Is there a script to unlock several LUKS drives at once and restart docker+mergerfs?

VaryingLegwarmer · Oct 4th 2023

I have several luks encrypted drives that I'm not interested in autodecrypting during boot. I'm fine with having to ssh in and run a script that asks for my passphrase once in order to unlock them all (plus also restart docker and mergerfs pool) whenever the machine needs to be restarted for whatever reason, is there a popular script/way to do this? Even if it's not quite what I need I could modify it. Searched the forum a little bit and didn't find anything quite like that. I found this https://github.com/TheFax/Auto…ster/automount_cryptodisk which isn't exactly what I need but I could modify it to fit me if there's nothing better out there. Just don't want to have to bang my head against the wall debugging a script trying to reinvent the wheel.

VaryingLegwarmer · Oct 5th 2023

So I just got chatgpt to do the groundwork for the script and tweaked it afterwards. It works pretty well, had to add mount -a because otherwise omv was erratic in automounting them after decrypting... it left some unmounted while it did mount others but after I added mount -a it seems to be mounting them as expected. Anyways, is there a way to make sure it picks up and mount the drives right after decrypting in an omv "idiomatic" way? Also wanted to stop docker before mounting but had issue starting it afterwards so any suggestion would be appreciated. Below is the script.

Bash

#!/bin/bash

# Check if the script is run as root (necessary for unlocking, managing systemd services, and mergerfs)
if [ "$EUID" -ne 0 ]; then
  echo "Please run this script as root."
  exit 1
fi

# Stop the Docker systemd service
#systemctl stop docker

# Ask the user for the LUKS password
read -s -p "Enter the LUKS password: " luks_password
echo # Add a new line after password input

# List all devices and attempt to unlock LUKS devices
for device in $(lsblk -o NAME | tail -n +2); do
  if cryptsetup isLuks "/dev/$device" 2>/dev/null; then
    luks_name="${device}-crypt"
    echo "Unlocking /dev/$device as $luks_name..."
    echo "$luks_password" | cryptsetup luksOpen "/dev/$device" "$luks_name"
    if [ $? -eq 0 ]; then
      echo "Successfully unlocked /dev/$device as $luks_name."
    else
      echo "Failed to unlock /dev/$device."
    fi
  fi
done

# Restart the monit systemd service
#systemctl restart monit

# Mount all decrypted drives
mount -a

# Restart the mergerfs mount systemd service
systemctl restart srv-mergerfs-poolname.mount

# Start the Docker systemd service again
systemctl restart docker

echo "All LUKS encrypted drives unlocked, mergerfs pool restarted, and Docker service restarted."

Display More

VaryingLegwarmer · Oct 6th 2023

Got one working that is very consistent. Still open to alternatives but this accomplishes the task I set out to do.

Bash

#!/bin/bash
#
# OpenMediaVault (OMV) LUKS Unlock Helper Script
#
# This script automates the process of unlocking each drive and restarting the Docker service
# and the MergerFS pool(s) via the command line. This script assumes that all encrypted drives accept the same 
# passphrase. If your setup involves multiple passphrases, this script may not be suitable without
# modification.
#
# -----------------------------------------------------------------------

# Check if the script is run as root (necessary for unlocking, managing systemd services, and mergerfs)
if [ "$EUID" -ne 0 ]; then
  echo "Please run this script as the root user or with sudo privileges."
  exit 1
fi

read -s -p "Enter the LUKS passphrase: " luks_passphrase
echo # Add a new line after passphrase input

# Array to hold LUKS devices
luks_devices=()

# List all devices and attempt to unlock LUKS devices
for device in $(lsblk -o NAME | tail -n +2); do
  if cryptsetup isLuks "/dev/$device" 2>/dev/null; then
    luks_name="${device}-crypt"
    echo "Unlocking /dev/$device as $luks_name..."
    echo "$luks_passphrase" | cryptsetup luksOpen "/dev/$device" "$luks_name"
    if [ $? -eq 0 ]; then
      echo "Successfully unlocked /dev/$device as $luks_name."
      luks_devices+=("$luks_name")
    else
      echo "Failed to unlock /dev/$device."
    fi
  fi
done

# Check if all LUKS devices are successfully unlocked
if [ "${#luks_devices[@]}" -eq 0 ]; then
  echo "No LUKS devices unlocked. Exiting."
  exit 1
fi

echo "Mounting all decrypted drives..."
mount -a

echo "Restarting the mergerfs mount systemd service..."
systemctl restart srv-mergerfs-POOLNAME.mount

echo "Retarting the Docker systemd service..."
systemctl restart docker

echo "All LUKS-encrypted drives unlocked, mergerfs pool restarted, and Docker service restarted."

