@LeonStoldt
Last active November 10, 2022 14:02
Unraid array auto startup with keyfile exchange for decryption

Warning: I am not an Unraid expert and my knowledge of auto array startup decryption and Unraid events depends on the article mentioned below and some StackOverflow entries. This configuration and these settings might not be the most secure settings you can apply for this scenario. It works for me for now and I am still learning and improving my setup. The configuration is oriented to the way suggested by an Unraid Community developer, combined with my own trial and error.

Tested with Unraid versions 6.8.x, 6.10.x and 6.11.x; it should work with Unraid versions >= 6.4.

Use case: decrypt the HDDs in the array by fetching a keyfile from another Unraid server in the same network.

File to change: /boot/config/go (on the system where you want to decrypt the HDDs)

Prepare the Unraid Server with keyfile

  1. Create a new share and make it available over the network (export=true). The setup was tested with security=public; it might also work with fewer privileges (a non-public share with read access granted only to the user from step 3), which is preferable, because a public share lets every host on the LAN read the keyfile.
  2. Create a keyfile (AFAIK its content can be anything) and place it in the share you created.
  3. Create a new user and give it a secure password.
  4. Only needed for Method 2 (wget over FTP): under Settings > FTP Server, enable the FTP server and enter the user you created in step 3. Method 1 mounts the share over SMB/CIFS and only needs the share and the user.

Modify /boot/config/go

nano /boot/config/go

Edit this file to look something like this:

#!/bin/bash
# auto unlock array by making use of events to fetch keyfile and delete it after decryption
# emhttp runs every executable placed in these event directories when the array
# changes state; the root filesystem lives in RAM, so they are recreated at every boot
mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped
# starting: fetch the keyfile before the encrypted disks are unlocked
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
# started: remove the keyfile from RAM once the array is up
cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
# stopped: fetch the keyfile again so it is present for the next array start
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped
# the flash drive is FAT and stores no execute bit, so set it after copying
chmod a+x /usr/local/emhttp/webGui/event/starting/fetch_key
chmod a+x /usr/local/emhttp/webGui/event/started/delete_key
chmod a+x /usr/local/emhttp/webGui/event/stopped/fetch_key
# Start WebGUI
/usr/local/sbin/emhttp &

The use of Unraid events is explained in this post: https://forums.unraid.net/topic/61973-encryption-and-auto-start/?tab=comments#comment-648148

Create fetch_key file

To create the fetch_key file, run the following commands:

mkdir -p /boot/custom/bin/
nano /boot/custom/bin/fetch_key

and paste one of the following scripts, depending on how you want to fetch the key. Both variants fetch the key once per array start and store it at /root/keyfile, which is where emhttp looks for it.

If you want to fetch the key by another method, adapt the fetch_key script accordingly.

Method 1: mount your keyfile

#!/bin/bash

# Only fetch when no keyfile is present yet (the started hook deletes it)
if [[ ! -e /root/keyfile ]]; then
  mkdir -p /unlock
  # Replace user, password and //192.168.1.99/index with your own values.
  # A password on the command line is visible in `ps`; mount.cifs also accepts
  # credentials=/path/to/file (mode 600 on a non-FAT filesystem) instead.
  if mount -t cifs -o user=name,password='password',iocharset=utf8 //192.168.1.99/index /unlock; then
    cp -f /unlock/keyfile /root/keyfile
    chmod 600 /root/keyfile
    umount /unlock
  fi
  # rmdir only removes an empty, unmounted directory; the original `rm -r /unlock`
  # would delete the share's contents if the umount above had failed
  rmdir /unlock
fi

Method 2: fetch your keyfile by wget

#!/bin/bash

# Only fetch when no keyfile is present yet (the started hook deletes it)
if [[ ! -e /root/keyfile ]]; then
  # Replace name, password and url_or_IP with your own values
  wget --ftps-implicit --user=name --password='password' ftp://url_or_IP/files/keyfile -O /root/keyfile \
    && chmod 600 /root/keyfile \
    || rm -f /root/keyfile   # wget leaves an empty or partial file behind on failure
fi

If it doesn't work with --ftps-implicit, try without the --ftps-implicit flag. Be aware of what that means: plain FTP sends the user name, the password and the keyfile itself in cleartext over the network, so anyone who can sniff the LAN gets the key. wget ties its FTPS support to the ftps:// URL scheme, so an encrypted transfer needs an ftps://url_or_IP/... URL and a source server that is actually configured for FTPS.

  • Remember to replace "name", "password" and "url_or_IP" with the correct values.
  • Make sure the file you want to access (the keyfile on the source system) has the permissions needed for it to be read by the target system; check them with stat filename.
  • For testing purposes you can temporarily grant all rights to the file with chmod 777 filename. Revert this once it works: a world-writable keyfile can be read or replaced by any user or share client on the source system, which undermines the encryption. Read access for the fetching user alone (e.g. chmod 640 with a matching group) is all that is needed.
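Both fetch methods hand whatever landed at /root/keyfile straight to emhttp, so a truncated download or a swapped file on the share would be tried as the key. The following is an added example, not part of the gist: a helper that fetch_key could call after the transport step. It accepts the downloaded file only if it is non-empty and its SHA-256 matches a hash pinned on the target's own flash drive, sets mode 0600 and then moves it into place. The pinned-hash file /boot/config/keyfile.sha256, the temporary download path and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the gist): check a fetched keyfile against a pinned
# SHA-256 before it is installed at the path emhttp reads.
# Assumed layout: the transport (cifs copy or wget) writes to a temporary
# path first, the pinned hash lives in /boot/config/keyfile.sha256 (a file this
# example introduces, produced with `sha256sum keyfile` on the source server),
# and the final key goes to /root/keyfile as in the gist.

# Print only the SHA-256 of a file.
keyfile_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# stage_keyfile SRC DEST EXPECTED_SHA256
# Installs SRC at DEST with mode 0600 only if SRC is non-empty and its hash
# matches EXPECTED_SHA256. On any failure the partial or tampered download is
# deleted so that no bad key is left at a path emhttp might pick up.
stage_keyfile() {
    src=$1; dest=$2; expected=$3
    if [ ! -s "$src" ]; then
        echo "stage_keyfile: $src is missing or empty" >&2
        rm -f "$src"
        return 1
    fi
    actual=$(keyfile_sha256 "$src")
    if [ "$actual" != "$expected" ]; then
        echo "stage_keyfile: hash mismatch for $src (got $actual)" >&2
        rm -f "$src"
        return 1
    fi
    # Restrict permissions before the file appears at its final path;
    # mv keeps the mode.
    chmod 600 "$src" && mv -f "$src" "$dest"
}

# fetch_and_stage TMP DEST HASHFILE
# Reads the pinned hash from HASHFILE (sha256sum output format: hash, spaces,
# name) and stages TMP at DEST. Intended to be called at the end of fetch_key.
fetch_and_stage() {
    tmp=$1; dest=$2; hashfile=$3
    if [ ! -r "$hashfile" ]; then
        echo "fetch_and_stage: no pinned hash at $hashfile" >&2
        rm -f "$tmp"
        return 1
    fi
    expected=$(cut -d' ' -f1 < "$hashfile")
    stage_keyfile "$tmp" "$dest" "$expected"
}

# Optional command-line use: ./stage_key.sh stage /tmp/keyfile.tmp /root/keyfile /boot/config/keyfile.sha256
case "${1:-}" in
    stage) fetch_and_stage "$2" "$3" "$4" ;;
esac
```

In fetch_key you would download to a temporary path first (wget ... -O /tmp/keyfile.tmp, or cp from the cifs mount to /tmp/keyfile.tmp) and then call fetch_and_stage /tmp/keyfile.tmp /root/keyfile /boot/config/keyfile.sha256. A mismatch leaves no keyfile behind, so the array start fails closed instead of being attempted with a wrong or manipulated key. The hash file only identifies the key, it does not reveal it, which is why it can sit on the unencrypted flash drive.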

Create delete_key file

To create the delete_key file, run the following commands:

nano /boot/custom/bin/delete_key

and paste the following code to delete the keyfile:

#!/bin/bash

# /root lives in RAM on Unraid, so the key never touched persistent storage;
# removing the file is enough and a reboot clears it anyway
rm -f /root/keyfile

Helpful articles
