Home
Some thoughts about what's missing, and what to add next:
- Support for editing, i.e. adding and removing passphrases
- Support for keyfiles
- Use crypttab to enable unlocking at boot (will require keyfile)
- Backing up and restoring headers
- Monitoring/notification to warn if a referenced device is not unlocked at boot?
- Locales/translations for languages other than English. This will probably be left for others to contribute...
Ideally the storage device backend (OMVStorageDeviceBackendLUKS) should be registered before the LVM and Device Mapper backends, so that LUKS containers are described as such (rather than as plain Device Mapper devices) in, e.g., filesystem creation. Unfortunately this requires editing system.inc.
Passphrases are passed through from the WebGUI in plain text, so they are visible in the debug output from omv-engined and might also show up in log files. The plan is to allow keyfiles to be uploaded from the WebGUI; these would be stored on disk (in /tmp?) by PHP temporarily. We can reduce the exposure by securely destroying the temp file once it has been used, but it might also be useful to make /tmp a tmpfs filesystem in RAM, so the key material never reaches persistent storage.
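One way to keep an uploaded keyfile on disk for as short a time as possible, shown here as an added example rather than the plugin's own code: the file is created with mode 0600, handed to the command that consumes it, and overwritten and removed afterwards (also on interruption). `KEYFILE_DIR` is an assumption; pointing it at a tmpfs mount keeps the key material in RAM only.

```shell
#!/bin/sh
# Added example, not part of the plugin. KEYFILE_DIR is assumed; it defaults
# to /tmp and should ideally be a tmpfs mount so the key never hits disk.

# Create a private temp file for key material and print its path.
make_private_keyfile() {
    dir="${KEYFILE_DIR:-/tmp}"
    # umask 077 in a subshell: the file is created 0600 whatever the caller's umask is
    ( umask 077; mktemp "$dir/luks-key.XXXXXX" )
}

# Overwrite and remove the keyfile: shred if available, otherwise zero-fill then unlink.
wipe_keyfile() {
    f="$1"
    [ -f "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        size=$(wc -c < "$f" | tr -d ' ')
        dd if=/dev/zero of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
        rm -f "$f"
    fi
}

# Read key material from stdin into a private keyfile, run the given command
# with the keyfile path appended as its last argument, then wipe the keyfile
# even if the command fails or the script is interrupted.
# Usage: printf '%s' "$key" | with_keyfile cryptsetup luksAddKey /dev/sdX
with_keyfile() {
    kf=$(make_private_keyfile) || return 1
    trap 'wipe_keyfile "$kf"' EXIT INT TERM
    cat > "$kf"
    if "$@" "$kf"; then rc=0; else rc=$?; fi
    wipe_keyfile "$kf"
    trap - EXIT INT TERM
    return $rc
}
```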
Thinking about how header restoration would work: you could overwrite the header of an existing LUKS device, which would fix, e.g., damaged keyslots. But if the header itself were completely damaged (or non-existent), the device would not show up in the list of containers at all, so how would the header be restored? Currently leaning towards a workaround, where the user would create a new LUKS device and then overwrite its header with the backup.