June 20, 201115 yr Coming to think of it, after some time with unRAID, I came to the conclusion that the ONE feature that finally and ultimately will convince me that unRAID is for me, is this one. I know this has been discussed some time ago and that there are some solutions (encfs, wasn't it?) to achieve this manually. I also can remember that it was part on the previous wishlist but it disappeared somehow? Motivation: - I spend too many hours to fill my unRAID box. In case of theft, I do not want anyone to be rewarded with my hard work (hard-ware is OK, the next generation is waiting on the shelves for me ). - I need to store private, sensitive personal information and other confidential stuff from myself and from clients. Here I can be held reliable if someone gets his/her hands on the data. Encryption is the only way to protect data against physical brute force attacks. (I got a laptop ripped out of my car some weeks ago...it was encrypted....but still not a good feeling). Currently I have to integrate into a more complex setup which involves a lot of tools...this is not a 1-2-3-finish show at the moment. A solution integrated with unRAID definitely will be smoother. ...using an encrypted block device (LUKS?) is preferred, since I think an encrypted filesystem could create a performance issue. Having to enter the passphrase manually upon startup is OK, since I am running all IPMI boards and can securely connect from anywhere into my network via VPN. Currently I own two Plus keys...I can see me shut down my unRAID box and bury the keys in the near future if I cannot find a solution to this. This feature really would make the ultimate feature for me (and hopefully a good feature for others). It would make a good feature to make unRAID stand out of the crowd. best regards, Ford
June 20, 201115 yr ...using an encrypted block device (LUKS?) is preferred, since I think an encrypted filesystem could create a performance issue. Have you tried encfs? You're right in that it's not very performant (compared to block level) though if you do not use it in conjunction with unraids user shares (i.e avoid two layers of fuse) then performance isn't too bad. You can try encfs quite easily at any time so you should be able to happily see if it will suit. This would fix your problem in a minute. You could also look at only encrypting parts of your data (i.e your private data) which would also lower the performance penalties. Failing that, bin unraid and go back to a standard linux distribution with dmcrypt / LUKS and look at something like flexraid or snapraid to help achieve some level of fault tolerance. Even if encryption were on the cards in unraid I suspect you would be waiting quite a while for it to become a stable feature.
June 21, 201115 yr Author thanks for sharing your thoughts on this one! Have you tried encfs? You're right in that it's not very performant (compared to block level) though if you do not use it in conjunction with unraids user shares (i.e avoid two layers of fuse) then performance isn't too bad. No I did not, because of the very reason that I'd like to keep using user shares but without the penalty of nested fuse filesystems. Failing that, bin unraid and go back to a standard linux distribution with dmcrypt / LUKS and look at something like flexraid or snapraid to help achieve some level of fault tolerance. Yes, I know...but this is what I want to avoid. My first idea was to run dm_crypt/LUKS on a VM host and pass the de-crypted block devices to an unraid-VM, like with a KVM host. Couldn't get it to run because of lack of drivers in unRAID and hard-coded block device-schemes in emhttp. Qemu announced a whitepaper on virtio_scsi which would allow for scsci_passtrough. A custom kernel should do the trick by then. Even if encryption were on the cards in unraid I suspect you would be waiting quite a while for it to become a stable feature. encryption IS a stable feature in linux...it is the lack of proper integration of architectures from unRAID and linux kernel. for example nested block devices with dm_mod and md modules are no problem in vanilly linux. It should be possible with unRAID-md module as well, but I think emhttp is again the problem with the need to access a physical layer.
June 21, 201115 yr No I did not, because of the very reason that I'd like to keep using user shares but without the penalty of nested fuse filesystems. I can only suggest to try it and see what happens. I see around 20 megabytes per second writes and 30-40 reads throughput via encfs living on top of a user share. Not brilliant but not the end of the world either. Will entirely come down to your usage patterns I guess as well as (to a more limited extent) your cpu grunt and underlying disks. encryption IS a stable feature in linux...it is the lack of proper integration of architectures from unRAID and linux kernel. for example nested block devices with dm_mod and md modules are no problem in vanilly linux. It should be possible with unRAID-md module as well, but I think emhttp is again the problem with the need to access a physical layer. Yes 'all' you would need to do is layer dmcrypt on top of the md devices created by the unraid drivers. *But* all that would need integration into the unraid management setup and *that* is what would take the time to be implemented, tested and become stable. Going out on a limb it *may* be possible to build the dmcrypt modules for unraid and insert them into the kernel, install the tools and do all this yourself by hand. It's all just linux though emhttp would get unhappy with you at some point. Work roundable if you *really* want though as you don't need emhttp at all to have a functioning array. I doubt you have to mess with the parity disk either regarding encryption which is also a bonus.
