Secure unRAID Key Deployment via Raspberry Pi FTP

This guide provides a secure method to automatically deploy an unRAID keyfile during boot using a Raspberry Pi FTP server. This eliminates SSH key complexities while maintaining security through user isolation and read-only access.

Prerequisites

• Raspberry Pi (any model) on same network as unRAID (Needs to be able to communicate with eachother)
• Basic Linux command line knowledge
• unRAID USB boot drive accessible

Step 1: Raspberry Pi FTP Server Setup

Install vsftpd

sudo apt update
sudo apt install vsftpd -y

Configure vsftpd

sudo nano /etc/vsftpd.conf

Modify these lines:

anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
allow_writeable_chroot=YES

Create Dedicated FTP User

sudo adduser --gecos "FTP" ftpkey
sudo mkdir /home/ftpkey/files
sudo chown ftpkey:ftpkey /home/ftpkey/files

Place Keyfile in Secure Location

sudo cp /path/to/your/unraid.key /home/ftpkey/files/keyfile
sudo chown ftpkey:ftpkey /home/ftpkey/files/keyfile
sudo chmod 400 /home/ftpkey/files/keyfile

Restart FTP Service

sudo systemctl restart vsftpd

Step 2: Configure unRAID Boot Script

Edit go File

nano /boot/config/go

Add this before /usr/local/sbin/emhttp &:

# Wait for network and Pi to be ready
until ping -c1 <Your-Pi-IP> &>/dev/null; do sleep 2; done

# Download keyfile via FTP
curl -s --netrc-file /boot/config/.netrc -o /root/keyfile "ftp://<Your-Pi-IP>/files/keyfile"

# Set permissions
chmod 600 /root/keyfile

Create .netrc Credentials File

nano /boot/config/.netrc

Add these lines (replace with your Pi's IP and password):

machine <Your-Pi-IP>
login ftpkey
password YOUR_SECURE_PASSWORD

Set Strict Permissions

chmod 600 /boot/config/.netrc

Step 3: Verification and Testing

Test Connectivity

From unRAID console:

ping <Your-Pi-IP>  # Verify Pi reachability
curl -v --netrc-file /boot/config/.netrc -o /tmp/testfile "ftp://<Your-Pi-IP>/files/keyfile"

Test FTP Server

From any network device:

curl -v ftp://<Your-Pi-IP>/files/keyfile -u ftpkey

Step 4: Reboot and Validate

1. Reboot both Raspberry Pi and unRAID server
2. unRAID should automatically:
   • Wait for Pi to become available
   • Download keyfile via FTP
   • Start array with retrieved keyfile

Security Notes

• User Isolation: ftpkey user has no shell access and restricted to home directory
• Read-Only FTP: Server configured with write_enable=NO
• Network Security: All communication stays within local network
• Credential Protection: .netrc file has 600 permissions
• Keyfile Permissions: Keyfile is stored with 400 permissions on Pi

Troubleshooting

Check FTP Logs

On Raspberry Pi:

sudo tail -f /var/log/vsftpd.log

Common Fixes

1. Connection Timeouts: Add delay in go file:

   sleep 10  # Extra delay before download

2. Permission Issues: Verify ownership:

   sudo chown -R ftpkey:ftpkey /home/ftpkey/files

3. FTP Connection Problems: Test basic FTP access:

   ftp <Your-Pi-IP>
   (login with ftpkey credentials)

Fallback Procedure

Keep monitor/keyboard attached to unRAID for first reboot. If automatic retrieval fails:

1. Manually download keyfile:

   curl -s --netrc-file /boot/config/.netrc -o /root/keyfile "ftp://<Your-Pi-IP>/files/keyfile"

2. Start array manually

Maintenance

• Update Password: When changing FTP password, update both:
  1. Raspberry Pi: sudo passwd ftpkey
  2. unRAID: /boot/config/.netrc file

This solution provides a secure, automated keyfile deployment while eliminating SSH key management complexities. The keyfile is only exposed through a restricted FTP user with no shell access, and transfers occur entirely within your local network.