Truecrypt and user shares?


TXFI


I'm an unRAID newbie and have never used Slackware so this is all kind of new to me and am looking for some help. Anyway, I just finished installing the HW and SW (v4.4) for my new unRAID server today and as I was kind of missing encryption I decided to see what could be done about it. Apparently Truecrypt seems to work well with unRAID. After a couple of hours of fiddling with the package manager, kernel config etc. I'm currently able to do the following within unRAID console using native tools:

 

- create encrypted volumes (create a TC container to e.g. /mnt/disk1/crypt-01)

- mount encrypted volumes (mount to e.g. /crypt/crypt-01)

- share encrypted+mounted volumes via e.g. CIFS (e.g. \\my-unRAID\crypt-01)

- read from and write to encrypted+mounted volumes via the CIFS share from another host (tested only Linux and Windows XP so far)

- unmount volumes

 

I haven't started to look into mapping encrypted+mounted volumes to user shares. I don't have too much time to dedicate to this project since my initial design goals are working (fault tolerance and encryption) but it would be nice to get the user shares working. It would be great if you could give me some pointers on how to get started, I'm kind of feeling lazy and don't feel like figuring it out myself (at least not this week).

 

The other thing I might do is use ntfs3g instead of reiserfs to format the container. That should enable me to mount the container over the network using Windows Truecrypt without the not-so-convenient reiserfs drivers, in case I would ever want to mount the container remotely (unlikely). I don't see this as a big issue as I can just mount the container within unRAID and share it to Windows - if in an emergency I'd need to connect a unRAID drive to Windows I'd need the reiserfs driver anyway to read the file system hosting the container. Any thoughts on this?

 

Btw, here's a link to where I show off my new server: http://lime-technology.com/forum/index.php?topic=2031.msg24317#msg24317

 

Tom - thanks for a great product. Everyone else - thanks for a great forum.


well this certainly turned out to be easier than I thought - just by symlinking the directories inside the encrypted containers to /mnt/disk*/ made the user shares work just fine. I disabled disk shares so that the container files aren't accessible from the network and since symlinking worked so well I don't have to create the shares to my files manually. All in all, I now have a fault tolerant, encrypted storage server that consolidates views of my data from all the encrypted+mounted containers into user shares. In case someone ends up stealing my server, all they'll find are 4 x 1.45 TB files full of gibberish ;-)

 

No wonder you guys like unRAID so much!

  • 2 weeks later...


Care to write this up in a bit more detail (specifically your steps to get TC up and running)? This is *exactly* what I'd be wanting to do as soon as I build an unraid server imminently. Native encryption is the only feature unraid is missing as far as I'm concerned.

 

Are you just creating a 1.5TB container file on each disk? Or are you actually creating an encrypted raw partition with truecrypt and then letting unraid format it as reiser? (note: never used truecrypt under unix so not sure if this is possible).

 

Also, if you are creating 1.5 (ish) TB container files per disk - how much 'slack space' have you got left per disk at the end? Or have you managed to make each container precisely fit the disk?

 

How are you handling mounting of the containers at boot up?

 

Top work!


boof: I have a draft of my install notes, which I need to clean up so that someone else could understand it, too. Hopefully I can get to that after I get vmware and jungledisk (waiting for 2.50 final) running OK. Now that the holidays are over I have far less time to dedicate to this, though.

 

In order to get it to work, I had to compile a custom kernel with modified makefiles to enable unRAID and dm-mod at the same time. Then I just created the container files into /mnt/disk?/, thus enabling unRAID to manage parity as it's just files, even though they are 1.34 TB each or so. I wanted to leave a little bit of space on each disk - they have 800 MB free space/each. If I wanted to fill the disks completely, it would be just a matter of increasing the size when creating the TC containers.

 

I install all the necessary libraries etc. and mount the drives after unRAID has finished booting with a custom shell script. If I wanted I could just call it with the "go" script/embed it into the "go" script and have it do everything at boot (or just install all the stuff into the bootimage). However, I never enter my TrueCrypt passwords using anything but a wired keyboard at local console so manually running the mount script was a design decision for me, not a missing feature.

 

----

 

Bubbaq: Yeah, symlinking turned out to be a bad idea. Instead I just mount the containers to another root folder, have turned off all unRAID shares and just share the stuff as I please via smb.shares. Seems to be working well and fast (initial test results were about 50MB/s from encrypted unRAID to my Vista box).

 

  • 8 months later...

What is the point of sharing an encrypted file system?

Would it not be better to simply mount the truecrypt file when needed?

Can you not do multiple mount (2 workstations ) at the same time, on the same file?

I thought you could. I can maybe test that. I use truecrypt, but I mount it every time I need it.

More secure.

  • 2 weeks later...

TXFI,

 

Getting truecrypt working on unRAID is one task I would love to have on my unRAID. I would also like to know some more details on how you have TC working. I'm very new to both unRAID/Linux, but I'm fairly technically inclined. I have some questions that would really help me understand how this works.

 

Did you compile your own Truecrypt source? I figure the ubuntu.tar.gz won't work :) If so, what packages did you need to install & compile? I have compiled some encoding libs (Lame, FLAC) and only needed the following packages installed...

 

installpkg binutils-2.18.50.0.9-i486-1.tgz
installpkg cxxlibs-6.0.8-i486-4.tgz
installpkg gcc-4.2.4-i486-1.tgz
installpkg gcc-g++-4.2.4-i486-1.tgz
installpkg glibc-2.7-i486-17.tgz
installpkg kernel-headers-2.6.27.7_smp-x86-1.tgz
installpkg make-3.81-i486-1.tgz

 

Also, what files are needed to be copied to unRAID system paths (if any) after booting for TC to work?

 

I currently have a whole disk encrypted on my XP machine. I don't feel it's necessary to have the encrypted drive added to the array (since I back it up nightly). Can I plug the NTFS encrypted HD into a free SATA slot and have TC mount the encrypted drive through a PuTTY session? Would I need to format the drive or could I use the ntfs-3g-2009.3.8-i486-1.tgz (NTFS read/write filesystem driver) to read the data?

 

If the above works, what would be needed to access the encrypted drive on a network?

 

I hope TXFI responds since this thread was originally started 10 months ago  ???

 

  • 2 weeks later...

I've been running my Truecrypt unRAID for 10 months now and it is 100% stable and reliable. I have five 1.5 TB containers formatted with ReiserFS, which I mount with a shell script at boot (truecrypt /mnt/disk1/data-01 /data/data-01). I would imagine I could use an NTFS container, too, if I loaded NTFS-3G but since I have no need for it, I haven't tried it. All the necessary packages are installed from /boot/custom prior to mounting by the same script, including the TrueCrypt binary (which I downloaded from repository.slacky.eu along with all the other packages). To share the encrypted data from mount points I have my own smb.conf and smb.shares, which are copied and enabled (smbcontrol smbd reload-config) at boot as well. Since I never stop the array, Bubba's concern about smb.shares getting overwritten is not a problem for me.

 

The key to get all this working was a custom kernel and modified source files, which I had to build using a full Slackware distro. It's been a while now so I don't exactly remember what I had to change but kapperz's error message about device-mapper missing from the kernel sounds very familiar.

 

To smino's point, the reason is that I consider my network to be fairly secure. If, however, someone would e.g. steal my server he wouldn't be able to read the data in the encrypted containers (without torturing the passwords out of me or cracking the encryption, in either case I'm likely to be dead. Or maybe use a cold boot attack or a (remote) keylogger).

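For readers who, like boof and the later posters, asked what the boot-time script looks like: the following is an added example in the shape TXFI describes across his two replies (install packages from /boot/custom, run "truecrypt <container> <mountpoint>" for each container, write share definitions, then "smbcontrol smbd reload-config"). It is not TXFI's script or anything from the unRAID project; the container naming (/mnt/disk*/data-*), the /data mount root, the /etc/samba/smb.shares path and the share options are assumptions. The passphrase is typed at the console when truecrypt prompts, which is the design decision TXFI explains; nothing here reads it from a file or passes it on the command line. The checks before mounting (container is a regular file, mountpoint not already in use) are what keep a typo from leaving an empty directory exported as a share.

```shell
#!/bin/sh
# tc-mount.sh: boot-time helper for TrueCrypt containers on unRAID.
# Added example, not the script from the thread; every path and option below
# is an assumption. Run as: sh tc-mount.sh --boot

TC_BIN="${TC_BIN:-truecrypt}"              # TrueCrypt CLI (overridable for tests)
PKG_CMD="${PKG_CMD:-installpkg}"           # Slackware package installer
PKG_DIR="${PKG_DIR:-/boot/custom}"         # assumed location of the .tgz packages
MOUNT_ROOT="${MOUNT_ROOT:-/data}"          # assumed mount root, e.g. /data/data-01
SHARE_FILE="${SHARE_FILE:-/etc/samba/smb.shares}"  # assumed path for the share file

# Install every Slackware package found in PKG_DIR; stop at the first failure.
install_custom_pkgs() {
    for pkg in "$PKG_DIR"/*.tgz; do
        [ -f "$pkg" ] || continue          # glob matched nothing
        "$PKG_CMD" "$pkg" || return 1
    done
}

# True when mountpoint $1 is already listed in /proc/mounts (-s: quiet if the
# file does not exist, so the check simply reports "not mounted" elsewhere).
is_mounted() {
    grep -qs " $1 " /proc/mounts
}

# Mount one container ($1) at mountpoint ($2). Refuses unless the container is
# a regular file and the mountpoint is free, so a wrong path cannot leave an
# empty directory that later gets exported as if it held the data.
mount_container() {
    container="$1"; mp="$2"
    [ -f "$container" ] || { echo "no container file: $container" >&2; return 1; }
    if is_mounted "$mp"; then
        echo "already mounted: $mp" >&2
        return 1
    fi
    mkdir -p "$mp" || return 1
    # TrueCrypt prompts for the passphrase on the local console here.
    "$TC_BIN" "$container" "$mp"
}

# Print a Samba share stanza named $1 for path $2; read-only unless $3 is "yes".
# "valid users = @users" is an assumed policy, not something from the thread.
share_stanza() {
    name="$1"; path="$2"; writable="${3:-no}"
    printf '[%s]\n    path = %s\n    browseable = yes\n    writable = %s\n    valid users = @users\n\n' \
        "$name" "$path" "$writable"
}

# Mount every /mnt/disk*/data-* container under MOUNT_ROOT and regenerate the
# share file from the mounts that succeeded. Returns the number of failures.
mount_all() {
    failed=0
    : > "$SHARE_FILE"
    for c in /mnt/disk*/data-*; do
        [ -f "$c" ] || continue
        name=$(basename "$c")
        if mount_container "$c" "$MOUNT_ROOT/$name"; then
            share_stanza "$name" "$MOUNT_ROOT/$name" yes >> "$SHARE_FILE"
        else
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

if [ "${1:-}" = "--boot" ]; then
    install_custom_pkgs && mount_all
    # Ask the running smbd to pick up the new share definitions (as in the thread).
    smbcontrol smbd reload-config
fi
```

Because the script only exports a share after the corresponding mount succeeded, a container that fails to open (wrong passphrase, missing file) is simply absent from the share file rather than showing up as an empty, writable directory.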

Thanks TXFI for replying. You seem to have a lot of customization for TC to work. I've been looking into if I can use /proc/misc to get around having to compile my own kernel. Which I have no idea how to do (me = linux n00b).

 

(which I downloaded from repository.slacky.eu along with all the other packages)

 

What other packages did you need?
