truenas-kmip-unlocker
Configuration variables are set in the config.ini file.
This doesn't work with ZFS encryption. This only works with GELI encrypted disks right now. This is a limitation of the TrueNAS Beta right now. I was wrong, but it seems like the pool/dataset/encryption_summary isn't working, so I'm not able to get a good idea about the differences. pool/dataset/id/media gets my information, but I need more time to look at it and compare it to pool/dataset/id/temp. On top of that, I can't remember, but I thought the pool/unlock didn't work with the ZFS encryption on temp.
Install pyKMIP on the computer
pip install pykmip
Setup the PyKMIP.conf file
I store my file at /etc/pykmip/pykmip.conf; an example file is below. Change host to your KMIP server and update the certificate paths. Note that ca_certs should point at the CA bundle that signed the KMIP server's certificate; pointing it at the client certificate, as in the example, only works when the server presents that same self-signed certificate. Keep cert_reqs=CERT_REQUIRED so the server certificate is actually verified, and keep keyfile readable by root only.
[client]
host=127.0.0.1
port=5696
certfile=/root/kmip.crt
keyfile=/root/kmip.key
ca_certs=/root/kmip.crt
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_TLS
do_handshake_on_connect=True
suppress_ragged_eofs=True
Encrypt your encryption passphrase
Run the following command to encrypt your passphrase. It will prompt for the passphrase and ask you to confirm it before printing the encrypted passphrase. Take the encrypted passphrase and create a new section in config.ini for each pool: the section name is the pool name, and the only key in that section is encrypted_key, set to this value.
python truenas-kmip-unlock.py --encrypt
Create Task
Create a Post Init task that calls this script to unlock the drives:
python /root/truenas-kmip-unlocker/truenas-kmip-unlock.py
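The steps above (a wrapping key held on the KMIP server, an encrypted passphrase per pool section in config.ini, decryption at boot) are illustrated by the following added example. It is not the project's own code or its on-disk format: the wrap/unwrap scheme (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standard library only) is assumed for illustration, the `fetch_kek_from_kmip` helper and its `uid` argument are hypothetical, and the config text is constructed here.

```python
"""Illustrative wrap/unwrap of pool passphrases with a KMIP-held key.

Added example, not the truenas-kmip-unlocker script's own code or format.
Only the config layout (one [poolname] section holding encrypted_key)
follows the README; the cipher construction below is an assumption.
"""
import base64
import configparser
import hashlib
import hmac
import os


def _subkeys(kek: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the KMIP-held key."""
    enc = hmac.new(kek, b"truenas-unlocker/enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"truenas-unlocker/mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: PRF(nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_passphrase(kek: bytes, passphrase: str) -> str:
    """Return base64(nonce || ciphertext || tag) for one pool passphrase."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(16)                       # fresh per wrap, never reused
    pt = passphrase.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return base64.b64encode(nonce + ct + tag).decode()


def unwrap_passphrase(kek: bytes, blob: str) -> str:
    """Verify the tag first, then decrypt; raises ValueError on any mismatch."""
    raw = base64.b64decode(blob)
    if len(raw) < 16 + 32:
        raise ValueError("encrypted_key too short to contain nonce and tag")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    enc_key, mac_key = _subkeys(kek)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: wrong key or tampered blob")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode()


def fetch_kek_from_kmip(uid: str, config_file: str = "/etc/pykmip/pykmip.conf") -> bytes:
    """Hypothetical helper: retrieve the symmetric wrapping key from KMIP.

    Uses PyKMIP's ProxyKmipClient with the [client] section of the config
    file described in the README. Not exercised offline.
    """
    from kmip.pie.client import ProxyKmipClient  # imported lazily: needs pykmip

    with ProxyKmipClient(config_file=config_file, config="client") as client:
        return client.get(uid).value


def pool_passphrases(config_text: str, kek: bytes) -> dict[str, str]:
    """Map each [poolname] section's encrypted_key to its plaintext passphrase."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return {
        pool: unwrap_passphrase(kek, cp[pool]["encrypted_key"])
        for pool in cp.sections()
    }


if __name__ == "__main__":
    # Constructed demo key; in production this comes from fetch_kek_from_kmip().
    demo_kek = os.urandom(32)
    demo_ini = "[tank]\nencrypted_key = " + wrap_passphrase(demo_kek, "example") + "\n"
    print(pool_passphrases(demo_ini, demo_kek))
```

Because the tag is checked before any decryption, a wrong KMIP key or an edited encrypted_key value fails closed with a ValueError instead of handing a garbage passphrase to the unlock call.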
Debugging
Nothing is logged to a file. Everything is written to the console. If the logging level is set to DEBUG, all passphrases are printed in plain text; this exists to confirm that decryption is working correctly, so only use it interactively and set the level back to INFO before the script runs as a Post Init task. To enable debug mode, change the line below to DEBUG instead of INFO:
logger = utils.build_console_logger(logging.INFO)