Enter Encryption Key


Clara Vanliere

Jul 25, 2024, 7:32:35 PM
to openMVS

That is a bug caused by the auto-updater being redesigned. It basically spawns a new process and redirects the stdin/stdout, and this does not work with ReadKey() as the error indicates. I need to rewrite the console-password-input module to fix this.

Yes, that is because the environment variable is used to set the --passphrase value internally if it is left empty. The console-passphrase-input module only does something if the passphrase is empty and --no-encryption is not activated.

I just bought a couple servers. I already installed Ubuntu with encrypted LVM on one and I'm planning on doing the same with the other. This means that every time I boot up each of these machines, I have to enter the passphrase. And I'll have to do this every morning because I'll power each machine off each night for security reasons.

One possible option would be to redo it so that the base system (/ /usr /etc /lib and such... the things that are the same on all the Linux systems) are unencrypted, with your actual data to protect in a separate LV that is encrypted. Then, the system should be able to boot to a state where you can log in remotely and mount the encrypted partition and provide the password at that time.

If your servers support IPMI 2.0 SOL (Serial-over-LAN), you may be able to use ipmiconsole or a similar utility to get a serial console on your machine. Once you have that working, it's not a big step to get keyboard input sent to your virtual serial port. Your OS may require some additional configuration to use the serial console.

As for whether it's a good idea, well, there's no catch-all answer to that. It depends on what you're trying to secure and what you're trying to accomplish by doing so. In almost every case I've seen, full-disk encryption of a server is complete overkill because it does not protect you against a single thing besides a physical break-in. Most intrusions/hacks, for obvious reasons, occur against servers that are powered on, not ones that are powered off.

Maybe you want to use a USB token for that purpose? Of course, this would shift the security from network to physical. I am sure you know that you can't achieve total security, but you have to compromise.

One piece of advice: habits lead to letting your guard down, which leads to being more prone to slips and small mistakes, which leads to the dark side and eventually to relying on a false sense of security.

I highly recommend not relying on a massive one-security-for-everything, but instead on small modular plugins that can give you more fine-grained control. For example: encrypted LVM is ok, but use a USB token as key for booting the system. Then only mount the partitions you actually need (and have them encrypted with different keys), maybe even entering the keys remotely or (better!) have a card reader use something you carry with you all the time to authenticate you and prevent replay attacks. Rely on good patching and on redundant security systems more than on a single firewall or a single 'solution' (i.e. install two redundant firewalls on different machines, and keep one invisible by doing transparent bridging). Keep one system offline and compare checksums at random intervals (days, weeks, hours, etc). And so on.

PS: There was no relevant error message when the wrong password was used. There was a generic error message that I had to Google. I recommend there to be a more communicative error message for a wrong encr/decr password.

Hi Joseph,

- There is a "/Users/YourUsers/.plastic4/cryptedservers.conf" file where the encryption is configured in the client side. If you rename/remove this file, the next time you run an update pointing to an encrypted repo, you should be requested to enter the key again.
- There is a "/Application/PlasticSCMServer.app/Contents/MonoBundle/cryptedservers.conf" where the encryption is configured in the server side (for replica operations). If you rename/remove this file, the next time you run a replica from an encrypted repo, you should be requested to enter the key again.

Note: If you encrypted some data with a specific password in the past, you will need to use the same password to decrypt the data now.

Regards,
Carlos.

As long as one machine has the data, it should be possible to just re-set the encryption password, or to export/import the OmniFocus database on that machine and then re-sync and then properly set the encryption password, correct?

Bought one of the new mmwave sensors which is supposedly a 2 min setup in home assistant, and here I am 6hrs later still struggling. The video and documentation are incorrect it seems, and it runs so fast it took me several attempts to just get it to pause at the right spot to see what it was doing.

Rant over, sorry, it's just I specifically purchased this mmwave kit because it said no finding required and a 2min setup, and a bit annoyed that it is in fact the opposite. All I have is an esphome device detected with an entity called firmware update!

Sorry, we checked this issue. It may be that the wrong firmware was flashed during factory production. We repackaged the relevant firmware; please try to follow the guide to re-flash the firmware for it.

