Automatically unlock encrypted volumes in QNAP via network using a BASH-script in a Cron-job. This script will log on, list locked drives and unlock them.
Data stored on the disks is encrypted, and you need a key to access the disks. The key is kept in memory, so if power is lost the disks are no longer unlocked.
This is an effective protection against thieves who gain physical access to the building. If they unplug and steal the NAS, the data is encrypted. Encryption should be combined with offsite backup, e.g. to the cloud, which is also supported by QNAP.
To unlock the drives you have two alternatives: Log on to the web interface and enter the key, or let QNAP remember the key and automatically unlock. Letting QNAP remember it defeats much of the purpose, as the drives will be unlocked when power is plugged back in. Also, depending on how it is stored, it might require moderate Linux skills to change admin password and gain full access.
So to solve this I threw together a script running from a remote location that will unlock my encrypted drives. You can also run it from a Raspberry Pi or any other device capable of BASH+Perl+curl+Python. Since the Raspberry Pi supports wireless, you can hide the unlock device anywhere within range of the wireless network, making it unlikely to be stolen together with the QNAP.
This is a quick and dirty hack, but it has worked for a couple of years for me. I simplified the script a bit for ease of use; if you have different keys for different volumes you can use the ${VOL} instead of ${VPASS} and set keys accordingly.
2021-07-02: Updated for latest QNAP patch. (Passwords for disks are now sent as base64.)
```bash
#!/bin/bash
# Requires: curl perl perl-JSON jq
# pip install yq

echo Running: $(date)

USER="admin"
PASS="MYPASSWORD"
HOST="https://MYNAS"
VPASS="DISKPASSWORD"
CURL="/usr/bin/curl"
PERL="/usr/bin/perl"
XQ="/usr/local/bin/xq"

# encode login password
EPASS="$(echo -n $(echo -n "$PASS" | base64) | jq -sRr @uri)"
VPASS="$(echo -n "$VPASS" | base64)=="

# Log on
# Note: --insecure disables TLS certificate verification, so curl will send
# the login password and the disk key to whatever host answers at $HOST.
result="$($CURL --cookie-jar unlock.cookies --insecure "${HOST}/cgi-bin/authLogin.cgi" -X POST -d "user=${USER}&pwd=${EPASS}")"

# Extract session id from result
# ($result is left unquoted so echo collapses the XML onto one line for the regex)
SID=$(echo $result | $PERL -pe 's/.*\Q<authSid><![CDATA[\E([^\]]+).*/$1/g')
echo SID: $SID

# Figure out which volumes are encrypted and still locked
echo "$HOST/cgi-bin/disk/disk_manage.cgi?sid=${SID}&store=lvList"
VOLS=$(
  $CURL \
    --cookie-jar unlock.cookies \
    --insecure "$HOST/cgi-bin/disk/disk_manage.cgi?sid=${SID}&store=lvList" \
    -X POST \
    -d "func=extra_get" \
    -d "extra_vol_index=1" \
    -d "dc=0.7540563754242229" \
    | $XQ .QDocRoot.Volume_Index.row \
    | $PERL -0777 -e '
      use JSON;
      $j = decode_json(<>);
      # xq emits a single <row> as an object rather than an array
      $j = [$j] if ref($j) eq "HASH";
      foreach my $e (@$j) {
        print $e->{"vol_no"}." " if ($e->{"encryptfs_bool"} eq "1" and $e->{"encryptfs_active_bool"} ne "1");
      }')

# Loop through locked volumes and request unlock using VPASS as key.
# This could be modified to use file based on volume name. Perl-line
# above could also easily spit out volume name.
for VOL in $VOLS; do
  $CURL --cookie-jar unlock.cookies \
    --insecure "${HOST}/cgi-bin/disk/disk_manage.cgi?sid=${SID}" \
    -X POST \
    -d "func=open_encrypt_dev" \
    -d "volumeID=${VOL}" \
    -d "keyStr=${VPASS}" \
    -d "saveKey=no" \
    -d "count=0.23383354619125796" \
    -d "scan_iscsi_share=1"
  sleep 30;
done

#rm unlock.cookies
```
USER and PASS are login details for logging on to your QNAP NAS web interface. The user needs to have enough rights to actually unlock the volumes. VPASS is the encryption key needed for unlocking the volumes. HOST is the URL for your QNAP NAS, for example https://10.0.0.5 or https://mynas.local/
I run this in a cron-job every 10 minutes. The 30 second sleep is not required, but you should keep a few seconds at least. Note that contrary to what the QNAP web interface allows, drives can be unlocked simultaneously and relatively fast. They are usable long before they reach 100% in unlock operation, but unlocking multiple is still slow.
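The remark about different keys for different volumes, and the script comment about using a file based on the volume, could be implemented with a lookup like the one below. This is an added example, not part of the original script; the key file path, its `vol_no:key` line format and the `key_for_volume` function name are assumptions, and `stat -c` assumes GNU coreutils as found on a Raspberry Pi.

```shell
#!/bin/bash
# Added example: per-volume key lookup from a key file kept outside the script.
# Assumed (hypothetical) key file format, one entry per line:  <vol_no>:<key>

KEYFILE="${KEYFILE:-$HOME/.qnap-volume-keys}"   # hypothetical default path

# Print the key for volume number $1 (key file optionally given as $2).
# Returns 1 if no entry exists, 2 if the file is missing, 3 if its mode is unsafe.
key_for_volume() {
    local vol="$1" file="${2:-$KEYFILE}" perms line

    [ -f "$file" ] || { echo "key file $file not found" >&2; return 2; }

    # Refuse key files that group or others can read or write.
    perms="$(stat -c '%a' "$file")" || return 2
    case "$perms" in
        600|400) ;;
        *) echo "refusing $file: mode $perms, expected 600" >&2; return 3 ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;            # skip blank lines and comments
        esac
        if [ "${line%%:*}" = "$vol" ]; then
            printf '%s' "${line#*:}"        # the key itself may contain ':'
            return 0
        fi
    done < "$file"

    echo "no key for volume $vol" >&2
    return 1
}
```

In the unlock loop, `KEY="$(key_for_volume "$VOL")" || continue` would fetch the key for each locked volume, which is then encoded the same way the script encodes VPASS before being sent as keyStr.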
Hello, I have a locked volume (qnap ts251 +) with very important files and I don’t remember the password. Do you know any way to unlock the volume? Thank you very much in advance.
You can’t unlock the volume without the password. That would defeat the purpose of encryption. 🙂 But if the password was short you might try your luck with a brute force attack on it. I believe QNAP is using standard Linux disk encryption.