# truenas-kmip-unlocker

Encrypted secrets are stored in the secrets.config file.

**This works with native ZFS encryption, but it only unlocks the top-level encrypted dataset, so child datasets must be encrypted with the same passphrase. GELI-encrypted pools continue to be supported.**

#### Install PyKMIP on the TrueNAS host

The script runs on the TrueNAS host itself (it is called from a PostInit task), so install PyKMIP there, with the same interpreter that will later run the script:

```shell
pip install pykmip
```

#### Setup the PyKMIP.conf file

A sample file is included [here](pykmip/client.conf.sample) and should be used as a base. Copy the file (dropping the .sample suffix) and change the variables; the certificate paths must be absolute.

```ini
[client]
host=127.0.0.1
port=5696
certfile=/root/kmip.crt
keyfile=/root/kmip.key
ca_certs=/root/kmip.crt
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_TLS
do_handshake_on_connect=True
suppress_ragged_eofs=True
```

Two things to check before moving on. In the sample, ca_certs points at the same file as certfile; that only works when the KMIP server presents that same certificate (or one it signed), so in general set ca_certs to the CA certificate or bundle that issued the KMIP server's certificate. Keep cert_reqs=CERT_REQUIRED, because that is what makes the client verify it is talking to your KMIP server and not to an impostor answering on port 5696, and keep the client key (kmip.key) readable only by root (chmod 600).

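As an added example (not part of truenas-kmip-unlocker or PyKMIP), a small pre-flight checker for the client.conf that catches the mistakes this step invites: relative certificate paths, a downgraded cert_reqs, a deprecated ssl_version, and a key file readable by other users. The [client] keys are the ones PyKMIP reads; the function names, the checks themselves, and the default config path are this example's own assumptions.

```python
"""Pre-flight checks for the PyKMIP client.conf used by the unlocker.

Added example, not part of truenas-kmip-unlocker or PyKMIP: the [client]
keys are the ones PyKMIP reads, but the checks, function names and the
default config path below are this example's own assumptions.
"""
import configparser
import os
import stat

# Constructed sample: the README's client.conf, with absolute cert paths.
SAMPLE_CONF = """\
[client]
host=127.0.0.1
port=5696
certfile=/root/kmip.crt
keyfile=/root/kmip.key
ca_certs=/root/kmip.crt
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_TLS
do_handshake_on_connect=True
suppress_ragged_eofs=True
"""

# ssl module constants that no longer give a safe handshake.
DEPRECATED_SSL_VERSIONS = {
    "PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23",
    "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1",
}


def check_client_conf(text):
    """Return a list of findings for a client.conf; an empty list means OK."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("client"):
        return ["missing [client] section"]
    c = cp["client"]
    findings = []

    # PyKMIP opens these files itself, and the unlocker runs from a PostInit
    # task with no predictable working directory, so the paths must be absolute.
    for key in ("certfile", "keyfile", "ca_certs"):
        value = c.get(key, "")
        if not value:
            findings.append(f"{key} is not set")
        elif not os.path.isabs(value):
            findings.append(f"{key} must be an absolute path, got {value!r}")

    # Without CERT_REQUIRED the client hands its TLS client certificate to, and
    # accepts key material from, any host answering on the KMIP port.
    if c.get("cert_reqs", "") != "CERT_REQUIRED":
        findings.append("cert_reqs must be CERT_REQUIRED so the KMIP server is authenticated")

    if c.get("ssl_version", "") in DEPRECATED_SSL_VERSIONS:
        findings.append(f"ssl_version {c['ssl_version']} is deprecated; use PROTOCOL_TLS")

    port = c.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"port must be a TCP port number, got {port!r}")

    return findings


def key_mode_findings(mode):
    """Findings for a key file's permission bits (pass st_mode or e.g. 0o644)."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keyfile is readable by group or others; chmod 600 it")
    return findings


def check_keyfile(path):
    """Check that the TLS client key exists and is private to its owner."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"keyfile {path} does not exist"]
    return key_mode_findings(st.st_mode)


if __name__ == "__main__":
    import sys

    # Assumed location: the repo checked out under /root as in the README,
    # with the sample copied to pykmip/client.conf.
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/root/truenas-kmip-unlocker/pykmip/client.conf"
    with open(conf_path) as fh:
        text = fh.read()
    problems = check_client_conf(text)
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if cp.has_option("client", "keyfile"):
        problems += check_keyfile(cp["client"]["keyfile"])
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it once after editing client.conf (and again after any certificate rotation); a non-zero exit means the PostInit task would either fail outright or, worse, connect to an unauthenticated KMIP endpoint.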
#### Encrypt your secrets

* Encrypt your TrueNAS API key
* Encrypt the passphrase for your pool/dataset
* Select the jail storage pool
* Encrypt your remaining pool/dataset passphrases as needed

Run the following command to configure your API key, jail storage pool, and pool names and passphrases:

```shell
python truenas-kmip-unlock.py --config
```

#### Create Task

Create a PostInit task that calls this script to unlock the encrypted pools/datasets:

```shell
python /root/truenas-kmip-unlocker/truenas-kmip-unlock.py
```

The KMIP server must be reachable when the PostInit task runs; if it is not, the secrets cannot be decrypted and the datasets stay locked, along with anything (jails included) that depends on them.

#### Debugging

Nothing is logged to a file; everything is written to the console. To enable debug output, pass the **[-v|--verbose]** argument when running the command:

```shell
python /root/truenas-kmip-unlocker/truenas-kmip-unlock.py --verbose
```