I put another 4 hours into trying to get mmwave_kit working, no joy yet but closer. Here are recent steps.
I saw in the install video for this product the ESPHOME page in HA looked different than my installation. Not the same icons, also it could only be accessed in the card on the Add on page. So I uninstalled ESPHOME and reinstalled it. To do that, I went to the integration to bring it in from the store. The install went to the web UI and installed with Yaml window. Then I added the mmwave_kit and this time it said it installed with the finish window. No encryption key needed, I thought Great.
Not so much, there is no card for mmwave_kit on the dashboard or in devices under setup. It only shows in ESPHOME on the web UI as a device that is inactive.
Here is a log from installation.

I got the IP address from router, followed instructions to add in ESPHome, which looked to install correctly. But still no mmwave_kit card in ESPHome.
ESPHOME does show 1 device in its card. Drilling into that I found a spot to install in ESPHome. Did that and got this log.

I have not, Keith.
I am waiting for a reply from Seeedstudio.
I have done 2 firmware updates and mmwave_kit and 2nd one got past the encryption issue but not finding files, same error as you.
I would like to see a step by step to install Esphome by Seeedstudio so that we can eliminate that variable. I say that because the online UI seems to have the options to install where in HA did not have same install tools.
I am using Home Assistant Yellow.

The /config/esphome/.esphome folder has been removed and replaced with /data when running ESPHome as a Home Assistant add-on. This was done because it is exactly what the add-on /data folder was made for and there were many files in the .esphome folder that were making the Home Assistant Backup larger for no reason at all. All files in there are generated or sourced from online based on your configurations files which have not been touched.

I'm a total Realm newbie so go easy on me. Every time I try to open up a Realm file from the example from GitHub, I get a request to enter in the encryption key. It seems like the default configuration in Realm is to not have its db be encrypted, so I don't know what gives. Any help would be greatly appreciated. Thanks.

What I think is happening is that even when my ESP32 is connecting to Wi-Fi and is getting recognised by Home Assistant at first, in the image you can see that the first sentence is missing something, like the name of the device or something like that.

API transport encryption is now enabled by default when you create a new device in ESPHome. This will autogenerate a random encryption key in the device YAML file that you will need to retrieve when you attempt to add the device to Home Assistant. Simply remove the encryption key lines from your YAML should you choose to not use encryption.

I found a solution to fix the invalid key error when reinstalling an ESP from home assistant. Go to and initialize the device from there using the prepare for adoption button. Then go back to home assistant, and it should be working again!

I have a fresh install where I asked for full-disk encryption. During boot, I now have to enter my password twice in a row. I have looked at my /etc/crypttab and it seems both my regular system and the separate SWAP partition are both encrypted via LUKS with the same password and during boot I thus have to enter my encryption-password twice, 1st to unlock my system, 2nd to unlock the swap-partition.

In addition (unless I am not getting the full concepts here), if a double encryption entry on boot is a necessary consequence of wanting disk encryption & a swap partition for hibernation, then maybe there should be a little warning regarding that inconvenience if a user chooses both options in the installer?

If you use systemd-boot and a swap partition you will need to enter the encryption password twice because storing a keyfile in the initramfs is not practical. An easy way to avoid having to enter the password twice would be to remove the swap partition and instead use a swap file, which will be located inside the encrypted partition.

Final note might still be to add a small warning in the GUI-installer of EndeavourOS when users select disk-encryption and a swap partition to notify them ahead of the actual install that their choices will lead to a situation where they will be prompted for their encryption password twice during boot.

Hi,
I was just about to test out plastic and during the setup I chose requires encryption, I figured this sounds like a good choice, but then there doesn't seem to be any step where you set up the encryption key.
I found a blog post saying what the key should look like but I'm a bit stuck here.
I'm getting this message saying -

When I checked with 2020.3.2f1 I only see Collab package, not combined/version control package for that version. Can you please let us know how you got the package?
To resolve this issue can you please update to latest 2020.3.21f1, or anything greater than 2020.3.9f1 should work.
I confirmed on latest editor version 2020.3.21f1 that combined package and encryption is working fine.
