
Automount LUKS disk using remote key

by TheFAX

Goals

In my house there is a NAS based on OpenMediaVault that I want to protect from theft. To make this possible, the data disk inside the NAS is encrypted with LUKS, using the plugin openmediavault-luksencryption. This seems to be a state-of-the-art solution, but there is a single problem: every time the server starts, you need to log in to the WebGUI in order to unlock the encrypted drive.
In my case, the server shuts down automatically at 23:59 every day, and is turned on manually only when I need it. Access via the WebGUI is very uncomfortable because you need a computer: unlocking the drive via smartphone or tablet is very hard and tricky (the web interface is not size-responsive and the buttons are very small), and you always need to type the administrator password.
I searched the internet for a solution, but nobody seems to have my problem… Strange! Probably 99% of people keep their NAS powered on 24/7. That's not a solution for me: I use it only a few hours per week, and keeping it powered is a waste of energy.

The solution I adopted is this: store the LUKS password in a file on the local router (based on OpenWRT or LEDE) and use an (rcS) script to unlock the drive automatically at every startup.
If the NAS is stolen, it will not be able to retrieve the key stored locally and the data will be protected. Obviously this solution has its weaknesses: the biggest one is when the NAS and the router are stolen together. In this scenario the thief has got the encrypted data and the key. But this is not a problem for me, because the server contains only photos and family data, and I want to protect them from ordinary thieves or low-level users, not from brute-force attacks or Russian spies.
With a small modification to the script, you will be able to store the key/password on a remote server or over the internet (with pros… and cons…).

OpenWRT or LEDE

Let's start by creating the password file on the router.
Gain access via SSH and create a new file in the folder /www/:
(Warning: /www/ is served by the router's web server, so this password will be accessible to anyone who knows the name of the file and has access to a local connection to the router. You can use another name for the file, for example: /www/j-if9_8n4ikZWvblkhp.txt)

root@OpenWrt:~# echo "MySecretPassword" > /www/key.txt

Easy, right?

Openmediavault script

Now create the script on the OpenMediaVault server.
Log in via SSH, and create the file /etc/init.d/automount_cryptodisk

root@openmediavault:/# nano /etc/init.d/automount_cryptodisk

Its content should be:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          automount_cryptodisk
# Required-Start:    $all $network $named
# Required-Stop:
# Should-Start:
# Default-Start:     5
# Default-Stop:
# Short-Description: Automount cryptodisk
# Description:       Automount cryptodisk using a key saved remotely.
### END INIT INFO

SCRIPTNAME="automount_cryptodisk"

# PLEASE customize this variable with the correct URL of your remote key:
REMOTEKEY="192.168.0.1/key.txt"
LOGFILE="/tmp/automount_crypto"
KEYTEMPFILE="/tmp/amcdkey.txt"

# Create the log and the temporary key file readable by root only
umask 077

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "BEGIN Script $SCRIPTNAME " > "$LOGFILE"

    echo "Download key into a temp file..." >> "$LOGFILE"
    if ! wget -O "$KEYTEMPFILE" "$REMOTEKEY" >> "$LOGFILE" 2>&1; then
      # Without a key there is nothing to unlock: clean up and stop here
      echo "Key download failed." >> "$LOGFILE"
      rm -f "$KEYTEMPFILE"
      exit 1
    fi

    echo "Loading key from the temp file..." >> "$LOGFILE"
    KEYSTRING="$(cat "$KEYTEMPFILE")"

    echo "Removing key temp file..." >> "$LOGFILE"
    rm -f "$KEYTEMPFILE" >> "$LOGFILE" 2>&1

    echo "Retrieving LUKS device names..." >> "$LOGFILE"
    DISKTOMOUNT=( $( blkid | grep LUKS | cut --fields=1 --delimiter=: ) )

    # At this point, DISKTOMOUNT is an array containing all the LUKS devices

    for ITEM in "${DISKTOMOUNT[@]}"
    do
      # For each encrypted device:
      echo "Detected LUKS device: $ITEM" >> "$LOGFILE"

      DEVICENAME="${ITEM#/dev/}"
      echo "Calculated device name: $DEVICENAME" >> "$LOGFILE"

      echo "Try to unlock disk..." >> "$LOGFILE"
      # Quote the key so spaces and special characters in it survive intact
      printf '%s\n' "$KEYSTRING" | cryptsetup luksOpen "/dev/$DEVICENAME" "$DEVICENAME-crypt" >> "$LOGFILE" 2>&1
    done

    echo "END of log." >> "$LOGFILE"
    ;;
  stop)
    echo "Stopping script: nothing to do here"
    echo "Stopping script $SCRIPTNAME: nothing to do here" > "$LOGFILE"
    ;;
  *)
    echo "Usage: /etc/init.d/$SCRIPTNAME {start|stop}"
    exit 1
    ;;
esac

exit 0

Remember to customize the REMOTEKEY="192.168.0.1/key.txt" variable with the real IP address and name of the file you created on the router!
And now, make the script executable:

root@openmediavault:/# chmod 755 /etc/init.d/automount_cryptodisk

and auto-install it into the system:

root@openmediavault:/# update-rc.d automount_cryptodisk defaults

Reboot your server and enjoy your auto-unlock :-)

Principle of operation

After the execution of the last command (update-rc.d automount_cryptodisk defaults) a link to the original script will be automatically placed in the folder /etc/rc5.d/ 1). The script will be executed at every late startup 2) of OpenMediaVault.
The sequence of operations it performs is:

  1. download the password file from the router into a temporary file (placed in a tmpfs, i.e. in RAM)
  2. load the password into a variable
  3. delete the temporary file (please note that this is only a refinement: the file was placed in RAM and it would be lost anyway on the next power-off of the server)
  4. search for all LUKS-encrypted devices installed in the system (saving their /dev names into a bash array)
  5. for each device in the array:
    1. extract the device name (e.g. sdb)
    2. try to unlock the device, with the password loaded in step 2.

Troubleshooting

Every time the server is turned on, a log file is created in /tmp/automount_crypto.
Please analyze the content of the file in the event of trouble.

TO-DO

…But do not rely on me…

  • Wipe the temp file downloaded from the router before removing it
  • Unlock devices recursively, if more than one is LUKS-encrypted (DONE!)
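
One way to close the first TO-DO item, as an added example that is not part of the original script: the key is piped straight from the download into cryptsetup, so there is no temp file left to wipe. KEY_URL and the function names are assumptions made for this example; the mapper naming (sdb-crypt) follows the script above.

```shell
#!/bin/bash
# Added example, not the original author's script: fetch the key and pipe it
# straight into cryptsetup, so it is never written to a temp file.
# Assumed/hypothetical names: KEY_URL, fetch_key, list_luks_devices,
# open_device, unlock_all. The URL is the router address used on this page.
KEY_URL="${KEY_URL:-http://192.168.0.1/key.txt}"

# Print the key on stdout; non-zero exit if the router cannot be reached.
fetch_key() {
    wget --quiet --timeout=10 --tries=3 -O - "$KEY_URL"
}

# Print every LUKS block device, one per line (for example /dev/sdb).
list_luks_devices() {
    blkid -t TYPE=crypto_LUKS -o device
}

# $1 = device, $2 = mapper name; the passphrase arrives on stdin.
open_device() {
    cryptsetup luksOpen "$1" "$2"
}

# Returns 0 on success, 1 if a device failed to open,
# 2 if the download failed, 3 if the downloaded key was empty.
unlock_all() {
    local key dev name rc=0
    key="$(fetch_key)" || { echo "key download failed" >&2; return 2; }
    [ -n "$key" ] || { echo "downloaded key is empty" >&2; return 3; }
    for dev in $(list_luks_devices); do
        name="${dev#/dev/}-crypt"
        # Skip devices that are already unlocked.
        if [ -e "/dev/mapper/$name" ]; then continue; fi
        printf '%s\n' "$key" | open_device "$dev" "$name" || rc=1
    done
    return "$rc"
}

# Same calling convention as the init script: act only on "start".
if [ "${1:-}" = "start" ]; then
    unlock_all
fi
```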

Tested

Tested on OMV 3
Tested on OMV 4

1) # Default-Start: 5
2) # Required-Start: $all
linux/openmediavault/automount_luks_with_remote_key.txt · Last modified: 2021/01/02 11:16 by 127.0.0.1