June 21, 201115 yr fyi i dont have the link at hand this now but i suggested this before and Limetech signed up as it being a good idea that would come... one day. My focus would be on encryption preventing data mining only. i.e the simplest, fastest and therefore probably the least encryption possible implementation. It all about not worrying if the kit is nicked and not some hollywood trillion bit encryption option
June 23, 201115 yr i use truecrypt, from windows mount the volume via drive letter or unc path. Me too, just keep the truecrypt data file on your unraid and run TrueCrypt on the PC where you need access to the data. Works very well. Stephen
June 24, 201115 yr Author Yes 'all' you would need to do is layer dmcrypt on top of the md devices created by the unraid drivers. *But* all that would need integration into the unraid management setup and *that* is what would take the time to be implemented, tested and become stable. Going out on a limb it *may* be possible to build the dmcrypt modules for unraid and insert them into the kernel, install the tools and do all this yourself by hand. It's all just linux though emhttp would get unhappy with you at some point. Work roundable if you *really* want though as you don't need emhttp at all to have a functioning array. I doubt you have to mess with the parity disk either regarding encryption which is also a bonus. Hmmm...yes, nice idea. There was a post from someone about enabling dm_mod modules in a custom kernel, here. I am fine with running a custom kernel (which is what I am doing now), because of running virtualbox on unRAID. Do you have a pointer to some documentation on how to use the md module, how mounts are stacked and how to use user shares manually, without emhttp ? I am not afraid of doing things manually, I just don't want to hack something, i.e. patch emhttp as others have reported they did.
June 24, 201115 yr Author fyi i dont have the link at hand this now but i suggested this before and Limetech signed up as it being a good idea that would come... one day. My focus would be on encryption preventing data mining only. i.e the simplest, fastest and therefore probably the least encryption possible implementation. It all about not worrying if the kit is nicked and not some hollywood trillion bit encryption option ...yes, +1 from my side. Thanks for jumping in. We should contact limetech regarding the "old" commitment and its absence from the current roadmap.
June 24, 201115 yr Author i use truecrypt, from windows mount the volume via drive letter or unc path. thanks for sharing. IMHO truecrypt is proprietary stuff, regarding the license involved. Myself, for example, cannot use it with data from clients. ...some pros and conns: -1: AFAIK you also have to create an encrypted datastore, where you have to size it upfront. That is kind of limiting the overall feature. IMHO, this would be OK for a flash drive but not for unRAID. -1: every client needs a separate setup +1: every user/client can have its own encryption vault ...and I do not have windoze at home
July 3, 201115 yr I Too would very much like this feature. I Don't wish to have some sort of super encryption software on my desktop. I Just wish to have the simplicity of copying my fires to my unRAID box/pc and know that if that box/PC is stolen. No files can be retrieved from it. I Understand that there would have to be a performance hit for having encryption. But I am willing to take it. I Nice little tick box in the user interface lable "Enable Encryption - Warning! This will slow down File read/writes" would suit me just fine. Hope it makes it into unRAID soon.
July 3, 201115 yr I Too would very much like this feature. I Don't wish to have some sort of super encryption software on my desktop. I Just wish to have the simplicity of copying my fires to my unRAID box/pc and know that if that box/PC is stolen. No files can be retrieved from it. I Understand that there would have to be a performance hit for having encryption. But I am willing to take it. I Nice little tick box in the user interface lable "Enable Encryption - Warning! This will slow down File read/writes" would suit me just fine. Hope it makes it into unRAID soon. Install the "encfs" add-on package. It does exactly as you describe. You must supply the initial password each time you reboot, but thereafter, your files in the directories you configure are transparently being encrypted.
July 4, 201115 yr Author thanks for sharing your thoughts on this one! Have you tried encfs? You're right in that it's not very performant (compared to block level) though if you do not use it in conjunction with unraids user shares (i.e avoid two layers of fuse) then performance isn't too bad. No I did not, because of the very reason that I'd like to keep using user shares but without the penalty of nested fuse filesystems. Failing that, bin unraid and go back to a standard linux distribution with dmcrypt / LUKS and look at something like flexraid or snapraid to help achieve some level of fault tolerance. Yes, I know...but this is what I want to avoid. My first idea was to run dm_crypt/LUKS on a VM host and pass the de-crypted block devices to an unraid-VM, like with a KVM host. Couldn't get it to run because of lack of drivers in unRAID and hard-coded block device-schemes in emhttp. Qemu announced a whitepaper on virtio_scsi which would allow for scsci_passtrough. A custom kernel should do the trick by then. Even if encryption were on the cards in unraid I suspect you would be waiting quite a while for it to become a stable feature. encryption IS a stable feature in linux...it is the lack of proper integration of architectures from unRAID and linux kernel. for example nested block devices with dm_mod and md modules are no problem in vanilly linux. It should be possible with unRAID-md module as well, but I think emhttp is again the problem with the need to access a physical layer. ...I will have transparent encryption for my unRAID very soon, I think See here: http://lime-technology.com/forum/index.php?topic=13446.msg127556#msg127556 As soon as I tuned that setup, I'll use LUKS encrypted raw-disks on the host and pass the de-crypted device-side(s) to the unRAID-VM.
