First of all: This is an example, not a guide. I cannot guarantee that what worked for me in my specific setup will work for anybody else. I might not be able to help if problems occur for anyone trying to copy what I did.
However, this might be useful to people who are looking for ways to achieve the same thing I did. Still, if you don't understand every step of what I did: Don't do it.
I like to have all my data stored on encrypted drives. I do that for my computer and for the drives I have been using to back up my computer. Naturally, I also encrypted my storage drives in OMV via the openmediavault-luksencryption plugin.
Two things bothered me about that setup:
1. After a reboot, services that are on or refer to an encrypted drive (for me: fail2ban, docker, mergerfs, ...) were not running and I had to manually put in the passphrase for each drive and then restart every service.
Also, after each reboot I received about 30 e-mails from OMV telling me that my filesystems did not exist, that mountpoints had failed, etc. After unlocking the encrypted drives I received several more e-mails saying that mounting the filesystems had succeeded, etc.
So, after each reboot or boot, I had to do a few adjustments before things worked and then delete a lot of useless e-mails.
2. My root drive was not encrypted. While many might argue that this is not necessary, I like the thought that, when I power down my computers, no one can access anything. Also, this way I don't have to care about what information might be stored by which program in which place. If my drive fails and I throw it away, I don't have to worry that there might be readable information on it that I don't want in somebody else's hands, etc. Everything is encrypted. Zero trust. Nice.
I came across this guide, but it seems outdated. My method is similar, but one doesn't have to copy or rsync the root drive, and the final encryption can be done while the server is up and running.
I ended up with a fully encrypted system, where I enter one passphrase once during the boot process and get a fully working system without getting 30 useless e-mails.
It might be noteworthy that my installation was on a 256 GB SSD with lots of free space.
Here is what I did:
0. Back up everything!!
1. We need an encrypted swap. Encrypting everything but leaving swap unencrypted doesn't make sense in my opinion, since the encryption keys or anything else might be stored in swap temporarily. The cryptsetup readme has a good guide for this:
a. Find out the current swap partition by using lsblk, or by looking in the fstab (cat /etc/fstab). If a swapfile is used, there is no need to change anything, since it won't be accessible without unlocking the root drive anyway.
b. Deactivate our current swap: sudo swapoff -a
c. Add an entry to /etc/crypttab for our swap device:
# <target name> <source device> <key file> <options>
cswap1 <swapdevice, eg. PARTUUID=xxx> /dev/urandom plain,cipher=aes-xts-plain64,size=256,swap
<swapdevice> needs to be replaced by the correct device. Using something like /dev/sda5 is not safe, because device names like that are not guaranteed to be stable across reboots. It is possible to use labels or UUIDs after following this guide; otherwise they will also change after rebooting, because the partition is overwritten with a fresh random key on every boot.
I just use the PARTUUID I looked up via sudo blkid. (If the partition is to be repurposed later on without repartitioning first, remember to remove that line from crypttab; otherwise the partition will continue to be overwritten on each boot.)
Other options include using /dev/disk/by-id/xxx-part-x. All persistent device names for the partition can be listed via find -L /dev/disk -samefile /dev/<swapdevice>.
If the swap partition is on an SSD, it is possible to add discard to the options so that TRIM works (although this weakens the encryption somewhat, since discards reveal which blocks are unused; this probably matters more for normal partitions than for swap):
# <target name> <source device> <key file> <options>
cswap1 <swapdevice, eg. PARTUUID=xxx> /dev/urandom plain,cipher=aes-xts-plain64,size=256,swap,discard
d. Change the swap entry in /etc/fstab to point to the encrypted device:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap1 none swap sw 0 0
e. Create and start the encrypted swap device:
f. Make sure resume/suspend to disk is disabled:
g. Done. Swap is encrypted.
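Before rebooting after step 1, a few checks save a trip to the console. The script below is an added example and not part of the original post; it assumes the target name cswap1 from the crypttab entry above, the usual /etc/crypttab and /etc/fstab locations, and that the resume setting from step f lives as RESUME=... under /etc/initramfs-tools/conf.d. Every function takes an optional file path so it can be run against copies.

```shell
# Pre-reboot sanity check for the encrypted-swap setup above. Added example,
# not from the original post; it assumes the Debian file layout the post uses
# (/etc/crypttab, /etc/fstab, /etc/initramfs-tools/conf.d/*). Each function
# takes a file path as its last argument so it can also be run against copies.

# 0: crypttab entry for TARGET uses a persistent source (PARTUUID=, UUID=,
# LABEL=, PARTLABEL= or /dev/disk/by-*); 1: it uses a bare /dev/sdX-style
# name that may change between boots; 2: no entry found.
check_crypttab_source() {
  target="$1"; crypttab="${2:-/etc/crypttab}"
  src=$(awk -v t="$target" '$1 !~ /^#/ && $1 == t { print $2; exit }' "$crypttab")
  [ -n "$src" ] || return 2
  case "$src" in
    PARTUUID=*|UUID=*|LABEL=*|PARTLABEL=*|/dev/disk/by-*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0: TARGET is keyed from /dev/urandom and carries the "swap" option, so the
# partition is re-formatted as swap under a fresh key at every boot; else 1.
check_crypttab_swap_opts() {
  target="$1"; crypttab="${2:-/etc/crypttab}"
  awk -v t="$target" '
    $1 !~ /^#/ && $1 == t && $3 == "/dev/urandom" {
      n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "swap") found = 1
    }
    END { exit found ? 0 : 1 }' "$crypttab"
}

# 0: fstab has a swap line for /dev/mapper/TARGET (not the raw partition); else 1.
check_fstab_swap() {
  target="$1"; fstab="${2:-/etc/fstab}"
  awk -v dev="/dev/mapper/$target" '
    $1 !~ /^#/ && $1 == dev && $3 == "swap" { found = 1 }
    END { exit found ? 0 : 1 }' "$fstab"
}

# 0: no RESUME= setting other than RESUME=none in the initramfs conf.d
# directory, so hibernation cannot try to read the random-keyed swap; else 1.
check_resume_disabled() {
  dir="${1:-/etc/initramfs-tools/conf.d}"
  [ -d "$dir" ] || return 0
  ! grep -hs '^RESUME=' "$dir"/* | grep -qv '^RESUME=none$'
}
```

After step g, running check_crypttab_source cswap1 && check_crypttab_swap_opts cswap1 && check_fstab_swap cswap1 && check_resume_disabled against the live files should succeed silently; a non-zero exit points at the step to revisit.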
2. Set up Dropbear to be able to connect via ssh during the boot process.
a. Install dropbear-initramfs: sudo apt install dropbear-initramfs
b. Edit /etc/dropbear/initramfs/dropbear.conf to contain the following:
(this closes the connection after 180 seconds of no activity, disables port forwarding, sets dropbear's ssh port to 33333, disables password login and restricts the ssh connection to executing cryptroot-unlock.)
c. Copy our ssh public key to /etc/dropbear/initramfs/authorized_keys. We can generate a new pair and insert the public key there, or copy the key we might already be using from the ~/.ssh/authorized_keys file in our user's home folder on omv.
I am using Ubuntu on my desktop computer, and the public key for openmediavault is already stored in my home folder so I just copied that one:
user@Desktop:~$ scp ~/.ssh/id_ed25519.pub 192.xxx.xxx.xx:~/key.pub
user@Desktop:~$ ssh 192.xxx.xxx.xx
user@omv:~$ sudo -s
root@omv:/home/user# cat key.pub >> /etc/dropbear/initramfs/authorized_keys
d. My router is configured to always assign a specific IP address to my server via DHCP. If that is not the case, we need to specify the IP in /etc/initramfs-tools/initramfs.conf by adding
Even if this is not necessary because DHCP is set up, I recommend additionally setting a static IP on the OMV GUI's network interfaces settings page, to avoid any trouble with DHCP after dropbear closes the connection.
e. I have more than one network interface and dropbear always used the one that has no DHCP set up, so I specified which interface to use by defining it in /etc/initramfs-tools/initramfs.conf (by adding DEVICE=eno1).
f. Update the initramfs image: sudo update-initramfs -u
g. Done.
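As an added example (not from the original post), the script below verifies that the dropbear-initramfs setup from steps b and c matches the description in step b. It assumes the Debian layout, where the options are given as DROPBEAR_OPTIONS="..." in /etc/dropbear/initramfs/dropbear.conf and the keys live in /etc/dropbear/initramfs/authorized_keys, and it assumes that the described option line is of the form -I 180 -j -k -p 33333 -s -c cryptroot-unlock (these are dropbear's idle-timeout, no-local-forwarding, no-remote-forwarding, port, no-password-login and forced-command flags).

```shell
# Checks that the dropbear-initramfs configuration matches the hardening
# described in step 2. Added example, not from the original post; it assumes
# the Debian layout the post uses: DROPBEAR_OPTIONS="..." in
# /etc/dropbear/initramfs/dropbear.conf and keys in .../authorized_keys.

# Print the DROPBEAR_OPTIONS value from CONF (last assignment wins), quotes stripped.
dropbear_options() {
  sed -n 's/^[[:space:]]*DROPBEAR_OPTIONS=//p' "${1:-/etc/dropbear/initramfs/dropbear.conf}" \
    | tail -n 1 | tr -d "\"'"
}

# 0 when OPTS carries every flag the post lists: -s (no password login),
# -j and -k (no local/remote port forwarding), -I <idle timeout>, -p <port>
# and "-c cryptroot-unlock" (the only command a client may run); else 1 and
# the first missing flag is printed on stderr.
dropbear_hardened() {
  opts=" $1 "
  for flag in " -s " " -j " " -k " " -I " " -p " " -c cryptroot-unlock "; do
    case "$opts" in
      *"$flag"*) ;;
      *) echo "missing:$flag" >&2; return 1 ;;
    esac
  done
  return 0
}

# Print the port given after -p in OPTS; return 1 if no -p is present.
dropbear_port() {
  set -- $1
  while [ $# -gt 1 ]; do
    if [ "$1" = "-p" ]; then echo "$2"; return 0; fi
    shift
  done
  return 1
}

# 0 when KEYFILE holds at least one plain public key and nothing else but
# comments and blank lines (catches a pasted private key or a stray shell
# prompt); else 1. Keys with leading option fields are reported as unexpected.
authorized_keys_ok() {
  key='(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
  keys=$(grep -Ec "^$key" "$1" 2>/dev/null) || keys=0
  other=$(grep -Evc "^([[:space:]]*(#|\$)|$key)" "$1" 2>/dev/null) || other=0
  [ "$keys" -gt 0 ] && [ "$other" -eq 0 ]
}
```

Run dropbear_hardened "$(dropbear_options)" && authorized_keys_ok /etc/dropbear/initramfs/authorized_keys before sudo update-initramfs -u in step f; a missing flag is named on stderr.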
3. See next post