Home
Some thoughts about what's missing, and what to add next:
- Support for keyfiles: Done (v2.0)
- Use crypttab to enable unlocking at boot (will require keyfile)
- Backing up and restoring headers: Done (v1.1)
- Monitoring/notification to warn if a referenced device is not unlocked at boot?
- Locales/translations for languages other than English. (Ongoing/in progress)
Passphrases are passed through from the WebGUI in plain text, so they are visible in the debug output from omv-engined and might also show up in log files. Care should also be taken with insecure (plain HTTP) browsing sessions. Key files can be uploaded too, and these are likewise passed in the clear across the network, then stored temporarily on disk (in /tmp) by PHP. We can ameliorate some of the security issues here by securely destroying the temp file when we're done with it, but it might also be useful to make /tmp a tmpfs device in RAM.
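
One way to do the temp-file clean-up described above, as an added example that is not the plugin's own code: a shell helper that checks whether the key file sits on a RAM-backed filesystem and picks the removal method accordingly. The function names and the optional mounts-table argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of the plugin).

# fs_type_of PATH [MOUNTS]
# Print the filesystem type of the mount that holds PATH, using a table in
# /proc/mounts format. The longest matching mount point wins; on a tie the
# later line wins, which is how an over-mount behaves.
fs_type_of() {
    path=$1 mounts=${2:-/proc/mounts}
    P=$path awk '
        {
            mp = $2
            # Match "/", an exact hit, or a prefix ending on a directory
            # boundary (so /tmp does not match /tmpfoo/key).
            if (mp == "/" || ENVIRON["P"] == mp || index(ENVIRON["P"], mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); t = $3 }
        }
        END { print t }' "$mounts"
}

# destroy_keyfile FILE [MOUNTS]
# Remove an uploaded key file after use and print the method chosen:
#   unlink - file was on tmpfs/ramfs, nothing on disk to overwrite
#   shred  - file was on a disk-backed filesystem: overwrite, then unlink
destroy_keyfile() {
    file=$1
    [ -f "$file" ] || return 1
    case $(fs_type_of "$file" "${2:-/proc/mounts}") in
        tmpfs|ramfs)
            rm -f -- "$file" && echo unlink ;;
        *)
            # Best effort only: overwriting in place is not reliable on
            # journaling or copy-on-write filesystems, or on flash storage.
            shred -u -- "$file" && echo shred ;;
    esac
}

# Stand-alone use: ./destroy_keyfile.sh /tmp/<uploaded-file>
if [ "$#" -gt 0 ]; then
    destroy_keyfile "$1"
fi
```

tmpfs pages can still be written to swap, so a RAM-backed /tmp only keeps key material off disk if swap is disabled or encrypted.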
Thinking about how restoring a header would work: you could overwrite the header of an existing LUKS device, which would fix, e.g., damaged keyslots. But if the header itself was completely damaged (or non-existent), the device would not show up in the list of containers, so how would the header be restored? Currently the workaround is for the user to create a new LUKS device and then overwrite that header with the backup.
http://forums.openmediavault.org/index.php/Thread/11674-openmediavault-luksencryption/
http://forums.openmediavault.org/index.php/Thread/11592-LUKS-disk-encryption-plugin