It finally worked!
And since I had such a hard time doing it, I'll write it down here for future reference.
First and foremost, all credits should go to marky0736 who wrote
viewtopic.php?f=15&t=121510. Apart from some small modifications and clarifications, this is his work.
Secondly, this worked for me on my TS231P. With some modifications it could work for others. However, if you try this, you do it at your own risk.
To the point.
I've made 2 newbie mistakes. If you are not a newbie (then you probably should not be reading this) go to point 1). My mistakes were:
a) failed to realize that the password I type to decrypt the volume in the GUI is not the password that is passed to cryptsetup. This is really well documented but I just wasn't reading carefully. Your password is first "encrypted" by
and then fed to cryptsetup
b) My second mistake was to copy the keyfile to a Windows share without unix2dos. marky0736 makes a remark about this but not in the same context.
Now, how it works (again, most of this is taken from marky0736's post):
1) Create a small unencrypted volume in your NAS. Preferably a thin volume. This will serve to store some configuration files in a config folder. In my case it was located at /share/CACHEDEV2_DATA/Config
2) SSH to your NAS and run
storage_util --encrypt_pwd pwd=YOUR_PASSWORD > /tmp/keyfile.key
From this file you must remove the "Encrypted passwd is:". Save the file and make sure you don't have a LF/CR. If you copy this to a Windows share, open the file in Notepad and recheck.
3) Copy the keyfile to a SECURE remote shared location
4) Create
/share/CACHEDEV2_DATA/Config/credentials.txt
with the following content
username = YOUR_REMOTE_SHARE_USERNAME
password = YOUR_REMOTE_SHARE_PASSWORD
5)
chmod 400 /share/CACHEDEV2_DATA/Config/credentials.txt
6) Create a mount point for your remote folder. In my case it was /share/CACHEDEV2_DATA/Config/keyfolder
7) This is different from marky0736's post (written in 2016...). You must prepare your autorun.sh script. Check
https://wiki.qnap.com/wiki/Running_Your ... at_Startup. In my case I had to
ubiattach -m 6 -d 2
/bin/mount -t ubifs ubi2:config /tmp/config
vi /tmp/config/autorun.sh
WRITE_SCRIPT_HERE (See point 8 )
chmod +x /tmp/config/autorun.sh
umount /tmp/config
ubidetach -m 6
8) Now for the script itself, replace "WRITE_SCRIPT_HERE (See point 8 )" with
#!/bin/sh
# Mount the remote share that holds the keyfile (SMB 2.0, credentials from credentials.txt)
mount -t cifs //REMOTE_IP/REMOTE_FOLDER /share/CACHEDEV2_DATA/Config/keyfolder -o credentials=/share/CACHEDEV2_DATA/Config/credentials.txt -o vers=2.0
# Unlock the encrypted volume with the remote keyfile
cryptsetup -v luksOpen /dev/mapper/cachedev1 ce_cachedev1 --key-file=/share/CACHEDEV2_DATA/Config/keyfolder/keyfile.key --key-slot 0
# Unmount the remote share so the keyfile is no longer reachable from the NAS
umount /share/CACHEDEV2_DATA/Config/keyfolder
# Mount the decrypted volume and initialize it
mkdir -p /share/CE_CACHEDEV1_DATA
mount -t ext4 /dev/mapper/ce_cachedev1 /share/CE_CACHEDEV1_DATA/
/etc/init.d/init_lvm.sh
9) Enable "Allow running autorun.sh during startup" in the "Hardware" tab of your NAS.
10) That's it. Reboot and you're done. Your encrypted volume should automatically decrypt and mount as long as the keyfile in the remote server is available.
Now for a few comments.
a) In the script, the first line mounts the remote folder with the credentials stored in credentials.txt. Keep this file safe. The -o vers=2.0 forces SMB 2.0, needed for any modern Windows OS.
b) the second line decrypts the volume using the remote keyfile
c) 3rd line unmounts the remote folder for security
d) Next is to mount and initialize your volume
Comments and ideas are appreciated. In particular I would like to store the credentials file somewhere without having to create an unencrypted thin volume just for that.
Best regards!
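
An added example, not part of the original post: one way to do the keyfile cleanup from step 2 and catch the stray CR/LF described in mistake b) before the file is copied to the remote share. It assumes the saved output contains the label "Encrypted passwd is:" followed by the key; the function names and the sample value are made up for illustration.

```shell
#!/bin/sh
# Added example: clean and verify a keyfile saved as in step 2.
# Assumption: the file holds the label "Encrypted passwd is:" and then the key.

# check_keyfile FILE: succeed only if FILE is non-empty, carries no label
# text and contains no CR or LF byte anywhere.
check_keyfile() {
    f=$1
    [ -s "$f" ] || { echo "keyfile is empty or missing: $f" >&2; return 1; }
    if grep -q 'Encrypted passwd is:' "$f"; then
        echo "label text still present in $f" >&2
        return 1
    fi
    # Compare the byte count with and without CR/LF; any difference means
    # a line ending would be passed to cryptsetup as part of the key.
    total=$(($(wc -c < "$f")))
    stripped=$(($(tr -d '\r\n' < "$f" | wc -c)))
    if [ "$total" -ne "$stripped" ]; then
        echo "CR/LF bytes found in $f" >&2
        return 1
    fi
    return 0
}

# clean_keyfile SRC DST: strip the label and every CR/LF from SRC, write the
# result to DST (owner-only permissions when DST is newly created), then
# verify DST.
clean_keyfile() {
    src=$1
    dst=$2
    ( umask 077
      sed -e 's/^Encrypted passwd is:[[:space:]]*//' "$src" | tr -d '\r\n' > "$dst" )
    check_keyfile "$dst"
}

# Constructed sample (not a real key): label plus a Windows line ending.
tmp=$(mktemp -d)
printf 'Encrypted passwd is: SAMPLE-NOT-A-REAL-KEY\r\n' > "$tmp/raw.key"
clean_keyfile "$tmp/raw.key" "$tmp/keyfile.key" &&
    echo "keyfile OK: $(wc -c < "$tmp/keyfile.key") bytes"
```

Running check_keyfile again on the copy that sits on the remote share shows whether an editor or transfer tool added a line ending on the way.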