. If slot 0 and slot 1 have the same passphrase, then it will most likely open slot 0. You should use different passphrases for different slots anyway. You will still likely have problems since your rpi2w has less ram than required for OMV.

    Unfortunately both slots have indeed different passphares so I suspect OMV is trying the wrong passphrase on slot 0 that, due to low memory, cannot detect that it has failed to open the disk and will continue until all memory is exhausted. Since this LUKS disk is for cold backup storage, I only use it seldomly so for me this is not an issue as I can open via the command line.


    Thank you for the help and support, this community is great tbh.

    • Official Post

    Unfortunately both slots have indeed different passphares so I suspect OMV is trying the wrong passphrase on slot 0 that, due to low memory, cannot detect that it has failed to open the disk and will continue until all memory is exhausted. Since this LUKS disk is for cold backup storage, I only use it seldomly so for me this is not an issue as I can open via the command line.

    OMV/the plugin isn't trying a slot. It is just trying to open the LUKS container with the luksOpen command and the passphrase. It is not specifying a slot to use. cryptsetup will try the passphrase on each slot until if finds one that is correct. If the exhausts all of your ram, that seems like a cryptsetup issue. You could try changing your slot order. Just create a third slot with a new passphrase, delete the first slot, and recreate the first slot.

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • You are indeed correct. Trying to mount the disk on the command-line without specifying the slot will fill all the available memory until it freezes the system. The most funny thing is that cryptsetup will even tell you about it but proceeds anyway:


    Quote

    sudo cryptsetup luksOpen /dev/sda name

    Enter passphrase for /dev/sda:

    Warning: keyslot operation could fail as it requires more than available memory.


    The solution is indeed to recreate the PBKDF2 key on the first slot of the disk.


    Thank you rye for your help, much appreciated!

  • Hi,


    just for the sake of interest i was playing around a little bit with LUKS plugin. But I was not able to finalize the process. What I did


    1. Installed the Plugin

    2. Wiped /dev/sda and /dev/sdb

    3. created 2 new encryptions for sda and sdb.

    4. Unlocked both

    5. created a new File system for both. SDA was called "LUKS encrypted container on /dev/sda" while SDB was called "Device Mapper sdb-crypt"


    What does that mean? Why are they in a different status? Can I format both of them with ext4-filesystem?

  • Hi,


    What I wrote down (to remember):

    Code
    sudo cryptsetup luksOpen /dev/yourdisk my_encrypted_volume
    sudo mkdir tmp
    sudo mount /dev/mapper/my_encrypted_volume tmp

    So the solution is to use cryptsetup tools but you need the password of the encrypted drive.

    • New
    • Official Post

    Why not use the plugin to decrypt?

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • New
    • Official Post

    I meant to permanently remove the encryption from the drive without wiping it

    sudo cryptsetup reencrypt --decrypt /dev/sdX

    omv 7.4.14-1 sandworm | 64 bit | 6.11 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.15 | compose 7.2.16 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!