Installation of OMV 4.x LUKS with full disk encryption of the root device, unlockable via SSH
As a personal endeavour I wanted to achieve a fully encrypted OMV system.
I had to do the setup several times, as I kept forgetting some trivial steps.
With this write-up I hope to remember, and maybe it is of some value to share, as I was not able to find anything similar on the forums.
The resources on this topic are of course widespread, but each always focuses on some parts only.
are maintained on github
- OMV installed on 1x 128GB SSD
- 4x 4TB with SnapRaid and mergerfs (via OMV extra plugins)
- i5 Ivy Bridge with 16GB to get started (old PC)
- full disk encryption of every device
- unlock via SSH at boot time
- the approach should work with a system already in use, as all data on the drives is preserved
- start from an already running OMV setup
- install and configure dropbear-initramfs so the initramfs offers SSH at boot
- change the SSD disk layout to LUKS encrypted (excluding /boot)
- use a key file on the root device to unlock all data drives (decrypt_derived from the manuals does not work with systemd, because keyscript= is ignored)
- encrypt swap
- with an encrypted root device, use OMV to further set up the data drives
- the OMV encryption plugin is very handy later on, e.g. for backing up the headers, and is fully able to manage the devices
Keep in mind
- maybe use the live CD that comes with OMV and "boot once" instead of a dedicated USB stick
- pre-up ip addr flush dev $IFACE broke my connection after bootup, but it is not necessary
- have a backup key on every LUKS device
- use timeout= in crypttab during setup (data drives)
- the setup should be easily adaptable and scalable
- using docker on top of mergerfs led to various errors running containers
- now the docker files and configs I use are on the SSD, and the data drives with mergerfs hold pure data only
- with the SSD encrypted as well, saving the configs there seems reasonable, although a RAID1 would maybe improve availability
- of course this does not by any means make backups unnecessary
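As an added example (not from the original post, and not OMV's own tooling), the steps above and the crypttab tips from the "Keep in mind" list rendered as a small POSIX shell script for a Debian 9 / OMV 4.x box: it stages the dropbear-initramfs config, the initramfs IP= line, the key file for the data drives, and the crypttab entries (data drives with timeout=, swap keyed from /dev/urandom) into a review directory instead of /etc. The UUIDs, device paths, 192.0.2.x addresses, hostname, port 2222 and the /root/data.key name are placeholders assumed here, not values from the post; the root-only steps (luksAddKey, header backup, update-initramfs, cryptroot-unlock) are listed as comments because they need real devices.

```shell
#!/bin/sh
# Added example (not from the original post): stage the config fragments for a
# Debian 9 / OMV 4.x box with LUKS root unlocked via dropbear-initramfs, data
# drives unlocked by a key file on the root fs, and urandom-keyed swap.
# Everything is written to a staging directory for review; nothing touches
# /etc or a block device. UUIDs, device paths, IP addresses and port 2222 are
# placeholders you must replace.
set -eu

# crypttab entry for a data drive unlocked by a key file on the encrypted root.
# timeout= (seconds) keeps boot from waiting forever on a missing drive while
# the setup is still in flux.
crypttab_data_line() {
  printf '%s UUID=%s %s luks,timeout=%s\n' "$1" "$2" "$3" "${4:-30}"
}

# crypttab entry for swap re-keyed from /dev/urandom on every boot (no
# hibernation support, but nothing from swap survives a reboot).
crypttab_swap_line() {
  printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# /etc/dropbear-initramfs/config: non-default port, no password logins (-s),
# no port forwarding (-j -k), drop idle sessions after 60 s (-I 60).
dropbear_config() {
  printf 'DROPBEAR_OPTIONS="-p %s -s -j -k -I 60"\n' "${1:-2222}"
}

# /etc/initramfs-tools/initramfs.conf IP= line (kernel ip= syntax) so the
# initramfs has an address before the root device is unlocked.
initramfs_ip_line() {
  printf 'IP=%s::%s:%s:%s:%s:off\n' "$1" "$2" "$3" "$4" "$5"
}

# A key file that unlocks every data drive must be readable by root only.
keyfile_mode_ok() {
  [ -n "$(find "$1" -perm 0400)" ]
}

# Write all fragments into $1 for review before copying them into place.
stage_all() {
  dir=$1
  mkdir -p "$dir/dropbear-initramfs"
  # 4 KiB of random key material; becomes /root/data.key on the root fs
  (umask 077; dd if=/dev/urandom of="$dir/data.key" bs=512 count=8 2>/dev/null)
  chmod 0400 "$dir/data.key"
  dropbear_config 2222 > "$dir/dropbear-initramfs/config"
  : > "$dir/dropbear-initramfs/authorized_keys"   # paste your ssh public key here
  initramfs_ip_line 192.0.2.10 192.0.2.1 255.255.255.0 omv eth0 \
    > "$dir/initramfs.conf.fragment"
  {
    crypttab_data_line data1_crypt 11111111-1111-1111-1111-111111111111 /root/data.key 30
    crypttab_data_line data2_crypt 22222222-2222-2222-2222-222222222222 /root/data.key 30
    crypttab_swap_line swap_crypt /dev/disk/by-id/ata-EXAMPLE-part2
  } > "$dir/crypttab.fragment"
  echo "$dir"
}

# Manual steps once the fragments look right (all need root and real devices):
#   cryptsetup luksAddKey /dev/disk/by-uuid/<data-uuid> /root/data.key   # key file slot
#   cryptsetup luksAddKey /dev/disk/by-uuid/<data-uuid>                   # backup passphrase slot
#   cryptsetup luksHeaderBackup /dev/disk/by-uuid/<data-uuid> --header-backup-file /root/data1.hdr
#   update-initramfs -u                                                   # pick up dropbear + IP=
# At boot:  ssh -p 2222 root@192.0.2.10 cryptroot-unlock
if [ "${1:-}" = "stage" ]; then stage_all "${2:-./stage}"; fi
```

Run it as `sh stage.sh stage ./stage`, diff the fragments against your existing /etc/crypttab and dropbear config, and only then copy them over and run update-initramfs. The key file is created under umask 077 and checked for mode 0400 because a world-readable key file on the root filesystem would make the data-drive encryption depend on root-fs encryption alone.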
I do hope those learnings are worth sharing.