Display More

larachantie · Aug 26th 2024

Thanks for this script. Only needed it for the unlocking of encrypted drives but works perfectly for me and saves skipping through the OMV GUI to unlock two encrypted disks on boot up. Recommended.

chico11mbit · Dec 28th 2024

This script does only mount my first LUKS drive SDF.

There ist a Raid5 with a LUKS MD0. This is not decrypted. What is wrong?

sda linux_raid 1.2 raid5 ........

└─md0 crypto_LUK 2

sdb linux_raid 1.2 raid5 ........

└─md0 crypto_LUK 2

sdc linux_raid 1.2 raid5 ........

└─md0 crypto_LUK 2

sdd linux_raid 1.2 raid5 ........

└─md0 crypto_LUK 2

sdf crypto_LUK 2 SSD ......

VaryingLegwarmer · Dec 31st 2024

chico11mbit you'll have to modify the script for raid drives. I have none with omv but chatgpt suggested this modification. You can try it or play with it and see how it goes and let us know.

Bash

#!/bin/bash
#
# OpenMediaVault (OMV) LUKS Unlock Helper Script for RAID with LUKS
#
# This script automates unlocking LUKS-encrypted drives, assembling RAID arrays,
# and unlocking RAID arrays encrypted with LUKS. It also restarts Docker and MergerFS services.
# Assumes all LUKS devices (including RAID) share the same passphrase.
#
# -----------------------------------------------------------------------

# Check if the script is run as root
if [ "$EUID" -ne 0 ]; then
  echo "Please run this script as the root user or with sudo privileges."
  exit 1
fi

read -s -p "Enter the LUKS passphrase: " luks_passphrase
echo # Add a new line after passphrase input

# Array to hold individual LUKS devices
luks_devices=()

# RAID LUKS device (if applicable)
raid_luks_device=""

# Step 1: Unlock individual LUKS devices
for device in $(lsblk -o NAME | tail -n +2); do
  if cryptsetup isLuks "/dev/$device" 2>/dev/null; then
    luks_name="${device}-crypt"
    echo "Unlocking /dev/$device as $luks_name..."
    echo "$luks_passphrase" | cryptsetup luksOpen "/dev/$device" "$luks_name"
    if [ $? -eq 0 ]; then
      echo "Successfully unlocked /dev/$device as $luks_name."
      luks_devices+=("/dev/mapper/$luks_name")
    else
      echo "Failed to unlock /dev/$device."
    fi
  fi
done

# Check if any LUKS devices were unlocked
if [ "${#luks_devices[@]}" -eq 0 ]; then
  echo "No individual LUKS devices unlocked. Exiting."
  exit 1
fi

# Step 2: Assemble RAID arrays (if any)
echo "Checking for RAID arrays to assemble..."
for device in "${luks_devices[@]}"; do
  mdadm_detail=$(mdadm --examine "$device" 2>/dev/null)
  if [[ $? -eq 0 ]]; then
    raid_array=$(echo "$mdadm_detail" | grep "ARRAY" | awk '{print $2}')
    if [[ -n "$raid_array" ]]; then
      echo "Device $device is part of RAID array $raid_array."
      echo "Assembling RAID array $raid_array..."
      mdadm --assemble "$raid_array"
      if [ $? -eq 0 ]; then
        echo "Successfully assembled $raid_array."
        # Check if the RAID array is LUKS-encrypted
        if cryptsetup isLuks "$raid_array" 2>/dev/null; then
          raid_luks_device="$raid_array"
        fi
      else
        echo "Failed to assemble $raid_array."
      fi
    fi
  fi
done

# Step 3: Unlock the RAID LUKS device (if applicable)
if [[ -n "$raid_luks_device" ]]; then
  echo "Unlocking RAID LUKS device $raid_luks_device..."
  luks_name="raid-crypt"
  echo "$luks_passphrase" | cryptsetup luksOpen "$raid_luks_device" "$luks_name"
  if [ $? -eq 0 ]; then
    echo "Successfully unlocked RAID LUKS device as $luks_name."
  else
    echo "Failed to unlock RAID LUKS device."
    exit 1
  fi
fi

