Unable to access encrypted external storage

velvetblueeyes · 2023-12-09T07:10:34.127Z

I’m using a GL.inet GL-AXT1800 router with openwrt.
I have an encrypted drive I’d like to plug in and access.
How do I unlock the LUKS key? There’s no pop-up or menu for this, only a “user” passkey which has nothing to do with the drive.
I can see the drive fine and I can access other unencrypted drives fine.
Please help.

admon · 2023-12-09T07:15:59.465Z

Hey there

since accessing encrypted drives on a router isn’t pretty common I would assume you need to go through manual configuration using luci or SSH.

OpenWrt Wiki – 8 May 14

Disk Encryption

Disk Encryption You may want to encrypt your external disk to improve privacy (in case other people have physical access to your router) or so that you can securely reuse the disk later for another purpose if it's flash (see SSDs prove difficult to...

Might help.

velvetblueeyes · 2023-12-09T07:20:31.754Z

Thank you for that link, I already had it open. This page talks about encrypting a drive…mine is already encrypted, I just need a way to access the LUKS key already present and I don’t see a way to do that within the router menu. If I need to tunnel in with ssh or something, I need a guide for that because I have no idea how.

admon · 2023-12-09T07:22:14.243Z

A few lines later the article will talk about decrypting and how to automate it.

Search for

The following script can be used to automate decrypting

velvetblueeyes · 2023-12-09T07:25:17.869Z

Am I supposed to do this on the router somehow or via terminal on my pc?

admon · 2023-12-09T07:28:37.694Z

On the router using SSH.

It will be tricky, it will be dangerous … but that’s what you get when you want to use it.

You should, maybe, test it with a LUKS device without important data.

@bring.fringe18 How would you do it?

bring.fringe18 · 2023-12-09T14:04:26.223Z

admon:

How would you do it?

I wouldn’t. LUKS1 is obsolete & proper LUKS2+Argon2di still isn’t even in mainline Grub for mainline distros. I store at rest via gocryptfs + Syncthing’s ‘untrusted devices’/ encryption option (which also uses gocryptfs).

The underlying cipher is supposed to be be post-Quantum resistant if you believe the chatter about XChaCha20-Poly1305. Syncthing in the GL repos is some 8 minor versions behind current… so I encrypt before I encrypt.

(ccpcryptfs is available for Windows.)

GitHub

GitHub - bailey27/cppcryptfs: cppcryptfs is an implementation of the...

cppcryptfs is an implementation of the gocryptfs encrypted overlay filesystem in C++ for Windows. - GitHub - bailey27/cppcryptfs: cppcryptfs is an implementation of the gocryptfs encrypted overlay ...

velvetblueeyes · 2023-12-10T00:54:40.917Z

not really helpful to my situation…my device is already encrypted with luks…i just want to unlock it when its plugged into the router. Not sure why this isn’t a menu option somewhere…seems like that would be a common thing to want to protect your drive, then just have a key to open when when needed, just like with the user protection.

velvetblueeyes · 2023-12-10T00:59:48.771Z

so your method is to load files and encrypt present folders? Is that possible to do when accessing from network, like on my phone?

bring.fringe18 · 2023-12-10T14:54:24.071Z

velvetblueeyes:

Not sure why this isn’t a menu option somewhere…seems like that would be a common thing to want to protect your drive […]

You’re not exactly a “common” user here, my guy… you care about security. I’m no help on the LUKS front for my aforementioned reasons beyond pointing you to the OpenWrt forum but your experience there is going to be a heavy case of YMMV. The latest stable firmware for the Slate AX is still built on OpenWrt 21.02; the latest mainline OWRT is 23.05.x.

If you really want mainline OWRT then you’re going to end up looking @ @solidus1983 's vanilla builds for the Slate AX. That’ll mean you’ll be dumping the GL GUI (oh well) but more importantly the closed source SDK they use. There’ll probably be a performance hit in doing so (not that I’ve yet tested it).

Blah, blah, blah… the point is: if you want full access to the OWRT ecosystem you might want to consider dumping GL firmware & just eat any performance hits. You still won’t have anything beyond LUKS1 though.

bring.fringe18 · 2023-12-10T15:05:10.923Z

velvetblueeyes:

so your method is to load files and encrypt present folders? Is that possible to do when accessing from network, like on my phone?

Syncthing just ends up mirroring whatever dirs you designate to it on client device(s). It hashes the files before uploading using its optional encryption function. It is not a method akin to Samba/SMB/WebDAV/NFS.

In the case of accessing the pre-Syncthing encrypted files (which were first encrypted by gocryptfs/ccpcryptfs) on my phone, I use DroidFS. IDK what the counterpoint would be on iOS.

I stress my method is to double encrypt… because I’m paranoid like that. Just using gocryptfs/ccpcrypt → Syncthing sans its encryption function → DroidFS would result in adequate protection, I’m sure but I can’t speak to your threat model.

Another viable option may be just to use SMB/NFS for storage but gocryptfs before storing files on the network share. Using a Android client for SMB/NFS access, pointing DroidFS to that share isn’t something I’ve tried.

– “If you’re not paranoid, you’re not paying attention”

f-droid.org

DroidFS | F-Droid - Free and Open Source Android App Repository

Store & access your files securely

velvetblueeyes · 2023-12-10T20:59:12.671Z

all this is way over my head…lol. I’m not a dev or in IT or anything …just an artist with an encrypted external drive that I want to see on my network when I plug it in. I’m super surprised no one else does this and that there’s not an easy method for this in a menu somewhere. spending days or weeks learning how to use ssh, different decryption methods, what the commands are and all the rest is kind of off-putting. I’ll likely just look for a different solution. Thank you though. I used luks because that’s what my linux distro offered when I formatted my drive. The other encryption methods are foreign to me, though I do have veracrypt installed.

admon · 2023-12-10T21:02:47.743Z

velvetblueeyes:

I’m super surprised no one else does this

NAS is the way to go. Putting a hard drive via USB to a router is … strange.

velvetblueeyes · 2023-12-10T21:03:58.778Z

I have health issues and I’m unemployed and can’t afford a NAS…i wish. I just have a few odd drives laying around.

admon · 2023-12-10T21:06:16.570Z

Yeah, it depends on your environment of course. Just want to explain why it’s not that common.

bring.fringe18 · 2023-12-10T22:28:12.920Z

velvetblueeyes:

spending days or weeks learning how to use ssh, different decryption methods, what the commands are and all the rest is kind of off-putting.

Fair enough.

velvetblueeyes:

[…] though I do have veracrypt installed.

Nice. So you’re familiar w/ the concept of encrypted containers just like LUKS encrypts entire partitions/sections of storage drives. gocrypfs/ccpcrypt encrypts dirs/files one at a time/on a per-file basis.

It might be easier to use the GL GUI to set up NAS functionality after connecting your LUKS drive onto your Linux PC, installing SirKali, decypting/mounting your LUKS contents to a SirKali ‘virtual drive’ (“mount point”), dismounting (see screenshots) then copying that SirKali directory to your NAS.

admon:

NAS is the way to go. Putting a hard drive via USB to a router is … strange.

… & also a variant of a NAS, however ‘non-Enterprise’.

SiriKali

SiriKali works on Linux, macOS and Microsoft Windows Operating Systems

A Qt/C++ GUI front end to cryfs,gocryptfs,securefs,ecryptfs and encfs