November 10, 2009

from an information security perspective, i would like to request that something like libdcrypt be included in the base unRAID package.

how i imagine it would work:

if config param crypt=true
: don't start the array at boot
: require passphrase, either at the command prompt or via the web browser, to mount the volumes
else
: standard unRAID as you know it now

note that the passphrase should not (ideal: -can- not) be stored locally.

if you are paranoid or are security concern-oriented, you probably understand the "why" behind my request.

- wjw
November 10, 2009

> from an information security perspective, i would like to request that something like libdcrypt be included in the base unRAID package.
>
> how i imagine it would work:
>
> if config param crypt=true
> : don't start the array at boot
> : require passphrase, either at the command prompt or via the web browser, to mount the volumes
> else
> : standard unRAID as you know it now
>
> note that the passphrase should not (ideal: -can- not) be stored locally.
>
> if you are paranoid or are security concern-oriented, you probably understand the "why" behind my request.
>
> - wjw

I do understand the why behind your request, but for something like unRAID that is marketed mainly towards home use I don't see much need for it in the core unRAID. Personally you would probably be better off using something like TrueCrypt on unRAID or an encrypted Disk Image that is stored on the server. I do not want my entire server's contents to be encrypted, just a select few things (shares), and for those I could create an encrypted Disk Image and go from there.
November 10, 2009 (Author)

not to be (too) snarky, but have burglaries not occurred in your area?

my desire is to have -all- personal data, including family pictures, encrypted. like it or not, that "share" has ballooned (thanks to the wife's d90) to ~400gb.

could i just create a volume for this? sure. though, have you ever had the pleasure of playing with large volumes-as-files? even locally they can be frustrating to work with. oh. and the resizing.

could i just hang another drive off of the unraid box and share it? sure. but then i've got to come up with my own backup means.

so, of course i'm going to defend the legitimacy of my own request, i see this as pretty important and certainly a differentiating feature.
November 10, 2009

> not to be (too) snarky, but have burglaries not occurred in your area?

Thankfully I have not had any problems with burglaries in my area. My server also happens to be in my basement in a way back corner that someone would have to take a considerable amount of time to get to. Not to mention I have the thing locked down via a Kensington lock.

> my desire is to have -all- personal data, including family pictures, encrypted. like it or not, that "share" has ballooned (thanks to the wife's d90) to ~400gb.
>
> could i just create a volume for this? sure. though, have you ever had the pleasure of playing with large volumes-as-files? even locally they can be frustrating to work with. oh. and the resizing.
>
> could i just hang another drive off of the unraid box and share it? sure. but then i've got to come up with my own backup means.
>
> so, of course i'm going to defend the legitimacy of my own request, i see this as pretty important and certainly a differentiating feature.

An encrypted Disk Image on OS X can grow to whatever size you need it to be, so for me to use that there is no "expansion" or resizing issue.

I would suggest taking a look into Crashplan (see the unRAID wiki and look for the Crashplan entry). I use it to back up all my data offsite so if anything were to happen I can get it back.
November 11, 2009

I can see the need for security. It's dumb to not protect personal data (encrypt e-v-e-r-y-t-h-i-n-g). Although, I don't see a reason to add the overhead of encrypting movies/music.

This type of feature built into the core of unRaid would definitely be a selling feature. Maybe ability to choose which disks are encrypted or set a user share as encrypted (might not be possible).
November 11, 2009

I'd agree I'd love this feature as well. I currently have a generous smattering of truecrypt volumes across the array for bits and bobs - but as above they're a real pain to work with.

Full disk encryption on a per drive, per share or just per array basis would be excellent. (I can't really see a way to do it per share)

Assuming of course it's done in such a way that a data drive can be removed from the array and put into another machine to be read as normal - so using fairly standard linux encryption tools.
November 11, 2009 (Author)

i don't think it can be done on a per-share basis with a "make easy" button.

per-drive/per-array should be "easy" b/c it can simply be part of the drive-mount process. that is, no real unRAID logic needs to be modified -- it'd happen before the magic. done at the per-share level would require knowledge of each mount, each mount's participation in user shares, etc.

at a minimum, i wouldn't mind if no part of the array could start without all drives being passphrase-mounted. though.. and this ties together a piece of another feature request: maybe the decrypted (or unencrypted) mounts could be mounted *read-only*. (i'm tying this to the military-user's request [sorry, forgot your name] of SelfHeal -- and rather, i'm tying it to Joe's response to that request).

if the array could be mounted in a "crippled" fashion read-only, it would probably make sense to port that feature back into pre-libdcrypt unRAID: if on mount there is an issue with one of the devices && some (possibly default) parameter was set, all drives capable of being mounted are mounted, but *read-only*.
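The boot-time gate from the opening post (no array start until a passphrase is supplied, nothing stored locally) combined with the all-drives-or-nothing rule in the post above, as an added example that is not part of the thread and not unRAID code. It assumes LUKS volumes opened with cryptsetup; the `crypt=` parameter, the device paths and the `crypt_` mapper names are hypothetical.

```shell
# Added example; the crypt= parameter and device paths are hypothetical.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}   # overridable, so the logic runs without root

# crypt_enabled FILE: true only if the config contains the line crypt=true.
crypt_enabled() {
    grep -Eq '^[[:space:]]*crypt[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# unlock_all PASSPHRASE DEVICE...: open every LUKS device, or leave none open.
# The passphrase reaches cryptsetup on stdin (--key-file=-) from the printf
# builtin: it is never written to disk and never appears in an argument list.
unlock_all() {
    local pass dev name opened
    pass=$1; opened=""
    shift
    for dev in "$@"; do
        name="crypt_$(basename "$dev")"
        if printf '%s' "$pass" |
            "$CRYPTSETUP" open --type luks --key-file=- "$dev" "$name"; then
            opened="$opened $name"
        else
            # One failure: close what was opened so nothing starts half-unlocked.
            for name in $opened; do "$CRYPTSETUP" close "$name"; done
            return 1
        fi
    done
}

# start_gate CONFIG DEVICE...: prints "start" if the array may start, else "locked".
start_gate() {
    local cfg pass
    cfg=$1; pass=""
    shift
    if ! crypt_enabled "$cfg"; then echo start; return 0; fi
    # Interactive: prompt with echo off. Otherwise read one line from stdin
    # (for example, handed over by a web front end).
    if [ -t 0 ]; then printf 'Array passphrase: ' >&2; stty -echo; fi
    IFS= read -r pass
    if [ -t 0 ]; then stty echo; echo >&2; fi
    if unlock_all "$pass" "$@"; then echo start; else echo locked; return 1; fi
}
```

The opened mappings appear under `/dev/mapper/`, and those are what the normal drive-mount step would then use in place of the raw partitions.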
November 11, 2009

maybe something can be done at the fuse level.

http://www.debianadmin.com/filesystem-encryption-tools-for-linux.html
http://prefetch.net/blog/index.php/2007/05/29/encrypting-data-with-the-fuse-encryption-module/
http://www.debian-administration.org/articles/204
November 11, 2009

WeeboTech,

This is too advanced for my linux knowledge, but I like that you suggest using libs that already exist in unRaid.

One requirement for a complete (or per disk) encryption is to be able to encrypt without having to "create" an encrypted partition first. This would mean the data would need to be copied back afterward. Truecrypt lets you encrypt your Windows OS (I've done this on my laptop) even while you are using it. Am I making sense?

If the feature only allowed all disk encrypted or none that would be great. I would not be happy if I had to copy back my existing data (a lot). It would then be a decision when setting up unRaid for the first time.

Like I said, adding CPU overhead to decrypt movies/music could hurt streaming speed, but I'm all for a complete unRaid encryption setup if it can be done for existing unRaid data.
December 3, 2009

encfs is great. I use it on my Arch laptop to secure most of my home directory. It uses FUSE exclusively so no kernel specific modules required. Compared to Truecrypt you don't have to reserve encrypted space in advance. It grows as your data grow. Basically you have one directory where files are accessible in clear text (when password entered) and another one full of the 'same' files (but encrypted) with garbage filenames. Size, permissions and access time remain visible so it doesn't protect you against all attacks but at least it adds confidentiality and protects your assets if hard drives are stolen. Furthermore compared to container schemes (TrueCrypt) you can do incremental backup of your encrypted data. One more amusing thing about encfs is that by default even root cannot access the directory you have mounted with your passphrase. This is something you need to enable.

On the minus side it is not as cross-platform as Truecrypt (win, mac OS, Linux, not BSD) as it is not available under windows but hell that is not a real problem for backups.

It would be a nice companion for unRAID where you could define multiple encrypted directories with separate keys.

For sanity check I installed http://repository.slacky.eu/slackware-12.1/system/encfs/1.3.2-1/encfs-1.3.2-i486-2kc.tgz and tried to execute it but I got an error:

    encfs: error while loading shared libraries: librlog.so.1: cannot open shared object file: No such file or directory

I'm pretty confident that it should be working on unRAID due to its low dependency approach.

BTW, when installing packages on unRAID, which slackware version should I be looking at? (I'm running 4.45 Beta 12).

Thanks
Alphazo
December 3, 2009

> For sanity check I installed http://repository.slacky.eu/slackware-12.1/system/encfs/1.3.2-1/encfs-1.3.2-i486-2kc.tgz and tried to execute it but I got an error:
>
>     encfs: error while loading shared libraries: librlog.so.1: cannot open shared object file: No such file or directory
>
> I'm pretty confident that it should be working on unRAID due to its low dependency approach.
>
> BTW, when installing packages on unRAID, which slackware version should I be looking at? (I'm running 4.45 Beta 12).
>
> Thanks
> Alphazo

Currently unRAID is based on Slackware 12.2.

Obviously, the package you mentioned needs lib "rlog". I think it also depends on "boost".

See this post: https://www.linuxquestions.org/questions/slackware-14/encounter-problem-in-configuring-encfs-694860/#post3396862
December 3, 2009

alphazo, thanks for the suggestion. One reason I want to stick with Truecrypt is because of the cross-platform compatibility. True, once a container size (or whole drive partition) is set, it won't grow. I haven't had a problem with this limitation (yet). Regardless how it is accomplished, my goal is to have an encrypted space that can be synced with an encrypted backup. Until I figure out rsync, I'm sticking with a program called SyncBack SE.

As suggested, being able to designate a disk (or share) as encrypted within unraid would protect against a stolen server. Not only is adding security a selling feature, but in the case of an encrypted share (if even possible), the space limitation is eliminated (shares grow anyhow). The only difference (might not be this simple) is the files are encrypted when copied to the share. User shares are one of the great features of unRaid and why I chose it as my storage solution.
December 3, 2009

> encfs is great. I use it on my Arch laptop to secure most of my home directory. It uses FUSE exclusively so no kernel specific modules required. Compared to Truecrypt you don't have to reserve encrypted space in advance. It grows as your data grow. Basically you have one directory where files are accessible in clear text (when password entered) and another one full of the 'same' files (but encrypted) with garbage filenames. Size, permissions and access time remain visible so it doesn't protect you against all attacks but at least it adds confidentiality and protects your assets if hard drives are stolen. Furthermore compared to container schemes (TrueCrypt) you can do incremental backup of your encrypted data. One more amusing thing about encfs is that by default even root cannot access the directory you have mounted with your passphrase. This is something you need to enable.
>
> On the minus side it is not as cross-platform as Truecrypt (win, mac OS, Linux, not BSD) as it is not available under windows but hell that is not a real problem for backups.
>
> It would be a nice companion for unRAID where you could define multiple encrypted directories with separate keys.
>
> For sanity check I installed http://repository.slacky.eu/slackware-12.1/system/encfs/1.3.2-1/encfs-1.3.2-i486-2kc.tgz and tried to execute it but I got an error:
>
>     encfs: error while loading shared libraries: librlog.so.1: cannot open shared object file: No such file or directory
>
> I'm pretty confident that it should be working on unRAID due to its low dependency approach.
>
> BTW, when installing packages on unRAID, which slackware version should I be looking at? (I'm running 4.45 Beta 12).
>
> Thanks
> Alphazo

I really like the sound of this. If you get any further with installation please let us know.
December 3, 2009

> alphazo, thanks for the suggestion. One reason I want to stick with Truecrypt is because of the cross-platform compatibility. True, once a container size (or whole drive partition) is set, it won't grow. I haven't had a problem with this limitation (yet). Regardless how it is accomplished, my goal is to have an encrypted space that can be synced with an encrypted backup. Until I figure out rsync, I'm sticking with a program called SyncBack SE.
>
> As suggested, being able to designate a disk (or share) as encrypted within unraid would protect against a stolen server. Not only is adding security a selling feature, but in the case of an encrypted share (if even possible), the space limitation is eliminated (shares grow anyhow). The only difference (might not be this simple) is the files are encrypted when copied to the share. User shares are one of the great features of unRaid and why I chose it as my storage solution.

Hi Kapperz,

I use both encFS and Truecrypt. While Truecrypt is great for portability between operating systems (I use it between Linux, Mac OS and Windows for my portable hard drive) I think it has some limitations in a network environment when used with unRAID. First it is not suited for multi-users because one user needs to mount one container so its content cannot be shared via unRAID. The second thing is potential corruption of the container during network disconnects. Lastly having a big container doesn't make incremental backup easy.

That's why I believe that encFS is ok for an unRAID environment where the content can be either mounted (and shared) by root on unRAID or by users directly in their shared directory.
December 3, 2009

Well this certainly runs under unraid. I'm having a curious issue where creating a new encfs filesystem from scratch works with no problem and you can write to it (although doing this via a user share kills performance - due to going through two layers of fuse?)

However if you unmount the filesystem (fusermount -u) and then remount, any writes you send to it will stall the system disk i/o to anything until the encfs process is killed.

Anyone else tried?

update: this seems to be quite random and is made worse by trying to write a large file. Smaller files seem to go through sometimes instantly, sometimes with a delay of seconds to minutes. Very odd.
December 3, 2009

Just posted a quick tutorial on encFS

http://lime-technology.com/forum/index.php?topic=4804.0
December 3, 2009

> Just posted a quick tutorial on encFS
>
> http://lime-technology.com/forum/index.php?topic=4804.0

Pretty much what I ended up doing - do you see the same problem as me? unmount and remount your encfs directory multiple times in one session and copy a variety of different files / sizes to it.