Published Sun 27 January 2019 by Daniel W
One function of Unraid that I really enjoy is the ability to configure individual drives in the array with full disk encryption. This encryption method is always recommended if you are storing files long term that you wouldn't want the general public to have access to.
If you were to be robbed and your server stolen, then unless you had full disk encryption in place the files on that server would be accessible to anyone. With disk encryption in place, everything operates as normal, except for the fact that you need to enter your decryption password in the web interface once the server has booted up. Whilst this is a minor inconvenience, it's one that is easily worked around with a little bit of effort.
I have set up my Unraid server to automatically pull down the decryption key from the Amazon Web Services (AWS) product called 'Secrets Manager'. This product is traditionally used for storing credentials within the AWS ecosystem; however, using the AWS CLI, it can also store a plaintext value such as the decryption key for use in other applications.
Setting this up is very easy and only takes about 10 minutes to complete. The monthly cost for storing 1 secret is currently $0.40 AUD, which makes this a very economical solution long term.
By using this method, if your Unraid server is removed from its current location and started up elsewhere (assuming that you chose to restrict the IAM user by IP), the array will fail to decrypt, because the IP address the AWS CLI request originates from will be different from the allowed value. Only returning the server, updating the AWS IAM policy, or providing the key manually will allow the array to start.
Inspiration for this process came from the great tutorial by Spaceinvader One on YouTube, and I'd highly recommend watching some of his other videos as well.
From the AWS console, use the search box to find 'Secrets Manager'. Click on 'Store a new secret', and then use the wizard to create your key. Remember to take note of the key/value pair when creating the key, and make sure there are no typos. Use the screenshots below to guide you if needed.
Click on your newly created secret and make a note of the 'ARN' (Amazon Resource Name). This is the full identifier for this resource and we will need it later.
Next, create an IAM user for the server using the 'Add user' wizard. Give your user a name (not really important, but name it appropriately), tick 'Programmatic access' and then click next.
Click on 'Attach existing policies directly' then 'Create policy' and a new window will open. In this new window choose the following options then click 'Review policy', give the policy a name and click 'Create policy':
Request conditions: 'Source IP' (add your public IP address)
With the IAM policy created, close the window and refresh the 'Add user' wizard, and select your new policy.
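A least-privilege version of such a policy, written out as a JSON policy document rather than through the wizard, as an added example that is not part of the original post. It grants only the one action the server needs (GetSecretValue), only on the one secret, and only from your home public IP. The region, account ID, secret name suffix and the IP address (203.0.113.10/32, taken from the documentation address range) are placeholders to replace with your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadUnraidKeyfileFromHomeIpOnly",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT-ID:secret:unraid-keyfile-SUFFIX",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.10/32"
        }
      }
    }
  ]
}
```

Because the condition is on the source IP, a change to your home public IP will make the request fail until the policy is updated, which is the same fail-closed behaviour that protects you if the server is moved.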
From the Unraid web GUI, click on 'Plugins' then 'Nerd Tools'. If you don't have Nerd Tools already, you can install it from the community applications module. If you don't have that either, there are plenty of guides to help you install that first.
Use the search box on the Nerd Tools page to find the required packages, including jq-onig; flick both to 'On' and click Apply.
Install the AWS CLI with:
pip3 install awscli --upgrade --user
This package will be installed to /root/.local/bin/aws because we specified the --user flag. This directory also isn't included in our $PATH by default, but for this use case it's not necessary to fix that.
Then run /root/.local/bin/aws configure and follow the prompts, providing your AWS credentials from earlier.
Test that the key can be retrieved:
/root/.local/bin/aws secretsmanager get-secret-value --secret-id <<YOUR-ARN-HERE>> --query SecretString --output text | jq -r ".key"
(The --output text flag makes the CLI print the raw SecretString JSON so that jq can read the key, regardless of which default output format you chose during configure.) If all went well, the decryption key that you recorded in Secrets Manager will be printed to the screen. Hurray!
The last step is to edit your server's 'go' file, which is executed upon startup. Use whichever method you wish (via SSH and nano/vim, or over the network) and add the following:
/root/.local/bin/aws secretsmanager get-secret-value --secret-id <<YOUR-ARN-HERE>> --query SecretString --output text | jq -r ".key" >> /root/keyfile
Replace <<YOUR-ARN-HERE>> with your real ARN (i.e. arn:aws:secretsmanager:ap-southeast-2:61...:secret:unraid-keyfile...) and save the file. The contents of this file will be executed when your server next starts up; the decryption key will be downloaded automatically and written out as the keyfile.
When that process finishes executing, your server's array should start up. If you ever want to remove this functionality, simply comment out or remove the line in the go file.