# Step 4: Mount all decrypted drives
echo "Mounting all decrypted drives..."
mount -a

# Step 5: Restart MergerFS and Docker services
echo "Restarting the mergerfs mount systemd service..."
systemctl restart srv-mergerfs-POOLNAME.mount

echo "Restarting the Docker systemd service..."
systemctl restart docker

echo "All LUKS-encrypted drives and RAID arrays unlocked, MergerFS pool restarted, and Docker service restarted."

Display More

bermuda · Apr 27th 2025

Hello everyone,

just wanted to share my own experience about encryption on OMV. Debian has had an native way to do this, which is also pretty easy to implement and it does not require any scripts or restarting of services. For everyone who is interested to implement this I would advise to look into the packages dropbear-initramfs and cryptsetup-initramfs. There are several descriptions already available on the internet in connection with debian and luks.

Once installed there is very little to setup to make it work.

Basically one has to add/or edit their crypttab file under /etc/crypttab and define the mapper / source / key and options for the luks encrypted devices, example (option initramfs is needed if it is not the root-device but some other drive, keygroup1 and keyscript is used for devices with the same passphrase which is cached and reused, so you only have to type it once):

Code

# <target name> <source device>                              <key file>   <options>
crypt-data-1    UUID=72a93932-28e3-442b-9b1b-2afe6ed75796    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-4    UUID=8322791f-ff5b-4300-8f3e-2718ba35b5da    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-2    UUID=01a86874-f8e7-4ace-bfd3-0da677560bbc    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-3    UUID=73db3a2a-5d1e-4630-a961-2ec931ab21e0    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-docker    UUID=d4d9d343-56b0-43eb-9d42-136e7eff772c    keygroup1    luks,keyscript=decrypt_keyctl,initramfs

Secondly, transfer that into /etc/initramfs-tools/conf.d/cryptroot in the appropriate format, example:

Code

# <target name>    ,<source device>                                 ,<key file>   ,<options>
target=crypt-data-1,source=UUID=72a93932-28e3-442b-9b1b-2afe6ed75796,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-4,source=UUID=8322791f-ff5b-4300-8f3e-2718ba35b5da,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-2,source=UUID=01a86874-f8e7-4ace-bfd3-0da677560bbc,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-3,source=UUID=73db3a2a-5d1e-4630-a961-2ec931ab21e0,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-docker,source=UUID=d4d9d343-56b0-43eb-9d42-136e7eff772c,key=keygroup1,luks,keyscript=decrypt_keyctl

Setup dropbear.conf in /etc/dropbear/initramfs/dropbear.conf, also add your client pub-keys to authorized_keys
Setup initramfs.conf in /etc/initramfs-tools/initramfs.conf (using a DHCP with only one network-device doesn't need any config at all, otherwise you will have to at least define the device, if more than one is present)
Update/recreate your initramfs and you are done

Basically with every boot a dropbear-sshd session is started, waiting for the admin to connect to it and to execute cryptroot-unlock thus entering the luks-passphrase and decrypting all previously defined luks-devices. After that the system is booted as usual. This is a very convenient way as it is:

native and clean (works with upgrades)
works also with mdadm arrays, lvm's and any other native disk-setups which are supported in initramfs
does not interfere with physical input via keyboard/display on the host (it's still available)

and only needs the admin to ssh into the OMV host (or via attached a keyboard/display) to put in the passphrase before anything can happen.

eightbit · May 10th 2025

On the plus side, no keys on the host.

On the minus side, it's not automated delocking, it's "just" more convinient manual delocking.

bermuda · May 10th 2025

The reason for encryption is not personal convenience, but security.

So things may be a little bit inconvenient for the sake of higher data security in my opinion. But there is always room for improvement thou.

You are free to chose or develop a **more** convenient approach, if it suits your needs better. Best part of an open community

eightbit · May 10th 2025

Which doesn't change zero regarding my statement.

bermuda · May 10th 2025

You brought convenience as an negative aspect of achieving higher data security. Those two aspects are exclusively opposite to each other. If security is not high valued but convenience, you might be better of not encrypting the drives at all.

