Warning: I am not an Unraid expert and my knowledge of auto array startup decryption and Unraid events depends on the article mentioned below and some StackOverflow entries. This configuration and settings might not be the most secure settings you can apply for this scenario. It works for me for now and I am still learning and improving my setup. The configuration is oriented to the way suggested by an Unraid Community developer, combined with my own trial and error.
Tested Unraid versions: 6.8.x, 6.10.x and 6.11.x - it should work with Unraid versions >=6.4
Use case: decrypt HDD in array by exchanging keyfile from another Unraid server in the same network.
File to change: /boot/config/go (on the system where you want to decrypt HDD)
- create a new share and make it available (export=true, security=public) - might work with fewer privileges
- create a keyfile (which can be anything AFAIK) and place it in the share you created
- create a new user and provide a secure password
- under Settings > FTP Server - enable the FTP Server and enter the FTP user you created
nano /boot/config/go
Edit this file to look something like this:
#!/bin/bash
# auto unlock array by making use of events to fetch keyfile and delete it after decryption
mkdir -p /usr/local/emhttp/webGui/event/starting
mkdir -p /usr/local/emhttp/webGui/event/started
mkdir -p /usr/local/emhttp/webGui/event/stopped
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/starting
cp -f /boot/custom/bin/delete_key /usr/local/emhttp/webGui/event/started
cp -f /boot/custom/bin/fetch_key /usr/local/emhttp/webGui/event/stopped
chmod a+x /usr/local/emhttp/webGui/event/starting/fetch_key
chmod a+x /usr/local/emhttp/webGui/event/started/delete_key
chmod a+x /usr/local/emhttp/webGui/event/stopped/fetch_key
# Start WebGUI
/usr/local/sbin/emhttp &
The use of Unraid events is explained in this post: https://forums.unraid.net/topic/61973-encryption-and-auto-start/?tab=comments#comment-648148
To create the fetch_key file, run the following commands:
mkdir -p /boot/custom/bin/
nano /boot/custom/bin/fetch_key
and paste the following code if you want to fetch the key by sftp:
In case you want to fetch the key by another method - you need to change the fetch_key script.
Method 1: mount your keyfile
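#!/bin/bash
# fetch the keyfile from an SMB share unless it is already present
if [[ ! -e /root/keyfile ]]; then
    mkdir -p /unlock
    # copy only if the mount succeeded
    mount -t cifs -o user=name,password='password',iocharset=utf8 //192.168.1.99/index /unlock \
        && cp -f /unlock/keyfile /root/keyfile
    umount /unlock
    # rmdir only removes an empty directory, so a failed umount cannot delete files on the share
    rmdir /unlock
fi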
Method 2: fetch your keyfile by wget
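#!/bin/bash
# fetch the keyfile over FTPS unless it is already present
if [[ ! -e /root/keyfile ]]; then
    # wget -O leaves an empty file behind on failure; remove it so the next event retries
    wget --ftps-implicit --user=name --password='password' ftp://url_or_IP/files/keyfile -O /root/keyfile \
        || rm -f /root/keyfile
fi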
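If it doesn't work with --ftps-implicit, try without the --ftps-implicit flag. Without it, wget uses plain FTP for an ftp:// URL, so the password and the keyfile cross the network unencrypted.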
Remember to replace "name", "password" and "url_or_IP" with the correct values. Make sure the file you want to access (keyfile on the source system) has the permissions needed to be read by your target system. Check permissions with:
stat filename
For testing purposes you can temporarily grant all rights to this file:
chmod 777 filename
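A hardened variant of the fetch step, added here as an example and not part of the original post: the download goes to a temporary file and is only moved to /root/keyfile if it is non-empty and matches a known SHA-256 digest. The function name install_keyfile, the EXPECTED_SHA256 variable and the temp-file name are assumptions, and the digest check assumes a randomly generated keyfile, because the digest would sit on the flash drive next to the script.

```shell
#!/bin/bash
# Added example (not from the original post): validate a fetched keyfile
# before it is placed where the array start expects it.
# install_keyfile and EXPECTED_SHA256 are hypothetical names.

# install_keyfile <fetched_tmp> <dest> <expected_sha256>
# Installs the key and returns 0 only if the fetched file is non-empty and
# matches the expected digest; otherwise removes the temp file and returns 1.
install_keyfile() {
    ik_tmp="$1"
    ik_dest="$2"
    ik_want="$3"

    # A failed wget -O leaves an empty file behind: treat that as "no key".
    if [ ! -s "$ik_tmp" ]; then
        rm -f "$ik_tmp"
        return 1
    fi

    # Reject a truncated or swapped file before it reaches /root/keyfile.
    ik_got=$(sha256sum "$ik_tmp" | cut -d' ' -f1)
    if [ "$ik_got" != "$ik_want" ]; then
        rm -f "$ik_tmp"
        return 1
    fi

    chmod 600 "$ik_tmp"         # readable and writable by the owner (root) only
    mv -f "$ik_tmp" "$ik_dest"  # rename within one filesystem replaces atomically
}

# Usage inside fetch_key (name, password and url_or_IP are placeholders):
#   tmp=$(mktemp /root/keyfile.XXXXXX)
#   wget --ftps-implicit --user=name --password='password' \
#        ftp://url_or_IP/files/keyfile -O "$tmp"
#   install_keyfile "$tmp" /root/keyfile "$EXPECTED_SHA256"
```

The expected digest can be produced once on the source server with sha256sum keyfile.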
To create the delete_key file, run the following commands:
nano /boot/custom/bin/delete_key
and paste the following code to delete the keyfile:
#!/bin/bash
rm -f /root/keyfile