Oof, this got blown out of proportion.
First of all, thanks to @limetech for even introducing encryption support, which helps us ensure our data cannot be recovered (whenever the RMA'd drives get re-purposed), and for continuing to support and enhance its functionality.
@BennTech Let's be mature about this. Your feedback is of course appreciated, but it needs to be constructive. I see that you have some knowledge in the infosec world and that's great, but please, don't be so condescending towards the devs.
I am sure you are not sitting behind a pfSense with IDS and IPS configured (such as Suricata, Snort or even Sophos UTM), and you are not writing your own Snort custom rules either. Your laptop is not running Qubes OS with segregated domains for your personal emails, social media and work-related access. You are not using FIDO2/U2F for MFA, nor are you using GnuPG for secure communication. And if you are, hats off to you, good sir.
Regarding LUKS, I am sure you have seen this: https://0x00sec.org/t/breaking-encryption-hashed-passwords-luks-devices/811 (Nothing is bulletproof)
Additionally, before bashing the devs: they do take security very seriously. Just look at the security sub-forum.
Security is a shared responsibility, and you are also responsible for ensuring your system is configured in a secure way, as well as your environment. Yes, your environment as well.
If we are talking about security practices then there are many security controls you can implement:
- Disable services you do not need; you don't have to run any Docker containers, just use storage
- Don't expose Unraid or its services externally
- Implement fail2ban to prevent brute-force attacks
- Run your vulnerability assessments and manage them (OpenVAS/Nessus)
- Rotate your passwords every 30 days
- Randomly generate your passwords with at least 24 characters
- Use VLANs to segregate network traffic
- Don't use lower versions of SMB
- Don't use NFSv3
- Lock down physical access to the server
- Install video cameras
- Review access logs
- Disable IPMI if you are running Supermicro
- Disable hyperthreading if you are running Intel chips
- Don't use unencrypted connections (HTTP); instead use nginx as a reverse proxy to encrypt all traffic (certs required)
- Set up centralized logging using rsyslog to Splunk or Elasticsearch (ELK)
- Set up appropriate auditing of filesystem access and triggers
- And many others
If you work in infosec then you should know about risk assessments and risk management, as well as how convenience and security clash when you need to implement BCP (Business Continuity Planning) once your BIA (Business Impact Analysis) is done.
You've raised a valid point that convenience in this case should be optional and @limetech agreed to address it in the follow-up release.
But are you that paranoid that you don't trust the way you set up your internal network? Do you not have enough traffic filtering set up to spot a data extraction operation through an ICMP or a DNS tunnel? Judging by your comments, you are a pro at this.
In either case, let's improve things. Everybody can be a critic, remember that.
And remember, if somebody wants to pwn you, they will; there is always a way.
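Two items on the checklist in the post above ("Don't use lower versions of SMB" and "Don't use NFSv3") are easy to state and easy to get wrong in a config file. The script below is an added example, not code from the post or from Unraid: it parses a Samba `smb.conf` and an `nfs-utils` style `nfs.conf` and reports whether SMB1 dialects or NFSv3 are still negotiable. The two pairs of sample configs (weak beside hardened) are constructed for the demonstration, and the file locations are whatever you pass in; an unset `server min protocol` is deliberately reported as a finding because older Samba releases defaulted it to SMB1, and an unset `vers3` is reported because NFSv3 is on by default.

```shell
#!/bin/sh
# Added example: audit SMB1 and NFSv3 exposure in Samba/NFS config files.
# Not part of the original post; sample configs below are constructed.

# Return 0 when smb.conf pins "server min protocol" (or its synonym
# "min protocol") to an SMB2/SMB3 dialect, 1 when SMB1 is still negotiable.
smb_min_protocol_ok() {
    min=$(sed -e 's/[#;].*//' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/^[[:space:]]*\(server \)\{0,1\}min protocol[[:space:]]*=[[:space:]]*\([a-z0-9_]*\).*/\2/p' \
        | tail -n 1)
    case "$min" in
        smb2|smb2_02|smb2_10|smb2_22|smb2_24|smb3|smb3_00|smb3_02|smb3_10|smb3_11)
            return 0 ;;
        *)  # unset, NT1, LANMAN*, CORE*: an SMB1 client can still connect
            return 1 ;;
    esac
}

# Return 0 when the [nfsd] section of nfs.conf disables NFSv3 (vers3=n),
# 1 when it is enabled or simply not mentioned (the default is enabled).
nfs_v3_disabled() {
    val=$(awk -F= '
        /^[[:space:]]*\[/ { sect=tolower($0); gsub(/\[|\]|[[:space:]]/, "", sect); next }
        sect=="nfsd" && tolower($1) ~ /^[[:space:]]*vers3[[:space:]]*$/ {
            v=tolower($2); gsub(/[[:space:]#].*/, "", v); print v }
    ' "$1" | tail -n 1)
    case "$val" in
        n|no|false|0) return 0 ;;
        *)            return 1 ;;
    esac
}

# Human-readable summary for one smb.conf and one nfs.conf.
audit_file_sharing() {
    if smb_min_protocol_ok "$1"; then echo "smb: ok (SMB2+ only)"; else echo "smb: FINDING, SMB1 negotiable"; fi
    if nfs_v3_disabled "$2";     then echo "nfs: ok (NFSv3 off)";   else echo "nfs: FINDING, NFSv3 enabled"; fi
}

# Constructed sample configs (assumptions for the demo, written to a temp dir).
SAMPLE_DIR=$(mktemp -d)
WEAK_SMB="$SAMPLE_DIR/smb-weak.conf";  HARD_SMB="$SAMPLE_DIR/smb-hard.conf"
WEAK_NFS="$SAMPLE_DIR/nfs-weak.conf";  HARD_NFS="$SAMPLE_DIR/nfs-hard.conf"

cat > "$WEAK_SMB" <<'EOF'
[global]
   workgroup = WORKGROUP
   server min protocol = NT1   ; kept for an old scanner: this is SMB1
EOF

cat > "$HARD_SMB" <<'EOF'
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3_00
   client min protocol = SMB3_00
   smb encrypt = required
EOF

cat > "$WEAK_NFS" <<'EOF'
[nfsd]
vers3=y
vers4=y
EOF

cat > "$HARD_NFS" <<'EOF'
[nfsd]
vers3=n   # NFSv3 off, v4 only
vers4=y
vers4.2=y
EOF

echo "weak configs:";     audit_file_sharing "$WEAK_SMB" "$WEAK_NFS"
echo "hardened configs:"; audit_file_sharing "$HARD_SMB" "$HARD_NFS"
```

Run it as-is to see both reports, or point `audit_file_sharing` at the real `smb.conf` and `nfs.conf` on a box; the checks are deliberately strict (anything not explicitly SMB2+ or explicitly `vers3=n` is a finding), which is the right default for an audit script.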