Server are usually used 24/7 and run uninterrupted for many weeks. I don't see that much inconvenience in that. All you need is a shell to ssh in and put in the passphrase once in a while.

eightbit · May 10th 2025

Quote from bermuda

You brought convenience as an negative aspect of achieving higher data security.

No, I did not. That's your interpretation. I just mentioned two facts.

Quote from bermuda

Those two aspects are exclusively opposite to each other.

In this absolute statement not true. This is not as black and white as you seem to think.

In the opppsite, the most conviniet security features are the most successful as they really are adapted.

Quote from bermuda

Server are usually used 24/7 and run uninterrupted for many weeks. I don't see that much inconvenience in that. All you need is a shell to ssh in and put in the passphrase once in a while.

That's obv. your setup and your personal view on it. Others might be different.

Btw, just to use your own arguments, isn't it a bit unsecure to keep drives unlocked when not used? Since if someone could get access to the host, he could read out all data without problems. Hint: That's your "key under the doormap" argument.

bermuda · May 10th 2025

People can leave their keys wherever they wish. It just makes everything less secure. So why not just leave the encryption and upload everything into public space? Apparently there is no security at all.

People lock their apartment doors to make it not so convenient for someone to break in and steal their stuff. Apparently they want more security and sort of protection of their belongings. Same goes for data.

As I said, you can **improve** things in an open community.

krachbumm · May 20th 2025

Hi,

fresh omv-user here. Just want to share my experience

I set up my system with Debian 12.11, FDE LUKS and initramfs unlock. Installed OMV7 on top.

Basically the same as bermuda:

Quote from bermuda
Hello everyone,
just wanted to share my own experience about encryption on OMV. Debian has had an native way to do this, which is also pretty easy to implement and it does not require any scripts or restarting of services. For everyone who is interested to implement this I would advise to look into the packages dropbear-initramfs and cryptsetup-initramfs. There are several descriptions already available on the internet in connection with debian and luks.

Once installed there is very little to setup to make it work.

Basically one has to add/or edit their crypttab file under /etc/crypttab and define the mapper / source / key and options for the luks encrypted devices, example (option initramfs is needed if it is not the root-device but some other drive, keygroup1 and keyscript is used for devices with the same passphrase which is cached and reused, so you only have to type it once):
Code
# <target name> <source device>                              <key file>   <options>
crypt-data-1    UUID=72a93932-28e3-442b-9b1b-2afe6ed75796    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-4    UUID=8322791f-ff5b-4300-8f3e-2718ba35b5da    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-2    UUID=01a86874-f8e7-4ace-bfd3-0da677560bbc    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-3    UUID=73db3a2a-5d1e-4630-a961-2ec931ab21e0    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-docker    UUID=d4d9d343-56b0-43eb-9d42-136e7eff772c    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
Secondly, transfer that into /etc/initramfs-tools/conf.d/cryptroot in the appropriate format, example:
Code
# <target name>    ,<source device>                                 ,<key file>   ,<options>
target=crypt-data-1,source=UUID=72a93932-28e3-442b-9b1b-2afe6ed75796,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-4,source=UUID=8322791f-ff5b-4300-8f3e-2718ba35b5da,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-2,source=UUID=01a86874-f8e7-4ace-bfd3-0da677560bbc,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-3,source=UUID=73db3a2a-5d1e-4630-a961-2ec931ab21e0,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-docker,source=UUID=d4d9d343-56b0-43eb-9d42-136e7eff772c,key=keygroup1,luks,keyscript=decrypt_keyctl
Setup dropbear.conf in /etc/dropbear/initramfs/dropbear.conf, also add your client pub-keys to authorized_keys
Setup initramfs.conf in /etc/initramfs-tools/initramfs.conf (using a DHCP with only one network-device doesn't need any config at all, otherwise you will have to at least define the device, if more than one is present)
Update/recreate your initramfs and you are done

Basically with every boot a dropbear-sshd session is started, waiting for the admin to connect to it and to execute cryptroot-unlock thus entering the luks-passphrase and decrypting all previously defined luks-devices. After that the system is booted as usual. This is a very convenient way as it is:
native and clean (works with upgrades)
works also with mdadm arrays, lvm's and any other native disk-setups which are supported in initramfs
does not interfere with physical input via keyboard/display on the host (it's still available)
and only needs the admin to ssh into the OMV host (or via attached a keyboard/display) to put in the passphrase before anything can happen.
Display More

Except I didn't ran /etc/initramfs-tools/conf.d/cryptroot and had big problems with LVM volumes on the encrypted raid. I decided to go with BTRFS without LVM which works wonderful. Otherwise, it works as you described. Very convenient.

