Where does disk encryption stand?



2 hours ago, xRadeon said:

Is there any particular reason Unraid doesn't use the TPM to store the key? Is this a Linux thing? Or more of a file system thing? It's just strange coming from Windows is all...

Even coming from Linux, it's rather peculiar to have such importance put on a USB stick. And it seems insecure. You grab the stick, change config and you have full remote access to everything on the server. I don't know, I would not design it this way either.

I'm experienced closing down co-located hardware in ways that prevent datacenter personnel or thieves from easily getting access to the data and servers. A USB stick with the bootloader and full config is not exactly how I would do that.

Edited by fluisterben
Link to comment

The passphrase (or key-file) to unlock encryption is not stored permanently on the system or the USB device at all.

The passphrase (or key-file) is needed to start the encrypted array. At this point the system asks for input and saves it in the folder /root (in RAM).

Once the array is started the file in /root isn't needed anymore and the GUI offers the possibility to delete it. This prevents any theft or security breach.

File deletion however means that when the array is stopped and restarted, it is necessary to enter the previous passphrase (key-file) information again.

 

Link to comment

Many new users are needlessly concerned about the role of the USB flash drive Unraid boots from.

 

Here is one way to think of this.

 

Unraid is an "embedded" system, like many NAS, or your router, or other devices that have "firmware". The OS is loaded from the "firmware" into RAM, and the OS runs completely in RAM.

 

The USB flash drive in Unraid is "firmware" that is easily updated, easily backed up, easily replaced. And because all these things are easily accessible, it is impossible to "brick" this "firmware".

Link to comment
19 hours ago, trurl said:

The USB flash drive in Unraid is "firmware" that is easily updated, easily backed up, easily replaced. And because all these things are easily accessible, it is impossible to "brick" this "firmware".

Not sure if that would be reassuring for newcomers. ;-) It's the "easily updated" thing that makes it less secure. Unraid doesn't use a key-exchange or encrypted file-hash check over TLS or anything of that nature. Again, I'd advise implementing an alteration of CSF/LFD scripts built in the OS. At the very least you need to inform the user when files on the USB stick have been altered by something other than Lime tech themselves. Directory and file watching, with a default set of dirs and files. Thus far I've not seen Unraid do anything of that nature. For now we should see Unraid as a DMZ and treat it as such, but still, the easily removable flash with its firmware, hmm.

For our use here at home I'm not worried, because our Unraid hardware is very well hidden, but any USB stick that can be pulled out, which itself isn't encrypted in any way, on which you can easily put something that boots for your remote exploit is not 'secure'. You take it out, put it in a laptop or smartphone, change config or plant that exploit, put it back in, power-cycle the server, and you have your remote root access, done in 1 minute flat. Just sayin'.

Link to comment
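
The "directory and file watching" idea from the post above can be approximated with a hash baseline of the flash contents. This is an added example, not part of the thread and not Unraid's own code; the script name `flash-verify.sh`, the function names and the choice of SHA-256 are assumptions, and DIR is wherever the flash is mounted.

```bash
#!/usr/bin/env bash
# Added example: hash baseline for the files on the boot flash drive.
# Assumptions: GNU find/sort/xargs/sha256sum, and a manifest stored away from
# the stick (a manifest kept on the stick can be rewritten along with the files).

# Print "<sha256>  <relative path>" for every regular file under $1, sorted.
flash_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# Record the current state of directory $1 in manifest file $2.
flash_baseline() {
    flash_manifest "$1" > "$2"
}

# Compare directory $1 with manifest $2. Prints one MODIFIED/ADDED/REMOVED
# line per difference and returns 1 if anything differs, 0 otherwise.
flash_verify() {
    local current status=0
    current=$(mktemp) || return 2
    flash_manifest "$1" > "$current"
    awk '
        # The hash is 64 hex characters, then two separator characters, then
        # the path, so paths containing spaces survive intact.
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        !(path in base)     { print "ADDED    " path; bad = 1; next }
        base[path] != hash  { print "MODIFIED " path; bad = 1 }
        { seen[path] = 1 }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED  " p; bad = 1 }
            exit bad + 0
        }
    ' "$2" "$current" || status=$?
    rm -f "$current"
    return "$status"
}

# Usage (hypothetical script name): flash-verify.sh baseline|verify DIR MANIFEST
case "${1:-}" in
    baseline) flash_baseline "$2" "$3" ;;
    verify)   flash_verify "$2" "$3" ;;
esac
```

A check run by the server itself only helps while the running OS is still trusted, so a stick that has been out of your custody is better verified on another machine before the server boots from it. The baseline has to be re-recorded after every legitimate update, since an OS upgrade changes the same files.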