This repository has been archived on 2020-09-24. You can view files and clone it, but cannot push or open issues or pull requests.

This is no longer being used. The KMIP unlocker can be found here.

FreeNAS-Network-Unlock

Configuration variables are changed within the config.py file.

Setup LUKS Volume with Recovery Keys

You are responsible for setting up the LUKS volume and copying the recovery keys to it. You can use the following as a base. Create a 128 MB file containing random data; this will be the file we will encrypt and use to store the keys. This file is way bigger than required, but hey, we might use it for something else later.

dd if=/dev/urandom of=~/secure.luks bs=1M count=128

Set this file up as an encrypted LUKS container. We will be asked for a passphrase for the encryption. Let's make it long and complicated; we'll use it later to decrypt this volume from FreeNAS.

cryptsetup -y luksFormat ~/secure.luks

Let's open our encrypted volume so we can access it as a device within /dev/mapper. We'll need to use our passphrase to open the file.

sudo cryptsetup luksOpen ~/secure.luks secure

Now we can create a filesystem within the device

sudo mkfs.ext4 -j /dev/mapper/secure

Create somewhere to mount this filesystem in future

sudo mkdir /mnt/secure

At last, we can mount our encrypted file system

sudo mount /dev/mapper/secure /mnt/secure

Now you can copy over your recovery keys to the LUKS volume. The keys will need to be named <POOL_NAME>.recoveryKey

Setup password-less SSH connection

You are responsible for setting up the password-less SSH connection from FreeNAS to the other computer. You can use the following as a base.

# Run ssh-keygen to create the default ~/.ssh/id_rsa ssh key (no passphrase)
ssh-keygen

# Add the public key of this ssh key to the authorized keys of the Pi
# We will be prompted for the password of the Pi user in order to access the Pi on this occasion, but once the keys are installed on the Pi we won't need to use the password again
cat ~/.ssh/id_rsa.pub | ssh <KEY_HOST_USER>@<KEY_HOST> 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

# Check that password-less access is working by running
ssh <KEY_HOST_USER>@<KEY_HOST>
# You should be dumped straight to the terminal of the Pi without being prompted for a password. You can now log out of the Pi using:
exit
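
The key created above has no passphrase and, as installed, opens a full shell on the host that holds the LUKS volume. The following is an added example, not part of the original repository: it audits an authorized_keys file for entries that lack OpenSSH's `restrict`, `from=` and `command=` options. The sample entries, the address and the forced command path are constructed placeholders.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")    # start of the key-type field
REQUIRED = ("restrict", "from", "command")  # options expected on an automation key

# Constructed sample; key blobs, hosts and the forced command are placeholders.
SAMPLE = '''\
# authorized_keys on the key host
ssh-rsa AAAAB3PLACEHOLDER root@freenas
from="192.0.2.10",restrict,command="/usr/local/bin/send-keys \\"tank\\"" ssh-rsa AAAAB3PLACEHOLDER root@freenas
restrict,command="/bin/true, really" ssh-ed25519 AAAAC3PLACEHOLDER backup@host
'''

def parse_entry(line):
    """Return (options, key_fields) for one line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split()[0].startswith(KEY_PREFIXES):
        return [], line                      # no options field at all
    opts, cur, quoted, i = [], "", False, 0
    # The options field ends at the first whitespace outside double quotes.
    while i < len(line) and (quoted or not line[i].isspace()):
        ch = line[i]
        if quoted and ch == "\\" and i + 1 < len(line):
            cur += line[i:i + 2]             # keep an escaped quote as-is
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    opts.append(cur)
    return opts, line[i:].strip()

def audit(text):
    """List (line_number, key_comment, missing_options) for weak entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        opts, key = entry
        names = {o.split("=", 1)[0].lower() for o in opts}
        missing = [r for r in REQUIRED if r not in names]
        if missing:
            fields = key.split(None, 2)
            comment = fields[2] if len(fields) > 2 else "(no comment)"
            findings.append((lineno, comment, missing))
    return findings
```

Run `audit()` over the contents of `~/.ssh/authorized_keys` on the key host; an empty list means every key is pinned to a source address and a forced command.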