Tutorial: do not store the keyfile on the NAS / backup between two encrypted NAS

    Hi there,


    since I wrote a tutorial for the English-language QNAP forum, I'd like to post it here as well, as people have asked quite often how to store the key/password somewhere other than on the device itself. It is a bit too long for me to translate right now, but I think most of you know enough English to follow it. Of course the individual elements of the tutorial can also be used for purposes other than encrypted RTRR backups.


    Regards,
    Marky.


    -------------------------------------------------------


    Hiya,


    after spending hours on getting this to work, I decided to put together a quick tutorial on how you can mount encrypted volumes with a keyfile that is not stored on the NAS itself. Most of the information that is needed to do this is spread across this forum, the German forum and some other sites.


    First, let me outline my current configuration and what it does:


    Setup:
    - NAS Main Server, encrypted file system, password has to be manually entered after boot. Never powered down, used as main server on the network.
    - Backup NAS, encrypted file system, auto-mounted after boot. Usually powered off, wakes up once a week to do an rtrr-backup of the main server.


    The main point is that the keyfile to mount the Backup NAS is not stored on the Backup NAS itself, but on the Main Server, so if the main server is powered down, the Backup NAS' encrypted volumes won't be mounted automatically (of course you can do so manually through the Web-GUI). I still wonder why QNAP won't allow users to utilize keyfiles on a remote share or USB device, but anyhow, here's how to do it.


    The following steps are a brief summary of what you have to do and require some proficiency.


    1.) Create Keyfile


    The first thing you do is create a keyfile. SSH into the NAS you want to mount automatically and create it:


    Code
    storage_util --encrypt_pwd pwd=YOUR_PASSWORD > /tmp/keyfile.key


    where


    YOUR_PASSWORD is the password you use to mount your encrypted devices on the NAS


    The result will be an encoded keyfile which will later be used to automount the volumes. Please note that this keyfile is not identical to the keyfile you can download with the storage manager's download function!!! It contains your password in encrypted form.


    Make sure your keyfile does not have a linefeed at the end of the password. Load it into vi or use Windows notepad to make sure.


    2.) Copy Keyfile to secure Location and create Backup User


    The next thing you want to do is copy the keyfile you just produced to its final destination. The safest place in my opinion is the Main NAS, which can only be decrypted by manually entering the password after boot.


    So what you want to do is create a share, e.g. "BackupMount" on your Main NAS and copy the keyfile into this share.


    Next you want to create a user that will later access the keyfile on your Main NAS to mount the encrypted volumes on your Backup NAS. In this example, we'll create a user called "BackupNAS". Make sure the password for this user is absolutely unique. This password should not be identical to any password used to decrypt volumes or gain access rights to your NAS because this will later be available in plain text to possible intruders!!! In this example, this password is USERPASS.


    Limit access for this user to the share which holds the keyfile. This should be the only share with access rights for this user (Read-Only is enough). Do not grant access to this share to any other users on the NAS.


    3.) Write automount-script


    The next thing to do is create an automount-script that will later be called on system startup on the Backup-NAS.


    In this example it would look like this:


    Bash
    #!/bin/sh
    # mount point for the share on the Main NAS that holds the keyfile
    mkdir /keylocation
    # mount that share with the dedicated (read-only) backup user
    mount.cifs //192.168.0.5/BackupMount /keylocation -o username=BackupNAS,workgroup=WORKGROUP,password=USERPASS
    # open the LUKS volume with the keyfile from the remote share
    cryptsetup -v luksOpen /dev/mapper/cachedev1 ce_cachedev1 --key-file=/keylocation/keyfile.key --key-slot 0
    # mount the decrypted volume where QTS expects it
    mkdir /share/CE_CACHEDEV1_DATA
    mount -t ext4 /dev/mapper/ce_cachedev1 /share/CE_CACHEDEV1_DATA
    # let QTS pick up the volume and shares (this step takes a few minutes)
    /etc/init.d/init_lvm.sh


    where


    192.168.0.5 is the IP address of your Main NAS (the place you stored the keyfile on)
    BackupMount is the share you created on this device and stored the keyfile in
    BackupNAS is the username you created on this device and
    USERPASS is the password for this user
    keyfile.key is the keyfile you created in step 1
    WORKGROUP of course is the workgroup name of your samba network.


    In this example, we'll call the script automount.sh


    Again, make sure your script does have correct linefeeds. Either load it in vi or edit it on Windows, but make sure it's properly formatted afterwards. If you're unsure if it's okay, use dos2unix (download from sourceforge) to make sure it's properly formatted.


    4.) Copy automount-script on persistent device


    As we want to execute this script on startup later, it's important that you store it on a device that is not replaced by flash-memory after reboot. The best option is a USB-Stick, as you can quickly pull it out if you don't want your device to be automatically decrypted for whatever reason.


    So put the USB-Stick into your Backup-NAS and format it with ext4. Otherwise you might have problems with making the script executable.


    Copy the automount-script on the USB-Stick. Again: Make sure it's properly formatted for linux (see above).


    SSH into your Backup-NAS and find the USB-Stick first (it's in /share/external/). Note the device name of the USB-Stick. You will need it later.


    Make the script executable using


    Code
    chmod +x automount.sh


    You might now want to test the script. Please note:
    - the script can't be executed from the current directory, so "automount.sh" won't work. Use "./automount.sh" to test it.
    - the last step in the script might take a while (2-3 minutes); smoke a cigarette or have a cup of coffee in the meantime. Don't lose patience.


    5.) Setting up auto-execution of the script


    Now this is a little bit dirty, but it's what I found and it works although I don't really like its implementation.


    Go to /etc/conf/


    Edit the file "qpkg.conf"


    Append the following section:


    Code
    [CryptMount]
    Name = CryptMount
    Version = 0.1
    Author = marky
    Date = 2016-01-01
    Shell = /share/external/DEV3301_0/automount.sh
    Install_Path = /share/external/DEV3301_0
    Enable = TRUE


    where
    DEV3301_0 is the device name of the USB-Stick you noted above


    As you can see, most of the information is unimportant, only Shell and Install_Path are relevant.


    6.) Final check.


    Now you can reboot your Backup-NAS and be patient. After some time you will be able to access all shares, and even the storage manager will show the volume with an open lock.


    Of course it's up to you what to do next, set up a time schedule for unattended backups with no need for interaction or just adjust the procedure to your needs.


    That's it for now, I'm sure I forgot something, but it's quite a longish procedure to describe.


    Enjoy,
    Marky.
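As an added example (not Marky's script and not QNAP's code), here is a fail-closed variant of the step 3 automount script that also turns the two formatting pitfalls the post warns about into checks: `keyfile_ok` rejects a keyfile whose last byte is a linefeed or carriage return (step 1), and `no_crlf` rejects a script saved with Windows line endings (step 3, what dos2unix would fix). It further takes the share password from a root-only credentials file (the `credentials=` option of mount.cifs) instead of the command line, so USERPASS is not visible in `ps` output, and it unmounts the keyfile share right after luksOpen. IP, share, user and device names are the post's example values; the credentials file path `.smbcreds` on the USB stick, the function names, and the assumption that the qpkg.conf `Shell` entry calls the script with a `start` argument are mine.

```shell
#!/bin/sh
# Added example, not the script from the post: fail-closed automount with
# pre-flight checks. All names below are the post's example values except
# CREDS (assumed file with 'username=BackupNAS' and 'password=USERPASS'
# lines, optionally 'domain=WORKGROUP', owned by root with mode 600).

KEYSHARE="//192.168.0.5/BackupMount"        # share on the Main NAS holding the keyfile
KEYMOUNT="/keylocation"                     # temporary mount point for that share
KEYFILE="$KEYMOUNT/keyfile.key"             # keyfile created in step 1
CREDS="/share/external/DEV3301_0/.smbcreds" # assumed credentials file (see above)
LUKS_DEV="/dev/mapper/cachedev1"
LUKS_NAME="ce_cachedev1"
DATA_MOUNT="/share/CE_CACHEDEV1_DATA"

die() { echo "automount: $*" >&2; exit 1; }

# Return 0 if the file is non-empty and its last byte is neither LF (0a) nor
# CR (0d). cryptsetup uses the whole file as the passphrase, so a trailing
# newline becomes part of the key and the volume will not open.
keyfile_ok() {
    [ -s "$1" ] || return 1
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] && [ "$last" != "0d" ]
}

# Return 0 if the file contains no carriage returns, i.e. it was not saved
# with Windows CRLF line endings (the same defect dos2unix repairs).
no_crlf() {
    tr -d '\r' < "$1" | cmp -s "$1" -
}

automount_main() {
    no_crlf "$0" || die "script has CRLF line endings, run dos2unix on it"
    mkdir -p "$KEYMOUNT" "$DATA_MOUNT"
    # Password comes from the credentials file, not the command line, so it
    # does not appear in 'ps' output or the shell history.
    mount.cifs "$KEYSHARE" "$KEYMOUNT" -o "credentials=$CREDS,ro" \
        || die "Main NAS not reachable, leaving the volume locked"
    keyfile_ok "$KEYFILE" || { umount "$KEYMOUNT"; die "keyfile missing or has a trailing newline"; }
    cryptsetup -v luksOpen "$LUKS_DEV" "$LUKS_NAME" --key-file="$KEYFILE" --key-slot 0
    rc=$?
    # The keyfile is only needed for luksOpen: drop the share immediately.
    umount "$KEYMOUNT"
    [ "$rc" -eq 0 ] || die "luksOpen failed (rc=$rc)"
    mount -t ext4 "/dev/mapper/$LUKS_NAME" "$DATA_MOUNT" || die "mounting the data volume failed"
    /etc/init.d/init_lvm.sh
}

# Run the mount sequence only when invoked with 'start' (assumed to be what the
# qpkg.conf Shell entry passes) or 'run' for a manual test; otherwise the file
# can be sourced to use the check functions on their own.
case "${1:-}" in
    start|run) automount_main ;;
esac
```

For a manual test from the USB stick, `./automount_safe.sh run` behaves like the original `./automount.sh`, except that it stops with a message instead of continuing when the Main NAS is down or the keyfile is malformed, which is the behaviour you want from a script that decides whether an encrypted volume gets opened.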