October 23, 200718 yr How feasible, relaible and possible would low level encryption be on unRAID technologies. I am thinking a certificate on the USB and a password to boot up. Pulling the USB would effectively be the same as locking the server and inserting it again would require a password. Areas of concern would be reliability, speed and recovery. Anyone got any ideas? Note: Please don't say truecrypt thats not what im talking about
November 3, 200718 yr Somewhat interested in this myself. My issue being I'm not sure how this would work mechanically - ie someone steals my machine okay it's protected but if someone simply jumps on my network it wouldn't be? Even in the theft scenario that seems to imply that you have a "key" be it on the USB or input to allow access - if it's the key on media they will steal that too, input perhaps not so bad if your devices understand that. This page -> http://linuxhelp.blogspot.com/2006/08/disk-encryption-tools-for-linux-and.html talks about several crypto packages for Linux. Encfs uses Fuse which Tom is apparently migrating to. However, at least on the linked page, there's little detail given as to implementation LUKS appears to get a thumbs up from the writer but looking at it's page it too is also not real clear on mechanics and appears that it might use it's own F/S format. Anyway, much as I'd like to have some protection against theft I do not think I want to have to figure out how to get my devices, ala XBMC'd XBOX, to talk to the crypto filesystem. To do it "right" I'd have to enter a passphrase anytime a device wanted to talk to the box - ick - and have devices that understood this fact. Perhaps a USB stored key such that the USB could be removed after bootup and reinserted at each boot? That would solve the theft issue at least but would need to be stored on a second key and not interfere with booting from the unRAID stick. Microsoft's BitLocker seems to have mostly gotten it right and will get better with SP1 - something that emulates what they have done might be worthwhile IMO particularly if we can do 2 factor keying...
January 16, 200818 yr Author you make some interesting points. Whilst authentication and security of a user on the LAN is definitely part of crypto land I am more concerned about physical theft. If someone was to steal my unRAID they would have instant access to all the data just by powering it up. OK your average thief wouldn't probably know how to do this but if the drives were encrypted at all with a password required to allow access to unRAID in the normal way needing entered at bootup the threat of access due to physical theft drop drastically. I genuinely think this is a feature most NAS's are sorely lacking and even the most trivial of drive crypto would make this possible. Perhaps you wouldnt even need a password. Think 2 USB keys required to boot one with unRAID and another with the passphrahse. Once booted you pull out your key and put it somewhere safe. I think even the most humble of users could understand how to use that one.
January 29, 200818 yr one bad thing on the 2 key idea (I do love it) auto restart after power outage ... you'd be stuck until you got the other key
January 29, 200818 yr one bad thing on the 2 key idea (I do love it) auto restart after power outage ... you'd be stuck until you got the other key I have an alternative. Rather than the passphrase existing on a second key (which would leave with the server), place it on a separate networked device (which would probably not leave with the server - perhaps another PC). Unless the thief steals both devices and installs them on the same network, all would be fine. For the uber-paranoid, a screen challenge or separate USB key could also be done. Bill
January 30, 200818 yr i've tried to figure out a way to do this that allows for the unit to be rebooted (or power loss) etc. it seems like the only way really is to allow for ssh/serial console/some sort of interactive session to ask for a password so someone can get in remotely. however, that opens up keyloggers to the paranoid folks... so for the time being i am still unsure of how to handle this. it would be great if there was a way to do it that was easy, because i have a VIA mini-itx box that has crazy fast onboard crypto and I could add full encryption to my entire array with no overhead... if done right i think there is a market for crypto-ready NAS units. medical and financial sectors are required by law to keep records secured, not to mention government and military... just be sure it can do AES256/rijndael and the performance doesn't go down the tubes
Archived
This topic is now archived and is closed to further replies.