La wiki del gatasso

Strumenti Utente

Strumenti Sito


Automount LUKS disk using remote key

by TheFAX


In my house there is a NAS based on OpenMediaVault that I want to protect from theft. To make it possible the data disk inside the NAS is crypted with LUKS, using the plugin openmediavault-luksencryption. This seems to be a status-of-the-art solution, but there is a single problem: every time the server starts, you need to enter into the WegGUI in order to unlock the encrypted drive.
In my case, the server automatically shutdown at 23:59 every day, and is turned on manually only when I need it. The access via WebGUI is very uncomfortable because you need a computer: unlock the drive via smartphone or via tablet is very hard and tricky (the web interface is not size-responsive and the buttons are very small), and you always need to type the administrator password.
I searched over the internet a solution, but nobody seems to have my problem… Strange! Probably 99% of people keeps its NAS powered-on 24/7. It's not a solution for me: I use it only few hours per week, and keeping it powered is a waste of energy.

The solution I adopted is this: store the LUKS password in a file into the local router (based on OpenWRT or LEDE) and use a (rcS) script for automatic unlocking the drive at every startup.
If the NAS will be stolen, it will not be able to retrieve the key stored locally and the data will be protected. Obviously this solution have its weaknesses: the bigger one is when the NAS && the router are stolen together. In this scenary the thief has got the crypted data and the key. But this is not a problem for me, because the server contains only photos and family data, and I want to protect them from normal thief or low-level users, not from brute-force attacks or Russians spies.
With a little modify to the script, you will be able to store the key/password in a remote server or over the internet (with pros… and cons…).


Let's start creating the password file into the router.
Gain access via SSH and create a new file into the folder /www/:
( :!: warning :!: this password will be accessible to anyone who knows the name of the file and have access to a local connection to the router. You can use another name for the file, example: /www/j-if9_8n4ikZWvblkhp.txt)

[email protected]:~# echo "MySecretPassword" > /www/key.txt

Easy, right?

Openmediavault script

Now create the script into the OpenMediaVault server.
Login via SSH, and create the file /etc/init.d/automount_cryptodisk

[email protected]:/# nano /etc/init.d/automount_cryptodisk

Its content should be:

#! /bin/bash
# Provides:          Automount cryptodisk
# Required-Start:    $all $network $named
# Required-Stop:
# Should-Start:
# Default-Start:     5
# Default-Stop:
# Short-Description: Automount cryptodisk
# Description:       Automount cryptodisk using a key saved remotely.
#PLEASE, customize this variable with the correct url of your remote key:
# Carry out specific functions when asked to by the system
case "$1" in
    echo "BEGIN Script $SCRIPTNAME " > $LOGFILE
    echo "Download key into a temp file..." >> $LOGFILE
    echo "Loading key from the temp file..." >> $LOGFILE
    echo "Removing key temp file..." >> $LOGFILE
    rm -rf $KEYTEMPFILE >> $LOGFILE 2>&1
    echo "Retrieving LUCKS device names..." >> $LOGFILE
    DISKTOMOUNT=( $( blkid | grep LUKS | cut --fields=1 --delimiter=: ) )
    #in questo punto, DISKTOMOUNT è un array che contiene tutti i device LUCKS
    for ITEM in ${DISKTOMOUNT[*]}
      #Per ogni device criptato:
      echo "Detected LUKS device: $ITEM" >> $LOGFILE
      echo "Calculated device name: $DEVICENAME" >> $LOGFILE
      echo "Try to unlock disk..." >> $LOGFILE
      echo $KEYSTRING | cryptsetup luksOpen /dev/$DEVICENAME $DEVICENAME-crypt >> $LOGFILE 2>&1
    echo "END of log." >> $LOGFILE
    echo "Stopping script: nothing to do here"
    echo "Stopping script $SCRIPTNAME: nothing to do here" > $LOGFILE
    echo "Usage: /etc/init.d/$SCRIPTNAME {start|stop}"
    exit 1
exit 0

Remember to customize the REMOTEKEY=“” variable with the real IP address and name of the file you created into the router!
And now, make the script executable:

[email protected]:/# chmod 755 /etc/init.d/automount_cryptodisk

and auto-install it into the system:

[email protected]:/# update-rc.d automount_cryptodisk defaults

Reboot your server and enjoy your auto-unlock :-)

Principle of operation

After the execution of the last command (update-rc.d automount_cryptodisk defaults) a link to the original script will be automatically placed into the folder /etc/rc5.d/ 1). The script will be executed at every late-startup 2) of OpenMediaVault.
The sequence of operations it perform is:

  1. download the password file from the router into a temporary file (placed in a tmpfs==RAM)
  2. load the password into a variable
  3. delete the temporary file (please note that it is only for refinement: the file was placed in RAM and it would still be lost on next power-off of the server)
  4. search for all LUKS-encrypted devices installed into the system (saving their dev/names into a bash array)
  5. for each device in the array:
    1. extract the device name (eg: sdb)
    2. try to unlock the device, with the password loaded on the step 2.


Every time the server will be turned on, a LOG file will be created in /tmp/automount_crypto.
Please analize the content of the file in event of trouble.


…But do not rely on me…

  • Wipe the temp file downloaded from the router before removing it
  • Unlock devices recursively, if more than one is LUKS-encrypted DONE!


Tested on OMV 3
Tested on OMV 4

# Default-Start: 5
#Required-Start: $all
linux/openmediavault/automount_luks_with_remote_key.txt · Ultima modifica: 2021/01/02 11:16 da fabiusx