LUKS encryption plugin #1

Open
subzero79 opened this issue Jan 14, 2018 · 4 comments

Comments

subzero79 commented Jan 14, 2018

I just saw your guide in the forum, and I ended up here.

About two months ago I did some sort of enhancement of the LUKS encryption plugin. The source is here:

https://github.com/subzero79/openmediavault-luksencryption/tree/advsettings

This was based on this work

https://blog.iwakd.de/headless-luks-decryption-via-ssh

What this fork of the plugin does:

  • Allows you to activate a before-decrypt target, where only basic services (including SSH) will be running.
  • Includes a decrypt-drives script to be run. The script will prompt for the password for the drives. Another option is to give a secondary drive (with keyfiles) to use for auto-decrypting. If the key disk is encrypted, then you will need to log in via SSH to run it, as it will prompt for the password of the disk.

Feel free to test it or add more features.

The plugin does some heavy interventions in /etc/fstab and the OMV DB entries to work properly, especially if the before-decrypt target is activated. It will add noauto,nofail, as this is essential to not delay boot. It also deactivates the sharedfolders systemd units.

The fstab drives and sharedfolders units are mounted once the drives are decrypted and the multi-user target is reached (just look at the mkconf/luks.d/03systemd folder). The idea of the plugin was to not boot OMV and have numerous services failing to start because the undecrypted drives were not available.

This plugin doesn't handle rootfs encryption. If you think you can add the feature somehow, let me know.

@gandalfb (Owner):

Thank you for your insights.
Focusing on data encryption, your approach seems very good.
I do have Docker data on the root device, which makes me want to encrypt this as well.
SnapRAID and mergerfs are not working on Docker (disk I/O errors).

Have you tried to get this as a pull request into the official plugin?
As you mentioned, your heavy interventions might have other implications that would need to be addressed?

@subzero79 (Author):

I haven't tried a PR yet. This is because in the forum LUKS thread I offered it for testing and no one showed interest, but I know there is an issue using encrypted disks in OMV, especially related to services.

The heavy intervention is done properly IMO: first adding the parameter to the fstab DB (via omv-confdbadm), then regenerating fstab. These interventions can be reverted, as the mkconf script also removes noauto from the DB and fstab when the decrypt target is deactivated.
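The fstab handling described in the first comment and in the reply above (noauto,nofail added to the entries of the LUKS-backed mounts so boot does not wait on them, and removed again when the before-decrypt target is deactivated), together with the decrypt script that opens the containers from a key disk or by prompt, as an added example in POSIX shell. This is not code from openmediavault-luksencryption or the advsettings fork: it edits an fstab file passed as an argument instead of going through omv-confdbadm and mkconf, and the mapper naming (<basename>-crypt) and key-file naming (<mapper-name>.key) are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not the plugin's or the fork's code. Models the two halves of
# the workflow from the thread:
#   1. rewriting the options of LUKS-backed fstab entries to noauto,nofail and
#      undoing it when the before-decrypt target is deactivated;
#   2. a decrypt script that opens the containers from a key disk or by prompt.
# Assumptions (not from the page): a plain fstab file is edited directly, not
# the OMV DB; mapped devices are named <basename>-crypt; key files <name>.key.

# _fstab_edit add|remove <fstab-file> <device>...
# Rewrites column 4 (options) of every entry whose device column matches one of
# the given devices. Existing noauto/nofail are stripped before re-adding, so
# "add" is idempotent and never produces noauto,nofail,noauto,nofail.
_fstab_edit() {
    mode=$1; file=$2; shift 2
    tmp=$(mktemp) || return 1
    awk -v mode="$mode" -v devs="$*" '
        BEGIN { OFS = "\t"; n = split(devs, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        # comments, short lines and entries for other devices pass through untouched
        /^[ \t]*#/ || NF < 4 || !($1 in want) { print; next }
        {
            m = split($4, o, ","); out = ""
            for (i = 1; i <= m; i++) {
                if (o[i] == "noauto" || o[i] == "nofail") continue
                out = out (out == "" ? "" : ",") o[i]
            }
            if (mode == "add") out = out (out == "" ? "" : ",") "noauto,nofail"
            if (out == "") out = "defaults"
            $4 = out
            print
        }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps inode and permissions
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

fstab_set_noauto()   { _fstab_edit add "$@"; }
fstab_unset_noauto() { _fstab_edit remove "$@"; }

# fstab_is_noauto <fstab-file> <device>: exit 0 if the entry carries both flags.
# Useful as a check before enabling the before-decrypt target.
fstab_is_noauto() {
    awk -v dev="$2" '
        /^[ \t]*#/ || NF < 4 || $1 != dev { next }
        {
            a = 0; f = 0; n = split($4, o, ",")
            for (i = 1; i <= n; i++) { if (o[i] == "noauto") a = 1; if (o[i] == "nofail") f = 1 }
            if (a && f) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# decrypt_drives <keydir-or-empty> <block-device>...
# Opens each LUKS container. If a key directory is given and holds
# <mapper-name>.key, that key file is used (the "key disk" case); otherwise
# cryptsetup prompts for the passphrase, which is why the script is run from an
# SSH session inside the before-decrypt target. Not exercised by the test
# below: it needs root and real block devices.
decrypt_drives() {
    keydir=$1; shift
    for dev in "$@"; do
        name=$(basename "$dev")-crypt     # assumed naming, see header comment
        if [ -n "$keydir" ] && [ -f "$keydir/$name.key" ]; then
            cryptsetup open --key-file "$keydir/$name.key" "$dev" "$name"
        else
            cryptsetup open "$dev" "$name"
        fi
    done
    # noauto entries are skipped by "mount -a"; mount each one explicitly
    # (mount /srv/<mountpoint>) once the containers are open.
}
```

Run `fstab_set_noauto /etc/fstab /dev/mapper/sdb-crypt ...` when enabling the target and `fstab_unset_noauto` with the same devices when disabling it; `fstab_is_noauto` is the check to run before rebooting. The awk program touches only matching entries, so the root filesystem line and comments come through byte-for-byte.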

@gandalfb (Owner):

I would vote for it :-)
Maybe search-optimize the thread. I did not recognize this as relevant during my research.

Easy usage of encryption is something that should be taken care of, IMHO.

@subzero79 (Author):

Sorry, my mistake: it was the Docker plugin cleanup I offered; it is also on my GitHub.

The idea came after discussing the issue in this thread

https://forum.openmediavault.org/index.php/Thread/18158-LUKS-KeyFile-AutoMount-SOLVED/?pageNo=1

But i haven't yet asked for testing.
