Adding an Encryption Layer



Adding an encryption layer would be a very nice feature, but I would like to see an encryption layer for a specific share instead of the whole disk.

 

I would actually prefer this to whole disk encryption as well. IMO it's more important to encrypt shares that contain personal information than it is to encrypt shares containing my plex shared movie files. Also, the way shares work with unraid, you could have personal information and non-personal on the same disk, or spread across many disks.

 

I know whole disk encryption is the "holy grail" or whatever, but I'd rather not be locked into not using shares, or encrypting my whole array.

 

I do like the idea of a 2nd USB key based solution. That seems pretty elegant.

Link to comment
  • 2 weeks later...

Adding an encryption layer would be a very nice feature, but I would like to see an encryption layer for a specific share instead of the whole disk.

 

I would actually prefer this to whole disk encryption as well. IMO it's more important to encrypt shares that contain personal information than it is to encrypt shares containing my plex shared movie files. Also, the way shares work with unraid, you could have personal information and non-personal on the same disk, or spread across many disks.

 

I know whole disk encryption is the "holy grail" or whatever, but I'd rather not be locked into not using shares, or encrypting my whole array.

 

I do like the idea of a 2nd USB key based solution. That seems pretty elegant.

 

 

I agree with encryption per share.

Also regarding 2nd USB, one can use something like a Yubikey.

Link to comment
  • 2 months later...
  • 7 months later...
  • 4 months later...
  • 5 months later...

I'll throw my hat in on this one as well. I would be ok with whole disk or per share (ultimately would encrypt all shares).

 

Something along the lines of FileVault or Bitlocker where you authenticate on boot (GUI or console or both?) and then the data is available. On power off the data is encrypted so on the off chance someone tries to make off with my drives the data is useless.

Link to comment
33 minutes ago, limetech said:

It's going to be device-level encryption that would apply to all assigned devices.  "Go big or go home" 

Bloody hell, wasn't expecting that.  LT going all out at the moment with stuff....  Nice one fellas.

Link to comment
1 hour ago, limetech said:

 

It's going to be device-level encryption that would apply to all assigned devices.  "Go big or go home"  :D

 

This is really the only way to do it properly. Hopefully there will be a method of decrypting an individual disk outside of unRAID in the event that everything goes to hell and you need to try to recover your data the hard way. One of the many benefits of unRAID is being able to pull one or more data disks out of your server, slap it into another box, and be able to access its files. Something you can't do with a striped RAID array. I'd hate to lose that by enabling encryption, even if I'm not likely to ever actually need it.

Link to comment

Assuming the scope of the encryption is to prevent access to the data on the drives if removed from the host, then the following types of authentication methods could be useful:
- GUI password
- unRAID USB hardware id
- separate USB hardware id or key file.

The latter two options would allow for automatic authentication on boot.

The last option would allow for easier securing of the drives. In my case my unraid USB is internal, so removing it for periods such as going on holiday etc. to protect from theft of the whole server is not viable.



Link to comment
12 hours ago, limetech said:

 

It's going to be device-level encryption that would apply to all assigned devices.  "Go big or go home"  :D

 

This is great news to be able to have encryption.

When you say this would be applied to all assigned devices, would this include the cache drive or just the array?

I was wondering if there would be much of a performance hit with encryption enabled.

I was hoping the cache would remain unencrypted so only once mover has moved the files they become encrypted.

This is because I wonder if running vdisks for VMs off an encrypted cache would affect the performance of my VMs.

I guess running the VMs off an unassigned drive would be a way around this.

Link to comment
13 hours ago, limetech said:

 

It's going to be device-level encryption that would apply to all assigned devices.  "Go big or go home"  :D

 

Awesome, thanks for the response!

 

Not being too up on encryption specifics - the merits of device vs. file level - I'm not sure what benefits this brings, but it's excellent to see encryption is being worked on. Does this mean there'll just be a global on/off setting?

Link to comment

I was really hoping for the share level - but I understand there could be some technical difficulties with this. As it will certainly affect speed, I wanted just one share for sensitive data. How does this work with Parity I wonder? Wouldn't it have to be the entire array?

 

Either way, any progress is good progress. Glad I commented :)

Link to comment

+1 from me - My server is in an outbuilding, so the whole server could get stolen.

 

Not an expert on encryption, but is there a way of doing authentication against something on the LAN or Internet? E.g. using local DNS to store a key? That would mean it could reboot automatically while still connected to the LAN, without needing to replace a USB key.

Link to comment
6 minutes ago, al_uk said:

My server is in an outbuilding

 

Assuming you're in the UK from your username.  Curious given our weather what sort of outbuilding you mean.  Not averse to the idea of moving mine into the garage, but worried about dirt & temp variation, so would love to know more about your setup.

 

Don't worry, not going to ask for your address and visit with a crowbar. ;-)

Link to comment

The server was in the loft for years, but I worry about the temp variation. Last week I moved it into the garage which stays quite cool. Keeping it cold is not the problem. Keeping it warm in winter will be.

 

So - I've built an enclosed half height server cabinet on castors 19" wide by about 20u, by 750mm deep. I used 2" x 3" CLS timber and OSB panels on every side. The idea is that the air circulates inside the cabinet and keeps the cabinet warm. Any exhaust should also raise the ambient temperature in the garage very slightly and hopefully prevent condensation in the winter on any metal stuff.

 

Next, I need to keep the temp within the cabinet within a controlled range. In the front "panel" of the rack I've installed 2 PWM controlled 120mm case fans. They are sucking air into the cabinet, and both fans have filters on the front. There is no specific exhaust vent yet. The panels are attached with velcro at the moment for testing, so there is enough air leakage out of the cabinet.

 

As it happens I can't get my motherboard (x10sra-f) to control the fans properly. Autofan and IPMI don't work properly and I need to be able to stop them completely anyway when it is cold. So I'll be using an Arduino to control the fan PWM and 12v supply. I've got until Winter to get that all working!

 

I'll put a smoke detector inside the cabinet as well at some point.

 

The server is just a minitower case at the moment, but I may get a rack mount at some point in the future, which is why I built the cabinet rack sized. I actually have my unraid test server in there as well which is switched off most of the time. There's also a UPS in there which gets it out of the house.

Link to comment

Just to add I did have a half height metal rack that I tried lining inside with OSB as best I could. But there was still enough metal exposed inside that the internal temp was only 3 or 4 degrees C above ambient. I'm looking for 20 degrees C above ambient. That's why I built my own.

Link to comment
7 minutes ago, al_uk said:

Keeping it cold is not the problem. Keeping it warm in winter will be.

Yep, that's my concern too.  My garage gets very bloody cold! 

 

Got to admit I'm impressed with your efforts.  Be very interested to see some pics and more details once you've finished!  Ingenious.

Link to comment
