Encrypted OMV installation with aes-xts-plain64 cipher

  • Hello,


    I've just posted on wiki the very first draft of manual describing how to set up an encrypted OMV installation with aes-xts-plain64 cipher, random key for swap and exposing the rest of boot disk to store data.
    http://wiki.openmediavault.org…f_boot_disk_to_store_data


    I'll update it with screenshots soon. I hope you'll find it useful and maybe help to improve it.


    This thread is meant for feedback, discussion and ideas related to that manual.

  • Hi,
    I have encrypted my data disk with LUKS and LVM, I also updated /etc/crypttab and initramfs. The pre-boot authentification is working and the LVM is mounted correctly.


    Then I installed dropbear to unlock the system remotely, updated /etc/initramfs-tools/initramfs.conf with

    Code
    DROPBEAR=y
    DEVICE=eth0
    IP=192.168.178.101::192.168.178.1:255.255.255.0::eth0:off


    and made a copy of the private key on my laptop.
    After the reboot I get an IP and can ping the system nevertheless when I attempt to connect, I get "Connection refused".


    As you mentioned in the wiki that you also intend to configure a SSH server to unlock the system remotely I figured you might have ideas on how to accomplish this?


    Thanks in advance.
    Vitality

  • Hi,


    i tried to use your guide, but unfortunately it didn't work for me. I can boot the new iso and do the first steps in the setup. As soon as i have choosen a keyboard layout, a red warning shows an error about an incorrect cd.


    In order to get a working .iso I had to use a different command for mkisofs:

    Code
    mkisofs -o omv.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table OMV


    (taken from syslinux.org). The command stated in the guide did not create a bootable iso for me.
    In addition to that, I also adjusted the hash values of preseed.cfg using SHA1 and SHA256.


    Any help on where my error might be is appreciated.


    PS: I do not need a LUKS installation using a manual encryption config - the default is sufficient. Although this should not matter yet.

    ESXi: SM X9SCA-F || Xeon E3-1220LV2 || Kingston ECC 16GB DDR3-1333 || 2x IBM M1015 (IT) || 38TB raw || Chenbro SR11269

  • Hi,


    First of all - apologies, as it seems that the mkisofs command parameters on the wiki get cut. I've fixed that now.


    The reason you get an error about incorrect CD is most likely due to improper or lack of update of md5sum of preseed.cfg file in md5sum.txt
    Double check that, please.

  • Thanks for your reply :)


    I will try it again, but at the moment I resolved it by using a standard Debian netinstall and adding the OMV-repositories afterwards.

    ESXi: SM X9SCA-F || Xeon E3-1220LV2 || Kingston ECC 16GB DDR3-1333 || 2x IBM M1015 (IT) || 38TB raw || Chenbro SR11269

  • Hi !


    I installed a cyphered OMV system on a server last year using your elements (http://wiki.openmediavault.org…f_boot_disk_to_store_data).


    It works pretty well !


    The system HDD is fully cyphered except the /boot.
    It's remotely unlocked via an ssh command, and then it unlocks automatically (files stored on the cyphered system HDD) the 2 RAID1 arrays (2x500Go and 2x2To).


    But my questions are :
    - in case of a failure of the system HDD, how can I manage to recover all my data writtened on the 2 RAID1 arrays ?
    - in case of a failure of 1 HDD in one of the arrays, how can I proceed to :
    * access to my data
    * rebuild the broken array


    I never tried to disconnect one drive in order to test (I didn't have so much time to spend on it... unfortunately) and if there is no pretty easy solution to do that, I will probably move to a non-cyphered solution, that I can more easily manage with my knowledge...


    Thanks for your contribution !

  • Hi,


    thank you very much. I used the HowTo it worked perfectly. I used the "Easy Way" to encrypt my boot disk, which is a 128GB SSD. Over 100GB remained used, but I found a way to use them as data storage. I'd like to share it with you. Maybe you find it useful.


    The way how I did it is actually very simple:


    create a 100GB container file

    Code
    dd if=/dev/zero of=/media/container_file bs=1G count=100


    bind it as a loop device:

    Code
    losetup -f
    losetup /dev/loop0 /media/container_file


    format it in ext4:

    Code
    mkfs.ext4 /dev/loop0


    mount it:

    Code
    mount -t ext4 /dev/loop0 /media


    Now you can use the rest of your system partition as data storage.


    I hope this is helpful


  • But my questions are :
    - in case of a failure of the system HDD, how can I manage to recover all my data writtened on the 2 RAID1 arrays ?
    - in case of a failure of 1 HDD in one of the arrays, how can I proceed to :
    * access to my data
    * rebuild the broken array


    - You need to backup the key(file)(s) used to open the encrypted partiotions. Otherwise it will be impossible to access your data if you choose a good key(file). It might be worth to backup the raid configuration as well (which hd belongs to which raid), that will make it easier to reconstrcut everything.
    * If one hd fails you can still access your data as if nothing happenend. You should activate notifications because if your second hd fails your data is lost.
    * As you have a backup of your data (you have one, don't you?), you can just physically switch the hd and remove/add it in the raid configuration as well. The raid should rebuild and everything is fine.


    I never tried to disconnect one drive in order to test (I didn't have so much time to spend on it... unfortunately) ...


    You should have done that! Ignoring the automatic rebuild it just takes some 20 mins, but you are sure that your date is secure and you know the process ...


    Greetings
    Wk

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!