LUKS keyfile

  • Sorry for my English
    I am upgrading my OMV from version 5 to 6.

    In version 5 I had a disk encrypted with LUKS and used a keyfile to unlock it (manually) every time the computer rebooted. (The keyfile was generated using dd if=/dev/urandom of=keyfile bs=1024 count=4)
    The encrypted disk is for data storage only. The system disk (including /boot) is a separate, unencrypted disk.

    In OMV5 I used the option Storage -> Encryption -> Unlock and there was an option to select the keyfile to decrypt the device. But in OMV6 the Storage -> Encryption -> Unlock doesn't have that option.

    How can I now unlock the device using that keyfile?

  • Via Shell only. Not sure what command the plugin uses. I use udisksctl unlock … --key-file PATH


    You may ask ryecoaaron to bring the feature back.


    By the way saving your keyfile on an unencrypted system disk does not really make sense.

  • I think omv6 does not have a way to choose files from the ui otherwise I bet the option would be there.

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

    • Official post

    Public keys can be uploaded as file

    Did you think I dropped it because I was being lazy? Small text files are possible but not binary files. That is why there is no debian package upload in the plugins anymore. So, I won't be adding a partial implementation. There is nothing stopping you from adding a keyfile from the command line especially if you are going to auto unlock with it anyway.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.6 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Did you think I dropped it because I was being lazy? Small text files are possible but not binary files. That is why there is no debian package upload in the plugins anymore. So, I won't be adding a partial implementation. There is nothing stopping you from adding a keyfile from the command line especially if you are going to auto unlock with it anyway.


    LOL What's going on here? ^^^^


    So just to set the record straight. I simply tried to answer the TO in a meaningful way. Then Zoki said maybe the new UI does not allow uploads in general. I simply stated that there are uploads. I don't use the plugin. I don't know what you did or didn't leave out why and actually I don't even care lol. So I don't know what conflicts are going on in your head, but I certainly have nothing to do with it.



    There is nothing stopping you from adding a keyfile from the command line


    Absolutely. That is exactly what I do. And I actually told TO how I do it so he can do it the same way. Because it is what he asked for. ?(

    • Official post

    Sometimes it’s hard to tell the difference between friendly fire and hostile. :)

    • Official post

    So just to set the record straight. I simply tried to answer the TO in a meaningful way. Then Zoki said maybe the new UI does not allow uploads in general. I simply stated that there are uploads. I don't use the plugin. I don't know what you did or didn't leave out why and actually I don't even care lol. So I don't know what conflicts are going on in your head, but I certainly have nothing to do with it.

    If I didn't port a feature from 5.x to 6.x and you say it is available in core OMV, people start questioning why I didn't. I was just being a smartass (not uncommon for me) when stating my reason for it not being available in 6.x. So, no conflicts. Just trying to get things straight before people start expecting me to add something. Sorry my humor sucks.


    • Official post

    Humor is hard on paper. :) And emojis don’t help much.

    System Backup Typo alert: Under the Linux section the command should be sudo umount /dev/sda1 NOT sudo unmount /dev/sda1

    Backup Data Disk to Backup Disk on Same Machine: In a Scheduled Job:rsync -av --delete /srv/dev-disk-by-uuid-f8814ed9-9a5c-4e1c-8830-426968c20ea3/ /srv/dev-disk-by-uuid-e67439d5-00a3-4942-bd5f-b84ab86aa850/ Don't forget trailing slashes, and BE CAREFUL. (HT: Getting Started with OMV5)

    Equipment - Thinkserver TS140, NanoPi M4 (v.1), Odroid XU4 (Using DietPi): PiHole

  • Via Shell only. Not sure what command the plugin uses. I use udisksctl unlock … --key-file PATH


    You may ask ryecoaaron to bring the feature back.


    By the way saving your keyfile on an unencrypted system disk does not really make sense.

    Thanks for your answer.
    I agree that storing the key on unencrypted system disk does not make sense. My idea is to "manually" unlock the drive on every server reboot (that doesn't happen often) using the OMV GUI (that way the file isn't stored on the server).

  • Small text files are possible but not binary files.

    Thanks for the explanation and thanks for your work on the plugin!

    Knowing that there is no possibility to continue using a keyfile, I will use the passphrase option and everyone is happy... :)

  • Welp, just got caught out by this - passphrase wasn't immediately available so was in a bit of a panic trying to figure out how to unlock my drive after an upgrade. The udisks2 command worked to an extent although OMV didn't pick up the unlocked block device (I can imagine why - wrong name for a start).


    I doubt I'm going to manually copy the keyfile and run this command on every reboot, so I'll also have to move to a passphrase which isn't optimal.


    Academically speaking would there be a way to remotely provide a keyfile (not to be stored ofc), unlock the drive and give OMV a prod to pick up the unlocked drive via the CLI of a remote machine?


    EDIT:


    The following seems to do the trick (OMV seems to realise itself when the device is ready):

    Bash
    cat keyfile | ssh omv-server "cryptsetup luksOpen /dev/name name-crypt --key-file -"


    Found at https://serverfault.com/questi…e-over-the-network-when-u
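
The remote unlock from the last post, wrapped in checks, as an added example that is not part of the original thread: it refuses a keyfile that other users can read, validates the device and mapping name before they reach the remote shell, and skips the open if the mapping already exists. The function names are hypothetical; it assumes GNU stat on the client and an SSH login that is allowed to run cryptsetup on the server, as the command above does.

```sh
#!/bin/sh
# Added example: unlock a LUKS volume on a remote host without storing the keyfile there.

# Device path and mapping name are interpolated into the command line the remote
# shell parses, so accept only plain characters (no spaces, quotes, ';' or '$').
valid_name() { case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac; }
valid_device() {
    case $1 in /dev/?*) ;; *) return 1 ;; esac
    case $1 in *..*|*[!A-Za-z0-9._/-]*) return 1 ;; esac
}
# Host may be "user@host"; a leading '-' would be read by ssh as an option.
valid_host() { case $1 in ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;; esac; }

# The keyfile must be a regular file with no group/other permission bits.
keyfile_private() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, e.g. "600"
    case $mode in *00) return 0 ;; *) return 1 ;; esac
}

# Build the command run on the server: do nothing if the mapping already exists,
# confirm the device carries a LUKS header, then read the key from stdin.
remote_cmd() {
    local dev=$1 name=$2
    valid_device "$dev" && valid_name "$name" || return 1
    printf 'test -e /dev/mapper/%s || { cryptsetup isLuks %s && cryptsetup open --type luks --key-file - %s %s; }' \
        "$name" "$dev" "$dev" "$name"
}

unlock_remote() {
    local host=$1 dev=$2 name=$3 keyfile=$4 cmd
    valid_host "$host" || { echo "rejected host name" >&2; return 1; }
    keyfile_private "$keyfile" || { echo "keyfile missing or readable by others" >&2; return 1; }
    cmd=$(remote_cmd "$dev" "$name") || { echo "rejected device or mapping name" >&2; return 1; }
    # The key travels only through the SSH channel's stdin; it is never written on the server.
    ssh "$host" "$cmd" < "$keyfile"
}

# Run only when called with all four arguments: HOST DEVICE MAPPING KEYFILE
[ "$#" -ne 4 ] || unlock_remote "$@"
```

Keep the keyfile on the client or on removable media; with `--key-file -` cryptsetup uses the whole of stdin as the key, so binary keyfiles such as the dd-generated one pass through unchanged.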
