LUKS + KeyFile + AutoMount? [SOLVED]

  • Hi subzero79,

    Have you been able to implement the instructions from


    https://blog.iwakd.de/headless-luks-decryption-via-ssh


    in omv 5?


    In the decrypt.target file, I am having problems with the line:

    Code
    Requires=systemd-cryptsetup@crypto.service srv.mount start-full-system.service


    The system does not seem to create a systemd-cryptsetup@crypto.service and I can't figure out what to replace srv.mount with.


    Also when I run the command


    Code
    # systemctl status systemd-cryptsetup@crypto.service


    I get:

    Code
    Unit systemd-cryptsetup@crypto.service could not be found.

    It's like omv5 does not read the crypttab.



    I am stuck. Any direction would be appreciated.

  • I followed your instructions on the git page.

    When I went to add a device that was unlocked I got the following error in a GUI popup window:


    Any ideas?


    BTW if this works, do you think the early ssh method mentioned in the original link would work?

  • No, it won’t work.

    The plugin fork did a lot of changes internally.

    The old ssh method relied a lot on systemd. How it was mechanized is documented in a blog post which was mentioned in the fork. You can follow that post and organize the units manually. Or you can use the other ssh method which uses drop bear at initramfs.


    I do not use it since I have omv as virtual machine so I can automate unlock something like `ssh pve qm terminal $vmid`


    I have to check the plugin error, looks like it is missing the db section entry, that should be added at install of the plugin.

  • Thanks subzero79 for mentioning the drop bear method. I think it works perfectly.


    For anyone else who would like to unlock LUKS partitions remotely by ssh using dropbear at boot up, here is what I did.

    * My setup is as such: OMV 5, LUKS+UnionFS+SnapRaid which I set up using https://michaelxander.com/diy-nas/. Be careful not to reboot here if you are using unionfs because the system will panic and drop you to rescue mode because the LUKS drives have not been encrypted. (post 247546)

    * I updated my /etc/crypttab to look like this

    Code: /etc/crypttab
    # <target name> <source device> <key file> <options>
    sdb-crypt /dev/sdb none luks,initramfs
    sdc-crypt /dev/sdc none luks,initramfs
    sdd-crypt /dev/sdd none luks,initramfs

    Just by doing this at the next reboot the system will ask you for the pass phrase for each disk. This is nice in itself.


    Setting up Dropbear

    * I was guided by the instructions on how to set up Dropbear at https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/ and I did this:

    ** apt-get install dropbear-initramfs

    ** I copied my public key from my putty client to /etc/dropbear-initramfs/authorized_keys. You have to do this because Dropbear has disabled password based logins.

    ** Changed the DROPBEAR_OPTIONS line in /etc/dropbear-initramfs/config

    Code: /etc/dropbear-initramfs/config
    DROPBEAR_OPTIONS="-p 2222"

    ** Ran update-initramfs -k all -u


    Results

    When your system reboots it will wait for you to enter the passphrase for each disk. But now you can SSH into the system too.

    I used putty with my private key that is paired with the public key that I added in the step above to port 2222.

    You login as root and are automatically taken to the command prompt.

    Enter bin/cryptroot-unlock and respond with the passphrases for each disk.

    Afterwards you will be logged out and the boot process will proceed as normal.



    #OMV5.x
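A pre-reboot sanity check for the dropbear-initramfs setup described in the post above, written as an added example for this thread (it is not the poster's script and not part of OMV or dropbear-initramfs). It assumes the Debian paths the post uses (/etc/crypttab, /etc/dropbear-initramfs/config, /etc/dropbear-initramfs/authorized_keys), the quoted DROPBEAR_OPTIONS="..." form, and lsinitramfs from initramfs-tools for inspecting the current kernel's initrd in /boot.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script, not part of OMV or
# dropbear-initramfs): sanity-check the dropbear-initramfs setup before rebooting,
# because a missing key or a stale initramfs leaves you at the passphrase prompt
# with no remote login. Each checker takes the file to inspect as an argument.

# Print the crypttab target names whose option list contains "initramfs":
# these are the volumes the initramfs prompts for and cryptroot-unlock handles.
crypttab_initramfs_targets() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "initramfs") { print $1; break }
    }'
}

# Extract the port given by -p in the quoted DROPBEAR_OPTIONS="..." line
# (the form used in the post); print dropbear's default 22 if none is set.
dropbear_port() {
    port=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$1" |
           sed -n 's/.*-p[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    echo "${port:-22}"
}

# Succeed only if the file holds at least one OpenSSH public key line and
# no private key material (a pasted private key would be baked into the initramfs).
authorized_keys_ok() {
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$1" || return 1
    ! grep -q 'PRIVATE KEY' "$1"
}

# Run all checks against the live Debian paths; stop at the first problem.
check_all() {
    targets=$(crypttab_initramfs_targets /etc/crypttab)
    [ -n "$targets" ] || { echo "no /etc/crypttab entry carries the initramfs option"; return 1; }
    echo "initramfs will prompt for:" $targets
    authorized_keys_ok /etc/dropbear-initramfs/authorized_keys ||
        { echo "authorized_keys missing, has no public key, or contains a private key"; return 1; }
    echo "dropbear will listen on port $(dropbear_port /etc/dropbear-initramfs/config)"
    # update-initramfs must have been run after the changes, or dropbear is not in the image
    lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -q dropbear ||
        { echo "dropbear not in the current initramfs; run update-initramfs -k all -u"; return 1; }
}

# Only touch the live system when invoked as: sh check-dropbear.sh --check
if [ "${1:-}" = "--check" ]; then check_all; fi
```

Run it as root with --check right after update-initramfs and before the reboot; any non-zero exit means the remote unlock would not be reachable.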