Unraid is my favourite NAS OS to run at home. It’s super easy to get setup and administer. When you combine it’s built in app store (based on Docker), Traefik & Authelia for automatic HTTPS proxy and authentication you could even go as far to say it’s your very own self hosted PaaS and that I love.
All of my Array and Pool devices are encrypted using the Unraid file system type ‘xfs - encrypted’, it does this using the Linux LUKS (Linux Unified Key System) encryption modules.
Unraid will ask for either a key phrase or a file (a random photo for example) at boot to unlock the drives. These were my requirements when enabling encryption:
- Server automatically boots and unlocks encrypted drives without intervention
- Key phrase or file required to unlock the drives is not stored locally i.e on a USB drive plugged into the NAS, should be retrieved remotely
- Access to the key can be revoked at any time therefore preventing the unlock from taking place at boot
To achieve this I host my key phrase in a Github repo and instruct Unraid to download it at boot.
- Create a private Github repo, create a new file
keyfileand make the contents your decryption key phrase - Create a new ‘Personal access token’ and select ‘Repo’ as the scope
- SSH to your Unraid server and modify
/boot/config/go, at the end insertcurl -H "Authorization: token ghp_xxx" https://raw.githubusercontent.com /username/repo/main/keyfile -o /root/keyfilewhereghp_xxxis your Personal access token, andusername/repois specific to your username and repo - Back in the Unraid dashboard go to Settings > Disk Settings > Enable auto start > Yes