November 3, 201114 yr One solution to this is TrueCrypt. Now it wont fit everyones needs but it may for others. You could create a 20GB TrueCrypt drive and store the drive in UnRaid. You would of course need to mount the TrueCrypt drive in Windows but at least your data would be secure. I am going to use this for the documents i store on it.
December 24, 201114 yr After many years I finally dropped TrueCrypt on my laptop and went full disk encryption with LUKS(dm-crypt)+LVM. I use LVM in order to have flexibility and get prompted only once for a single password that protects root partition, swap and home. Performance is just great especially if you happen to have an Core i5+ CPU with built-in hardware AES. For unRaid I think LUKS is the one that makes one sense for its kernel integration and performance and more importantly for a NAS that you may have in your basement, you can remote unlock the system when rebooting it... Priceless! A SSH server can be started early during the boot process in order to receive the unlock key. http://blog.nguyenvq.com/2011/09/13/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu/ Now I don't know how LUKS will work with current unRAID implementation and user shares. Alphazo PS: As a side note while TrueCrypt is not available on Android phones there is a nice LUKS manager GUI available in the market.
December 26, 201114 yr Been a year... still wish to be able to encrypt the sum total of my unRAID data and require a password on every boot - the ability to provide this remotely as mentioned in the post before this one would be awesome! I have yet to dive into trying this because well life and my fear that if I screw something up I'll lose all my data! :-( I keep hoping that something button push simple or a feature from Tom will come up. The ability to do this via unMENU sounds good mind you but I want to pretty much encrypt ALL of my video and with something fairly secure. I don't want to do it in such a way that client PC have to have a password either. Something akin to Truecrypt full volume for unRAID would be fine please :-) Truecrypt won't work as-is though I don't think and that's a shame as I've used it and like it! Just the thought of someone hauling my machines away, digging through my system backups, my hard work encoding videos, my music, my TAX returns(!), boils my blood. <sigh>
December 27, 201114 yr Author Now I don't know how LUKS will work with current unRAID implementation and user shares. +1 for LUKS ...but I doubt that it will be do-able. Native disk access with LUKS will be done by the dm-* kernel modules (dm-crypt especially) and the modified/non-stock-linux md-module from unRAID will need to work with/on-top-of the devices created by dm instead of the raw, native disks. A thing that would need some modifications in the md-module and emttp, I think. Maybe this is the reason why this feature dropped from the wishlist silently. For myself, I finally gave up waiting and moved my stuff to a ZFS based solution where I can have this feature from within solaris11.
January 1, 201214 yr Does the post by Joe L cover what you want? No, I do not believe so. Having to specify directories to encrypt is not what I want, I'm looking for full VOLUME encryption. Think TrueCrypt for an entire disk under unRAID. Without the password I want all of my disks to be inaccessible. I wish to input this password at boot time and be invisible otherwise.... I'd also like this to be an easy install with as little "hacking" as possible so that screwing it up and losing multiple TB worth of data is less likely. Heck, how about giving us a WEB page to input the password during boot so that the server console need not be accessed?
January 1, 201214 yr I kind of see the point in want encryption... but than again... I don't. Obviously this would be an opt-in feature and would be disabled by default. I don't think time needs to be spent on trying to get this to work, at least not right now. This seems like a very niche thing that I don't think many would use.
January 2, 201214 yr I kind of see the point in want encryption... but than again... I don't. Obviously this would be an opt-in feature and would be disabled by default. I don't think time needs to be spent on trying to get this to work, at least not right now. This seems like a very niche thing that I don't think many would use. It may not fit your needs but it fits mine and I'm sure that of others, some of whom have spoken up. If someone comes into your home and takes your hardware - for whatever reason - wouldn't you like to rest easy knowing that they have gotten none of your data? None of your tax records, none of your system backups, no music or other media for which you cannot prove 100% was purchased from you, the list is ENDLESS.
January 2, 201214 yr If someone comes into your home and takes your hardware - for whatever reason - wouldn't you like to rest easy knowing that they have gotten none of your data? But for me, they would have gotten nothing of importance. None of your tax records, none of your system backups, no music or other media for which you cannot prove 100% was purchased from you, the list is ENDLESS. I keep NONE of my tax information etc on unRAID. The only thing they would get is my media, which they can have for all I care. My backups are done with Crashplan which is encrypted to begin with.
January 2, 201214 yr I can see the point of it, However where this happens on the roadmap would be anyone's guess. unRAID v5 has been in beta since 2010 and we need to have a stable v5 before anything happens.
February 13, 201214 yr Please consider this another vote for some sort of disk encryption feature with unRAID. Some people may not have anything important on their servers but some do. Yes, my important stuff is backed up elsewhere but I still don't want to make it easy for any potential thief to access my data. Thanks!
Archived
This topic is now archived and is closed to further replies.