Faxumwiki


Automount LUKS disk using remote key

Goals

In my house there is a NAS based on OpenMediaVault that I want to protect from theft. To make that possible, the data disk inside the NAS is encrypted with LUKS using the plugin openmediavault-luksencryption. This seems to be a state-of-the-art solution, but it has one problem: every time the server starts you have to log into the WebGUI to unlock the encrypted drive.
In my case the server shuts down automatically at 23:59 every day and is turned on by hand only when I need it. Access via the WebGUI is very inconvenient because you need a computer: unlocking the drive from a smartphone or tablet is hard and fiddly (the web interface is not responsive and the buttons are very small), and you always have to type the administrator password.
I searched the internet for a solution, but nobody seems to have my problem… Strange! Probably 99% of people keep their NAS powered on 24/7. That is not a solution for me: I use it only a few hours per week, and keeping it powered on is a waste of energy.

The solution I adopted is this: store the LUKS password in a file on the local router (running OpenWRT or LEDE) and use an init script on the NAS that fetches it and unlocks the drive automatically at every startup.
If the NAS is stolen, the thief cannot retrieve the key, which stays on the router, and the data remains protected. Obviously this solution has its weaknesses. The biggest one is when the NAS and the router are stolen together: in that scenario the thief has both the encrypted data and the key. A second one is that the key file is served over plain HTTP to every device on the LAN, so anyone who can join the network and knows the file name (or captures the traffic) can read it. But this is not a problem for me, because the server contains only photos and family data, and I want to protect them from an ordinary thief or low-level user, not from brute-force attacks or Russian spies.
With a small change to the script you can store the key/password on a remote server or out on the internet (with pros… and cons…). If you do, fetch it over HTTPS: with plain HTTP the password crosses every network on the path in clear.

OpenWRT or LEDE

Let's start by creating the password file on the router.
Log in via SSH and create a new file in the folder /www/:
( :!: warning :!: the router's web server hands this file to anyone who knows its name and has a connection to the router, wired or wireless, so file permissions on the router do not protect it. Use an unguessable name for the file, for example /www/j-if9_8n4ikZWvblkhp.txt, and do not reuse this password anywhere else.)

# echo "MySecretPassword" > /www/key.txt

Easy, right?

Openmediavault script

Now create the script on the OpenMediaVault server.
Log in via SSH and create the file /etc/init.d/automount_cryptodisk:

# nano /etc/init.d/automount_cryptodisk

Its content should be:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          automount_cryptodisk
# Required-Start:    $all
# Required-Stop:
# Should-Start:
# Default-Start:     5
# Default-Stop:
# Short-Description: Automount cryptodisk
# Description:       Automount cryptodisk using a key saved remotely.
### END INIT INFO
 
# PLEASE, customize this variable with the real address of the router and
# the name of the file you created there:
REMOTEKEY="http://192.168.0.1/key.txt"
 
# Run always
SCRIPTNAME="automount_cryptodisk"
LOGFILE="/tmp/automount_crypto"
KEYFILE="/tmp/amcdkey.txt"
echo "Logfile is: $LOGFILE"
 
# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting script."
    echo "Starting script $SCRIPTNAME " > "$LOGFILE"
    # The temporary key file must be readable by root only
    umask 077
    echo "Download key..." >> "$LOGFILE"
    # 10 s per try, 3 tries: the boot must not hang if the router is unreachable.
    # On failure leave the disk locked instead of feeding cryptsetup an empty file.
    if ! wget -nv -T 10 -t 3 -O "$KEYFILE" "$REMOTEKEY" >> "$LOGFILE" 2>&1; then
      echo "Key download failed: leaving the disk locked." >> "$LOGFILE"
      rm -f "$KEYFILE"
      exit 1
    fi
    echo "Loading key..." >> "$LOGFILE"
    KEYSTRING="$(cat "$KEYFILE")"
    echo "Removing temp file.." >> "$LOGFILE"
    rm -f "$KEYFILE" >> "$LOGFILE" 2>&1
    echo "Retrieving disk device name..." >> "$LOGFILE"
    # First LUKS container only. Match TYPE="crypto_LUKS" exactly: a plain
    # "grep LUKS" would also match a filesystem whose label contains LUKS.
    DISKTOMOUNT="$(blkid -o device -t TYPE=crypto_LUKS | head -n 1)"
    if [ -z "$DISKTOMOUNT" ]; then
      echo "No LUKS device found." >> "$LOGFILE"
      exit 1
    fi
    echo "Device: (absolute path) $DISKTOMOUNT" >> "$LOGFILE"
    DISKTOMOUNT="${DISKTOMOUNT#/dev/}"
    echo "Device: (relative to /dev/) $DISKTOMOUNT" >> "$LOGFILE"
    echo "Try to open LUKS disk..." >> "$LOGFILE"
    # The passphrase goes to cryptsetup on stdin (cryptsetup strips the trailing
    # newline); it is quoted so that spaces survive and never appears on a command line.
    printf '%s\n' "$KEYSTRING" | cryptsetup luksOpen "/dev/$DISKTOMOUNT" "$DISKTOMOUNT-crypt" >> "$LOGFILE" 2>&1
    echo "Done."
    echo "Done." >> "$LOGFILE"
    ;;
  stop)
    echo "Stopping script: nothing to do here"
    echo "Stopping script $SCRIPTNAME: nothing to do here" > "$LOGFILE"
    ;;
  *)
    echo "Usage: /etc/init.d/$SCRIPTNAME {start|stop}"
    exit 1
    ;;
esac
 
exit 0

Remember to customize the REMOTEKEY="http://192.168.0.1/key.txt" variable with the real IP address of the router and the name of the file you created on it!
And now, make the script executable:

# chmod 755 /etc/init.d/automount_cryptodisk

and register it with the init system (update-rc.d takes the script name, not its path):

# update-rc.d automount_cryptodisk defaults

You can try the script without rebooting by running /etc/init.d/automount_cryptodisk start and reading the log file. Then reboot your server and enjoy your auto-unlock :-)

Principle of operation

After the execution of the last command (update-rc.d…) a link to the script is automatically placed in the folder /etc/rc5.d/ 1). The script is executed at every late startup 2) of OpenMediaVault.
The sequence of operations it performs is:

  1. download the password file from the router into a temporary file in /tmp
  2. load the password into a variable
  3. delete the temporary file (if /tmp is a tmpfs in RAM this is only for tidiness, because the file would be lost anyway at the next power-off; check with df /tmp, because on a stock Debian install /tmp lives on the root filesystem, and in that case the plaintext key has been written to disk and rm only unlinks it)
  4. search for the first LUKS-encrypted device installed in the system
  5. extract the device name of the device (e.g. sdb)
  6. try to unlock the device with the given password
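The following is an added example and not the wiki's script: a fail-closed variant of the same procedure. It fetches the key straight into a shell variable, so no copy is ever written to /tmp (which removes the need to wipe anything), opens every crypto_LUKS container instead of only the first, skips mappings that are already open, and leaves the disks locked if the download fails or returns nothing. The router URL, the "<device>-crypt" mapping name taken from the page, and the blkid output used for the offline check are assumptions or constructed samples; the real commands (wget, blkid, cryptsetup) are the ones shipped with OMV 3.

```shell
#!/bin/sh
# Added example, not the wiki's script: a fail-closed unlock routine.
# Assumptions: GNU wget, blkid and cryptsetup as shipped with OMV 3 (Debian 8);
# the router URL and the "<device>-crypt" mapping name are illustrative.

REMOTEKEY="http://192.168.0.1/key.txt"   # customize like the page's script
LOGFILE="/tmp/automount_crypto"

# Constructed blkid output for the offline check (not captured from a real box):
# two LUKS containers plus an ext4 partition whose LABEL merely contains "LUKS".
SAMPLE_BLKID='/dev/sda1: UUID="0a1b2c3d-1111-4444-8888-aaaaaaaaaaaa" TYPE="ext4" PARTUUID="00000001-01"
/dev/sdb: UUID="0a1b2c3d-2222-4444-8888-bbbbbbbbbbbb" TYPE="crypto_LUKS"
/dev/sdc1: LABEL="LUKSBACKUP" UUID="0a1b2c3d-3333-4444-8888-cccccccccccc" TYPE="ext4"
/dev/sdd: UUID="0a1b2c3d-4444-4444-8888-dddddddddddd" TYPE="crypto_LUKS"'

# Read blkid output on stdin and print the path of every LUKS container, one
# per line. Only TYPE="crypto_LUKS" counts: a plain "grep LUKS" would also
# match /dev/sdc1 above because of its label.
luks_devices() {
    while IFS= read -r line; do
        case "$line" in
            *'TYPE="crypto_LUKS"'*) printf '%s\n' "${line%%:*}" ;;
        esac
    done
}

# /dev/sdb -> sdb-crypt, the mapping name used on this page
mapper_name() {
    printf '%s-crypt\n' "${1#/dev/}"
}

# Fetch the key straight into a variable: no copy on /tmp, nothing to wipe.
# Bounded wait (10 s per try, 3 tries); an empty answer also counts as failure.
fetch_key() {
    key="$(wget -q -T 10 -t 3 -O - "$1")" || return 1
    [ -n "$key" ] || return 1
    printf '%s' "$key"
}

# Open every LUKS container that is not already open. The passphrase is fed on
# stdin (cryptsetup strips the trailing newline) and never put on a command line.
unlock_all() {
    blkid | luks_devices | while IFS= read -r dev; do
        name="$(mapper_name "$dev")"
        if cryptsetup status "$name" >/dev/null 2>&1; then
            echo "$name is already open" >> "$LOGFILE"
            continue
        fi
        if printf '%s\n' "$1" | cryptsetup luksOpen "$dev" "$name" >> "$LOGFILE" 2>&1; then
            echo "Opened $dev as $name" >> "$LOGFILE"
        else
            echo "luksOpen failed for $dev (wrong key or device busy)" >> "$LOGFILE"
        fi
    done
}

# Only the "start" argument touches the system; without it the functions are
# merely defined, which is what the offline check of the parser relies on.
case "${1:-}" in
    start)
        KEY="$(fetch_key "$REMOTEKEY")" || { echo "Key download failed, disks stay locked" >> "$LOGFILE"; exit 1; }
        unlock_all "$KEY"
        ;;
esac
```

Run it as `sh automount_all.sh start` from an init script of the same shape as the one above. The parser is kept separate from the commands that touch the system so it can be checked offline against the constructed sample; on a live box `blkid -o device -t TYPE=crypto_LUKS` gives the same list with no parsing at all.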

Troubleshooting

Every time the server is turned on, a log file is written to /tmp/automount_crypto.
Please analyze its content in case of trouble.

TO-DO

…But do not count on me…

  • Wipe the temp file downloaded from the router before removing it
  • Unlock every LUKS-encrypted device, not only the first, when there is more than one

Tested

Tested on OMV 3

1) # Default-Start: 5
2) #Required-Start: $all
linux/openmediavault/automount_luks_with_remote_key.txt · Last modified: 2017/03/20 22:05 by fabiusx