LUKS encryption plugin

[subzero79]

I just saw your guide in the forum, i ended up here.

Like two months ago i did some sort of enhancement of the luks encryption plugin. The source is here

https://github.com/subzero79/openmediavault-luksencryption/tree/advsettings

This was based on this work

https://blog.iwakd.de/headless-luks-decryption-via-ssh

What this fork of the plugin does:

• Allows you to activate a before-decrypt target, where only basic services (including ssh will be running)
• Includes a decrypt drives script to be run. The script will prompt for password for the drives. Another option is two give a secondary drive (with keyfiles) to use for auto-decrypting. If the key disk is encrypted then you will need to log into ssh to run it as it will prompt for the password of the disk.

Feel free to test it or add more features.

The plugin does some heavy interventions in the /etc/fstab and db omv lines to work properly, especially if the before-decrypt target is activated. It will add noauto,nofail as this essential to not delay boot. Also deactivates sharedfolders systemd units.

The fstab drives and sharedfolders units are mounted once the drives are decrypted and multi-user target reached (just look at mkconf/luks.d/03systemd folder). The idea of the plugin was not to boot omv and have numerous services failing to start because the un-decrypted drives were not available.

This plugin doesn't handle the rootfs encryption. If you think you can add the feature somehow let me know

[gandalfb]

Thank you for your insights. With focusing on data encryption your approach seems very good. I do have docker data on root device which makes me want to encrypt this as well. snapraid, mergerfs is not working on Docker (disk I/O errors)

Have you tried to get this as a pull request into the official plugin? As you mentioned your heavy interventions might have other implications which would be addressed?

[subzero79]

haven't tried as PR request yet. This is because in the forum luks thread i offered to test it no one showed interested but i know there is an issue using encrypted disks in omv, especially related to services.

The heavy intervention is done properly IMO, first adding the parameter to the fstab db (via omv-confdbadm), then regenerating fstab. These interventions can be reverted as the mkconf script also removes the noauto from db and fstab when the decrypt target is deactivated.

[gandalfb]

I would vote for it :-) Maybe search optimize the thread. I did not recognize this as relevant during research.

The easy usage of encryption is something that should be taken care of. IMHO

[subzero79]

Sorry my mistake, it was the docker plugin cleanup i offered, is also in my github.

The idea came after discussing the issue in this thread

https://forum.openmediavault.org/index.php/Thread/18158-LUKS-KeyFile-AutoMount-SOLVED/?pageNo=1

But i haven't yet asked for testing.