LUKS plugin - how to decrypt volume via SSH (OMV 5.6.x)

thebigborg · 21. Februar 2022

Hi,

I'm not an expert in ubuntu etc systems - is there a way to manually decrypt volume encrypted in webgui panel?

I don't want to sign in to webgui each time server restarts to unlock the volume. I just want to run a script that will ask only for password in the terminal, and the volume will get decrypted.

ryecoaaron · 21. Februar 2022

Zitat von thebigborg

I'm not an expert in ubuntu etc systems

OMV is Debian but I get what you are saying.

Zitat von thebigborg

is there a way to manually decrypt volume encrypted in webgui panel?

Yes. sudo cryptsetup luksOpen /dev/mapper/sda-crypt sda althought you may have to change the last part (sda) to match what you used when set it up.

thebigborg · 22. Februar 2022

Cool, thanks, that worked:

sudo cryptsetup luksOpen /dev/sda sda-crypt

And here I have another problem - this decrypted drive is exposed over the network via samba protocol. But when I unlock drive with the ssh command, I can't connect to it.

Access Rights Management:

And then in SMB/CIFS -> "Shares" tab

It works fine when I unlock the drive with webgui...
I assume there are additional instructions I would need to enter..?

ryecoaaron · 22. Februar 2022

Zitat von thebigborg

I assume there are additional instructions I would need to enter..?

The command I gave you just unlocks the LUKS container. The filesystem that is on that container is not automatically mounted but the plugin does that when unlocking. I don't know how many containers you have but the easiest thing to do would be mount -a. But this would give errors if you have other locked LUKS containers. You could also just mount the filesystem. Hard to say without knowing your setup.

thebigborg · 23. Februar 2022

Right now I'm trying to figure out how to easily unlock access to drives from ssh.
Right now I have 5 HDD attached
1 backup

1 encrypted with luks
3 others unencrypted

I'm planning to have 4 disks encrypted.

The backup disk is divided to two folders, all others are fully exposed. All via smb/cifs protocol.

OMV is runnuing on rasp. pi. All works in the local network at home.

I have a script on each window pc that recconects to the network drives when system starts (due to some windows problems with network drives not connecting automatically). I wanted to extend/add another script that will also bring up encrypted drives (with password prompt if needed).

thebigborg · 23. Februar 2022

I just checked 'mount -a' - seems to work and does not throw any errors if container has not been unlocked.

So I have only one problem - how to decrypt all drives with one password prompt (if all drives were enrypted with the same passphrase).
I assume I should create prompt first to get a password as a variable and then somehow pass it to the cryptsetup command in a noninteractive way

ryecoaaron · 23. Februar 2022

Zitat von thebigborg

I assume I should create prompt first to get a password as a variable and then somehow pass it to the cryptsetup command in a noninteractive wa

That works. There are quite a few ways to only prompt for password once (assuming all containers have the same password). I don't use LUKS at home (and no duplicate passwords across LUKS containers at work) and haven't explored them though.

thebigborg · 23. Februar 2022

I think I got it:

Bash

#!/bin/bash

echo "Unlock encrypted NAS drives"
read -sp 'Password: ' passvar
echo ""
encryptedDrives=("/dev/sda sda-crypt" "/dev/sdb sdb-crypt" "...anotherDrive")

for i in ${!encryptedDrives[@]};
do
  drive=${encryptedDrives[$i]}
  echo -n $passvar | cryptsetup luksOpen $drive;
done

mount -a

Alles anzeigen

LUKS plugin - how to decrypt volume via SSH (OMV 5.6.x)

Jetzt mitmachen!

Tags