bubbaQ Posted June 9, 2008

I have Truecrypt installed and running on my unRAID box, and I am experimenting with it. I am not so much concerned with access to unRAID files over the wire, as passwords take care of that. I am more interested in protection against anyone accessing the data if the server was stolen. In my work, I maintain some *very* sensitive information.

I'm wondering, how would a "secure" version of unRAID be received? My vision is that the Web interface implement SSL encryption, and the unRAID volumes don't mount until you first enter the Truecrypt password. So when you boot unRAID, the web interface is available, but shows no drives. You have to enter the password for the drives to mount.

A slightly more advanced option would be an interface where you could designate individual drives as encrypted or not, so your non-sensitive information, such as movies and music for the media player, would mount with an unattended unRAID boot. The encrypted drives would remain unmounted unless you first go to the interface and mount them.
NLS Posted June 9, 2008

I am all in, BUT I'd like a way to mount (and decrypt) single disks on a Windows machine too (in case of emergency).

(btw from the subject I thought the thread was related to Tom's whereabouts :P )
NAS Posted June 9, 2008

Would you be looking at the full disk encryption method, or creating encrypted containers the maximum size the partition would allow?

Truecrypt is an excellent program I use every single day, but I've never trusted it with irreplaceable data since there are quite a few horror stories of smaller disk errors causing complete loss of the entire encrypted container. I know of no way to recover data in the event of Truecrypt not being able to mount the data natively.

I am definitely interested in this for the exact same reason as you guys are (in fact I believe it's already in the site wishlist).
WeeboTech Posted June 9, 2008

"there are quite a few horror stories of smaller disk errors causing complete loss of the entire encrypted container"

That's enough to scare me away! I.e., unless you somehow back up your data to another drive off site unencrypted.
bubbaQ (Author) Posted June 10, 2008

My data of interest in this regard is not irreplaceable, but is very sensitive, often containing sensitive personal, medical, and financial data of thousands of people... usually Encase images, and the originals are safely stored in safes offsite. However, I understand the caveats of others with irreplaceable data.

After working with it today, I've concluded that I can't integrate TC whole-disk encryption as an aftermarket integration with unRAID... it would involve some Herculean effort. I also notice that Tom has even removed some otherwise standard options in the Kconfig shipped with unRAID (such as crypto support), and I'm assuming he did that for very good reasons (like SMP support).

I also doubt Tom would want to consider this in the future, because it would definitely not play nicely with Fuse, which is critical to user shares.

Thanks to those who expressed interest... but I think this horse is dead.
WeeboTech Posted June 10, 2008

If you can mount a container file on a loopback device then it may still work for you.
bubbaQ (Author) Posted June 10, 2008

Yes, I can do that, but unRAID will not mount it. I believe that unRAID could do it, but it would take some source mods to the proprietary parts.
NAS Posted June 10, 2008

Since something like this is already on the to-do list, perhaps Tom could add the bits we need if we identify them. If he's going to be working on it anyway we might as well get a head start.

If people only needed a few gig of encrypted space then we could easily script some container version control and backup to alternative disks.

We would however absolutely need an SSL or SSH interface for password entry or it wouldn't be worth the effort.

I'm still game.
WeeboTech Posted June 10, 2008

If emhttp could do the pre and post start scripts, i.e. run level control, we could add it ourselves. As far as SSH, that can be added by us. SSL on the web interface... I dunno about that one.

I suppose this would need to be put to a vote, for the order in which features are added. Not sure where home users would place this on the priority list of enhancements.
bubbaQ (Author) Posted June 10, 2008

Containerized encryption is already doable by using TC on the PC that maps to unRAID.

Full disk encryption can only work if a replaced drive can be rebuilt with the encryption intact... but part of that information (written when the volume is created in TC) is outside the fs, i.e. outside of the unRAID management. So a failed drive won't be rebuilt properly from TC's perspective.

So you can't TC prep a volume, and then mount it in unRAID. The only way full disk encryption can be done is to mount the disk via unRAID first, and then TC prep it. As it is now, TC won't do that.

Plus, I'm not sure unRAID will parity protect every physical sector... including those outside the Reiser FS, which is where important TC info is.
WeeboTech Posted June 10, 2008

If Truecrypt can be used on an MD device with standard software RAID then it should be able to be used on unRAID. If Truecrypt uses blocks/sectors outside of a partition (i.e. the MBR) then it won't work without some effort on Lime Technology's part.

With standard software RAID, an MD device has a size, but when you put a filesystem on it, part of the size used by the filesystem is kept for the md device's superblock itself.

I don't know enough about Truecrypt to determine anything, but if you can use a container file mounted on loopback then that might suffice. With some systems iSCSI is done like that. A container file (or LVM volume) is exported via iSCSI. I guess sorta like a VMware virtual disk.
NAS Posted June 10, 2008

My vote for stage 1 would be for containers. Truecrypt is cross platform and moving a container about is as simple as copying a file.

Full disk encryption would be excellent as well but it's a different solution to a different problem. If I was using full disk encryption I would want all disks encrypted as I wouldn't be moving the disk about.