unable to unlock disks #20
Comments
If the drives are unlockable via the GUI, you can try in the terminal first. monit stop openmediavault-engined Then go to the UI and unlock the drive, the password should be in clear text in the console that the backend is applying to unlock the drives.
Hi, thanks for your answer. I can unlock via the GUI. Apparently I'm not using the version of OMV that you expected, as I get this error:
Sorry, it is monit stop omv-engined
Thanks, I was able to get a password this way:
The "problem" in somepass seems to be that all the \ and / are escaped compared to my original password. However, when I try to use this in the GUI to add a new key or to unlock with the CLI, the problem persists.
So your passphrase contains slashes and backslashes? I’ll try to reproduce it in 3.x and 4.x. But to be honest, it is unlikely we push a fix for 3.x because it is EOL.
Yes, it does contain them. I'm not going to publish it here, but you can assume it contains all the special characters one might encounter; I just generated one long passphrase with KeePass. It is pretty problematic and a warning/solution should be shown to users before a fix is pushed. If not retro-compatible, it will make data unrecoverable.
I can reproduce the problem, but only with very large passwords. Cryptsetup (I know now) has a hardcoded limit of 512 characters for interactive passwords. Is your password longer than that? Other tests using strings with slashes and other characters show me no problem between console and UI. What is not clear is what happens when you format with a longer password: does cryptsetup just cut the string to 512? As for using keyfiles, I know there was an issue, but I pushed a fix for that a long time ago for 4.x.
The password is around 60 chars, nothing crazy like 512. List of special chars used by KeePass, if that's of any help.
I created the volumes a year ago, so that might have been fixed meanwhile? Do you have any solution to get the "true" password? Or should I find a way to back up my data and reformat the drives?
No, you can't get the LUKS password. No need to reformat either. Just set a different password or use a file in a different slot, then delete the slot with the strange password. If you really want to use such a complex password, why not use a file?
Unless I'm mistaken, I cannot do that: on the CLI I can't add a new passphrase slot without knowing the previous one. And in the GUI I get the above-mentioned error:
60 chars is not "complex", and I decided not to use a file because it would mean having the passphrase unencrypted on some drive at some point. I would rather have everything in a password manager.
Before attempting a 512+ char string, I did try a 32 char string with several non-alpha chars and it worked. I’ll try later on with 60 chars and those characters you’re mentioning here. If I am not mistaken, you should be able to add another simple passphrase in the UI, then with that passphrase add a key file in the CLI. There was a bug with the key files in the plugin, @ryecoaaron do you know if that was documented in the forum or here?
@chmol I'm not sure how you think a 60 char password with lots of special symbols is not a complex password... The reason I mentioned using a file was because you said you could back up your data. You have no way to back up your data if you can't unlock the device. @subzero79 I don't remember where it was. I think if you used a password for the main slot and then tried to add a key file, it had a problem. If you add the key file first, then you were ok. You fixed that though.
I grabbed all those characters, smashed the keyboard for some random alphanumeric characters, added it through the UI, then unlocked it interactively in the terminal with no issue.
However, if you attempt to unlock in the CLI via stdin, the single quote in the middle escapes, so I have to double wrap it, like this:
I don't know why it doesn't complain when executing this command in the backend.
@ryecoaaron I can unlock the device, but only through the GUI, where some magical black box transformation happened. So backup is not a problem per se, I just don't have the space to do so on other drives. The real issue is long term: I have no idea what the passphrase is, and any update in the plugin might render the current situation invalid. Moreover, I might not be the only user experiencing this. @subzero79 I tried escaping in stdin and "regular" mode. No luck. I can still perfectly unlock via the GUI. I'll be AFK for a few weeks but I hope you will still be available to help after. Thanks for the time you took on this.
@chmol if you can unlock the device from the web interface, you must know the passphrase and you can add another passphrase in another slot. Then you can delete the passphrase in the first slot with the new passphrase. As for "fixing" the plugin so you can use it from the command line, I don't think the plugin is the problem. It properly escapes all characters and this can be difficult to do from the command line.
I'm sorry, it doesn't work, see: #20 (comment)
@chmol try this nano +458 /usr/share/php/openmediavault/system/storage/luks/container.inc before
Now run omv-engined -d -f again. You should see the exact command using echo that the backend is using to unlock and decrypt the drive. If there are single quotes inside the password, they will get escaped by the PHP process class, I believe. This is what I saw using the password I mentioned above; notice how the single quote gets escaped differently from what I did before.
After you have a working command, you can add a keyfile in the terminal to a second slot.
Hello, I've just copy-pasted the command shown in the omv-engined output:
or
Both fail :/ PS: nice editor trick to add +linenumber :)
Hello, same problem here. My password contains the % character, which might cause a problem. I set the password using the Web UI when encrypting the disk and I can unlock the encryption successfully using the Web UI. I got the command printed during unlock as described in subzero79's comment and the password is shown there as expected (My%Password). But when I use the TEST or ADD KEY functionality in the encryption UI, I get something like: The % character and the next character are missing: My%Password --> Myassword
This is not a trivial bug, people; you should remove this plugin from the repo until fixed, as it might lead to lost data...
@chmol simmer down. More people would lose data without the plugin since they don't know how to use cryptsetup. And still wondering what/how to fix. Single and double quotes generate an error in the web interface. So, a key is not added. Percent is working in my tests. $ works, but since anything after the $ evaluates as an environment variable (most likely empty string), your password is whatever is before the $ sign. I guess I could restrict allowing a $ in the password.
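The quoting behaviour discussed in the comments above (a $ in the passphrase being expanded as a variable, and an embedded single quote needing extra wrapping), shown as an added example that is not part of the thread or the plugin's code. It round-trips constructed sample passphrases through a second shell three ways; the helper names (sh_quote, via_double_quotes, via_single_quotes, via_sh_quote) are hypothetical.

```shell
#!/bin/sh
# Added example: how a passphrase changes when it is pasted into a shell
# command string, and a quoting helper that preserves it byte for byte.
# All passphrases below are constructed samples, not values from the thread.

# sh_quote STRING: print STRING as one single-quoted POSIX sh word.
# Every embedded ' becomes '\'' (close quote, literal quote, reopen quote).
sh_quote() {
    q="'" s=$1 out=
    while :; do
        case $s in
            *"$q"*) out=$out${s%%$q*}$q\\$q$q; s=${s#*$q} ;;
            *)      out=$out$s; break ;;
        esac
    done
    printf '%s' "$q$out$q"
}

# Each helper builds a command line around the passphrase, hands it to a second
# shell and prints what that shell actually passed on. printf '%s' is used
# instead of echo because some sh builtins expand backslash sequences in echo.

# Double-quoted: $name is expanded before the passphrase is used.
via_double_quotes() { sh -c "printf '%s' \"$1\"" 2>/dev/null; }

# Single-quoted without escaping: an embedded ' ends the quoted word early.
via_single_quotes() { sh -c "printf '%s' '$1'" 2>/dev/null; }

# Quoted with sh_quote: the second shell receives the original bytes.
via_sh_quote() { sh -c "printf '%s' $(sh_quote "$1")"; }

show() {
    printf '%-18s dq=[%s] sq=[%s] safe=[%s]\n' "$1" \
        "$(via_double_quotes "$1")" "$(via_single_quotes "$1")" \
        "$(via_sh_quote "$1")"
}

show 'hunter$ecretPart'   # dq keeps only what precedes the $ (variable unset)
show "a'b'c"              # sq silently drops both quotes
show 'x\y/z%P $HOME'"'"   # only the sh_quote form returns the original
```

A passphrase that unlocks one way and not another is worth running through all three helpers to see which form matches what was originally stored.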
Hello,
I've got a stressful problem with my encryption through this plugin.
I created a full-disk encryption for my drives and everything is running fine. But I was bored of entering the password through the GUI and wanted to do it through SSH. I realised none of those commands worked:
Maybe a key problem; adding a new key through the GUI creates issues similar to ml1950's. My pass is made of 45 random chars using all sorts of special ones.
So my question is:
What is my password? Apparently it was never registered as I saved it, probably because of special characters in it (or maybe I got the wrong command). How can I unlock those drives through the CLI and add a new key via CLI or GUI?
Thanks in advance