Had I found your post sooner, it would have made life a lot easier for me.

VaryingLegwarmer · May 21st 2025

Quote from bermuda
Hello everyone,
just wanted to share my own experience about encryption on OMV. Debian has had an native way to do this, which is also pretty easy to implement and it does not require any scripts or restarting of services. For everyone who is interested to implement this I would advise to look into the packages dropbear-initramfs and cryptsetup-initramfs. There are several descriptions already available on the internet in connection with debian and luks.

Once installed there is very little to setup to make it work.

Basically one has to add/or edit their crypttab file under /etc/crypttab and define the mapper / source / key and options for the luks encrypted devices, example (option initramfs is needed if it is not the root-device but some other drive, keygroup1 and keyscript is used for devices with the same passphrase which is cached and reused, so you only have to type it once):
Code
# <target name> <source device>                              <key file>   <options>
crypt-data-1    UUID=72a93932-28e3-442b-9b1b-2afe6ed75796    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-4    UUID=8322791f-ff5b-4300-8f3e-2718ba35b5da    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-2    UUID=01a86874-f8e7-4ace-bfd3-0da677560bbc    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-data-3    UUID=73db3a2a-5d1e-4630-a961-2ec931ab21e0    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
crypt-docker    UUID=d4d9d343-56b0-43eb-9d42-136e7eff772c    keygroup1    luks,keyscript=decrypt_keyctl,initramfs
Secondly, transfer that into /etc/initramfs-tools/conf.d/cryptroot in the appropriate format, example:
Code
# <target name>    ,<source device>                                 ,<key file>   ,<options>
target=crypt-data-1,source=UUID=72a93932-28e3-442b-9b1b-2afe6ed75796,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-4,source=UUID=8322791f-ff5b-4300-8f3e-2718ba35b5da,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-2,source=UUID=01a86874-f8e7-4ace-bfd3-0da677560bbc,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-data-3,source=UUID=73db3a2a-5d1e-4630-a961-2ec931ab21e0,key=keygroup1,luks,keyscript=decrypt_keyctl
target=crypt-docker,source=UUID=d4d9d343-56b0-43eb-9d42-136e7eff772c,key=keygroup1,luks,keyscript=decrypt_keyctl
Setup dropbear.conf in /etc/dropbear/initramfs/dropbear.conf, also add your client pub-keys to authorized_keys
Setup initramfs.conf in /etc/initramfs-tools/initramfs.conf (using a DHCP with only one network-device doesn't need any config at all, otherwise you will have to at least define the device, if more than one is present)
Update/recreate your initramfs and you are done

Basically with every boot a dropbear-sshd session is started, waiting for the admin to connect to it and to execute cryptroot-unlock thus entering the luks-passphrase and decrypting all previously defined luks-devices. After that the system is booted as usual. This is a very convenient way as it is:
native and clean (works with upgrades)
works also with mdadm arrays, lvm's and any other native disk-setups which are supported in initramfs
does not interfere with physical input via keyboard/display on the host (it's still available)
and only needs the admin to ssh into the OMV host (or via attached a keyboard/display) to put in the passphrase before anything can happen.
Display More

While I knew of the dropbear setup I didn't know of decrypt_keyctl and keygroups, that's pretty neat! I might add this to my setup eventually as well. As it is it wouldn't make it any more convenient than the script (which I'm fine with). I may even integrate keygroups into the script, will explore that with an AI eventually. Thanks!

bermuda · May 21st 2025

Well ... all I did is to apply a working concept to OMV or rather Debian and put the steps I had to take in here for everyone who's also interested in a similar solution.

Glad to see that people actually appreciate that

Is there a script to unlock several LUKS drives at once and restart docker+mergerfs?

ryecoaaron Oct 4th 2023

VaryingLegwarmer Aug 27th 2024

Participate now!

Tags