I would like to use an existing preformatted disk which is LUKS encrypted in RouterOS.
I have installed the ROSE package and have the crypted option available.
The preformatted disk is recognized and “imported” but the partition type is wrong and I cannot change it.
Hence I cannot enter the password/key for the device to get it in a usable state.
ROS is using device-mapper (dm) so I assume it is also using LUKS for crypted (non SED backed!) disks.
Is there a way to import them with the correct type and therefore supply a password/key?
There is a crypted option, which does not concern SEDs.
Therefore this should not be a problem.
It is also possible to create software encrypted disk with this, which are clearly non SED.
This basically creates a dm-x (0 if its the first one) device, which is visible under disks.
Then you can format this partition with ext4 and use it.
It did not test this, but I would assume, that you can connect a disk formatted like this to a standard (Linux) PC and see a LUKS encrypted device mapper device.
In the meantime I checked and ROS seems to use the rather seldom used standalone dm-crypt backend and is not using LUKS which is kinda odd, which explains why it did not recognize my preformatted LUKS volume. At the same time, as we do not know which parameter ROS uses for its dm-crypt volumes, it is not easily mountable on Linux, which is kinda sad.
So you cannot put data on the disk beforehand and you cannot read data in case of routeros problems.
Also it seems that it does not handle the “reimport” of ROS created crypted volumes well, when you plug it into another device which does not know the volume. This is a huge problem, because it means, that when the router, which hosts the volume fails, the disk cannot be mounted anywhere else.
That's bad if encrypted volume is locked to single device. Maybe MT should provide some documentation how to mount it on other systems or they deliberately implemented like that as security feature.
A simple solution would be to allow to manually specify volumes and then setting the ROSE parameters for the crypted volume. Currently you are prohibited from editing volumes.