1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-03 00:07:05 +00:00
mailinabox/ehdd
2024-09-03 11:11:17 -04:00
..
create_hdd.sh back out assert_kernel_modules 2024-09-03 11:11:17 -04:00
ehdd_funcs.sh back out assert_kernel_modules 2024-09-03 11:11:17 -04:00
mount.sh back out assert_kernel_modules 2024-09-03 11:11:17 -04:00
postinstall.sh Fixes #17: start services after unattended upgrades 2022-12-02 15:09:29 -05:00
README.md rename ehdd/startup.sh ehdd/run-this-after-reboot.sh 2022-06-28 20:56:48 -04:00
run-this-after-reboot.sh Fixes #17: start services after unattended upgrades 2022-12-02 15:09:29 -05:00
shutdown.sh qa: give shutdown more time to unmount the encrypted drive 2022-11-10 14:56:46 -05:00
start-encrypted.sh avoid using PYTHONPATH to enable setup mod hooks, which is problematic for managment command line tool use 2022-10-24 16:24:44 -04:00
umount.sh Add copyright to source files 2022-09-19 14:45:11 -04:00

Encryption-at-rest support

This directory contains support for encryption-at-rest of the user-data directory. Also known as STORAGE_ROOT, the user-data directory is typically located at /home/user-data, and is where non-system data is stored, like email, ssl certificates, backups, etc.

Encryption-at-rest of STORAGE_ROOT is provided by a LUKS formatted hard disk (file) created and stored at /home/user-data.HDD.

To enable encryption-at-rest ON A FRESH INSTALL, you must run ehdd/setup-encrypted.sh instead of setup/start.sh. This will set things up by creating and mounting the encypted disk for /home/user-data. Once created and mounted, setup/start.sh is run to continue normal setup operation.

At the end of setup, services that utilize /home/user-data will be disabled from starting automatically after a reboot (because /home/user-data will not have been mounted). Run ehdd/run-this-after-reboot.sh after a reboot to remount the encrypted hard drive and launch the disabled services.

Do not forget your encryption passphrase - otherwise your /home/user-data files will be unrecoverable!

For a non-interactive install, setting EHDD_GB will create a luks drive of that size without prompting, and EHDD_KEYFILE must be set to a file containing the encryption key (the file should not have any newlines). DO NOT USE A KEYFILE ON A PRODUCTION MACHINE.

To upgrade a system to encryption-at-rest, shut down all services that use STORAGE_ROOT (postfix, dovecot, slapd, etc). Rename STORAGE_ROOT to something else. Run ehdd/create_hdd.sh, then ehdd/mount.sh. Copy or move the contents of the renamed directory to STORAGE_ROOT. Restart all services.