6.10.3 - Physical security flash drive



Hi all.

 

I hope someone can help me.

 

I would like to prevent a person with physical access to the flash drive from resetting the password and gaining access as root.

 

I read the New User Basic blog #1. It states that to reset your root password do the following:

- Shutdown your server.

- Plug your USB flash into a laptop or another computer.

- Open the USB folder and delete the files "config/shadow" and "config/smbpasswd" (do not delete "config/passwd"). This will reset all user passwords, including the root user, to none, i.e. blank.

- Now eject your USB and reboot it on your NAS server and you’re in. You can then set a new password in the Users tab of the Unraid webgui.

Source: https://unraid.net/blog/unraid-new-users-blog-series

 

 

I've searched the forums and found this previous thread:

 

The user "JonathanM" mentions that some files could be moved to an encrypted volume.

 

Would that be possible with the files "config/shadow" and "config/smbpasswd" to prevent someone gaining root access to the server?

 

Is there another way of achieving this? As I understand, encryption of the flash drive is not a possibility, though that is what I would like.

 

Thank you in advance.
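A check for the reset described in the post above, as an added example that is not part of the thread or of Unraid itself; it detects the tampering after the fact rather than preventing it. The config directory and the optional baseline directory (a copy of the two files kept off the flash, for instance on the encrypted array) are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example: report the state left by deleting config/shadow and
# config/smbpasswd, or by editing them while the flash was out of the server.
#
# Usage (paths are assumptions, adjust to your system):
#   check_flash_creds <config-dir> [baseline-dir]
# Prints one finding per line: "MISSING <file>", "CHANGED <file>", "BLANK root".
# Returns 0 when nothing is found, 1 otherwise.
check_flash_creds() {
    cfg=$1
    baseline=${2:-}
    status=0
    for f in shadow smbpasswd; do
        if [ ! -s "$cfg/$f" ]; then
            # Absent or empty file: every password falls back to blank.
            echo "MISSING $f"
            status=1
        elif [ -n "$baseline" ] && ! cmp -s "$cfg/$f" "$baseline/$f"; then
            # File differs from the trusted copy kept off the flash.
            echo "CHANGED $f"
            status=1
        fi
    done
    if [ -s "$cfg/shadow" ]; then
        # Field 2 of a shadow entry is the password hash; empty means no password.
        root_hash=$(awk -F: '$1 == "root" { print $2; exit }' "$cfg/shadow")
        if [ -z "$root_hash" ]; then
            echo "BLANK root"
            status=1
        fi
    fi
    return $status
}
```

Run it early at boot and send any output to your notification channel; refresh the baseline copy whenever you change a password on purpose.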

56 minutes ago, display0 said:

Thank you for replying.

 

The array is encrypted, but the flash drive would still give away shares created, the config of the server and plugins installed etc.

I would like to prevent that if possible.

Sounds like you want the flash drive mounted internally on the server, and a case for it you can lock?

3 hours ago, itimpi said:

Sounds like you want the flash drive mounted internally on the server, and a case for it you can lock?

That would be a nice simple solution. If I had the option to lock it away in a safe it could work. Thank you for your suggestion.

 

Should I draw from this that there is no software solution to securing the flash drive?

14 hours ago, ConnerVT said:

Couldn't someone just steal the safe?

12 hours ago, itimpi said:

Most safes would be bolted to the floor/wall and to get at the bolts one has to get inside the safe anyway.

 

My post was a bit "tongue in cheek" sarcasm.  Just the way I am.  Need to find the appropriate smilie.

 

They say that locks only keep honest people honest.

 

The basics of security break down into two main phases: physical security and network security. Since we are talking physical security, put your computer in a location which only authorized people can access (the fewer, the better). If you connect to a network, all parts of the network need to be secured - cabling, switches, other systems, etc.

 

The two things that usually compromise security are cost and convenience.  This is where the big decisions are made.  How valuable is what I'm trying to protect, and how much time and money do I wish to spend?  Most users visiting this forum don't likely need to lock down a NAS for the NSA.  If you are needing to do this, then Unraid might not be the best platform to be running.
