# truenas-kmip-unlocker

Encrypted secrets are stored within the secrets.ini file.
I reverted the script to make it work with 11.3. I am going to wait until 12 is either RC or released as I had trouble with the new api commands.
## Install pyKMIP on the computer

```
pip install pykmip
```
## Set up the PyKMIP.conf file

A sample file is included here and should be used as a base. Copy the file and change the variables; the cert paths need to be absolute.

```
[client]
host=127.0.0.1
port=5696
certfile=/root/kmip.crt
keyfile=/root/kmip.key
ca_certs=/root/kmip.crt
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_TLS
do_handshake_on_connect=True
suppress_ragged_eofs=True
```
## Encrypt your secrets

- Encrypt your root password for FreeNAS
- Encrypt the passphrase for your pool
- Encrypt the remaining pool passphrases as needed

Run the following command to encrypt your secrets. It will ask for the passphrase/password that you want to encrypt, and to confirm it, before outputting the encrypted passphrase. Take the encrypted secret and create a new section in the config ini file for the pool; your encrypted root password goes into the DEFAULT section. The section name is the pool name, and the only key in that section is `encrypted_key`, whose value is the encrypted secret.

```
python truenas-kmip-unlock.py --encrypt
```
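The secrets.ini layout described above, together with the absolute-path and certificate-verification requirements of the PyKMIP client config, as an added example (not part of the truenas-kmip-unlocker project). It assumes the DEFAULT-section key for the root password is named `root_password`, which this README does not specify; `encrypted_key` and the config options come from the text above.

```python
import configparser
import os

# Constructed sample secrets.ini (placeholder values, not real ciphertext).
SECRETS_INI = """
[DEFAULT]
root_password = ENC_PLACEHOLDER_ROOT
[tank]
encrypted_key = ENC_PLACEHOLDER_TANK
"""

# Constructed pykmip.conf with two mistakes: a relative cert path and TLS
# peer verification switched off (the README sample uses CERT_REQUIRED).
PYKMIP_CONF = """
[client]
host=127.0.0.1
certfile=kmip.crt
keyfile=/root/kmip.key
ca_certs=/root/kmip.crt
cert_reqs=CERT_NONE
"""

def load_secrets(text):
    """Return (root_secret, {pool: encrypted_key}) from secrets.ini text."""
    # Rename the defaults section so [DEFAULT] is parsed as an ordinary section
    # and its key is not silently inherited by every pool section.
    cfg = configparser.ConfigParser(default_section="__unused__")
    cfg.read_string(text)
    root = cfg["DEFAULT"]["root_password"]  # assumed key name (README does not name it)
    pools = {}
    for pool in cfg.sections():
        if pool == "DEFAULT":
            continue
        keys = set(cfg[pool].keys())
        if keys != {"encrypted_key"}:
            raise ValueError(f"section [{pool}] must contain only encrypted_key, got {sorted(keys)}")
        pools[pool] = cfg[pool]["encrypted_key"]
    return root, pools

def check_pykmip_conf(text):
    """Return a list of problems found in the [client] section (empty if it looks right)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    client = cfg["client"]
    problems = []
    for opt in ("certfile", "keyfile", "ca_certs"):
        if not os.path.isabs(client.get(opt, "")):
            problems.append(f"{opt} must be an absolute path")
    if client.get("cert_reqs") != "CERT_REQUIRED":
        problems.append("cert_reqs must be CERT_REQUIRED so the KMIP server certificate is verified")
    return problems
```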
## Create Task

Create a Post Init task that calls this script to unlock the drives:

```
python /root/truenas-kmip-unlocker/truenas-kmip-unlock.py
```
## Debugging

Nothing is logged to a file. Everything is output to the console. If the logging level is set to DEBUG, all passphrases are printed in plain text; this is to confirm that decryption is working correctly. To enable debug mode, change the line below to use DEBUG instead of INFO:

```
logger = utils.build_console_logger(logging.INFO)
```