6.6.6 > encryption questions


Hey Unraid-ers, I have a few questions regarding encryption.

I am a long-term user of TrueCrypt then VeraCrypt for Windows, but now with my Unraid array in operation I am testing a few encryption scenarios with the intention to move all my VeraCrypt files to Unraid. I am testing this on another PC using 2GB USBs (otherwise it will take too long to rebuild the array and perform parity check). I set up 4 drives (2 xfs based and 2 xfs-encrypted) as I only need to encrypt less than half of my files (namely financial data, documents, etc). And if something happens to my array, I can still recover the non-encrypted portion of my array. With the encrypted files, I do make regular backups on cloud/external storage as well, so minimal chance of losing critical data.

Now I have watched the awesome Spaceinvader One's video but I am a bit uncertain on a few things:

1. Can I partially encrypt my array? Will that cause any security issue?

2. I encrypted 2 usb drives with xfs-encrypted by changing the default file system to xfs-encrypted but in the Main page (GUI) after pre-clean, formatting and attaching them to the array, they still say xfs, is that a normal behaviour? Also, I don't see the padlock sign like the video.

3. I restarted and rebooted the array a few times to test it, and every time it asked me to enter the passphrase, but I can enter any/new passphrase? Is that normal? When using TC or VC, I need to enter the same passphrase.

4. If somehow I decided to take an encrypted disk from the array, is there an application that will allow me to see and transfer the files (obviously after entering the correct passphrase) à la TC/VC?

5. I can already limit the access to the encrypted shares (let's call it "secret" share) to other PCs in my network by changing the access level in SHARES, but I can't find any feature to block users from accessing the //tower in UNRAID. A user can still see what those files are by going to //tower and run the Krusader docker. Is there a way to limit access to //tower?

Thanks in advance for reading, and if you by chance know the answer and want to reply, even more thanks!

50 minutes ago, munchies2x said:

using 2GB USBs

Do you mean 2TB perhaps?

50 minutes ago, munchies2x said:

I encrypted 2 usb drives with xfs-encrypted by changing the default file system to xfs-encrypted but in the Main page (GUI) after pre-clean, formatting and attaching them to the array, they still say xfs, is that a normal behaviour? Also, I don't see the padlock sign like the video.

I don't understand. Are you saying you formatted them encrypted and then after that you precleared them, then formatted them, then assigned them to the array? That is all backwards.

5 hours ago, munchies2x said:

but I can't find any feature to block users from accessing the //tower in UNRAID. A user can still see what those files are by going to //tower and run the Krusader docker. Is there a way to limit access to //tower?

I am not sure I understand what you are saying here. It sounds like you are saying a user could go to the web gui, start the Krusader Docker and get access to your files? Do your various users have access to the root password for your unRAID machine?

18 hours ago, trurl said:

Do you mean 2TB perhaps? 

I don't understand. Are you saying you formatted them encrypted and then after that you precleared them, then formatted them, then assigned them to the array? That is all backwards.

No, actual 2GB USB sticks as it is only a test array to speed up the parity build, etc. I precleared using the plugin, then attached them into the array as per normal, then formatted them (before this I also set the default filesystem to xfs-encrypted).

14 hours ago, primeval_god said:

I am not sure I understand what you are saying here. It sounds like you are saying a user could go to the web gui, start the Krusader Docker and get access to your files? Do your various users have access to the root password for your unRAID machine?

Yes, exactly. That's the thing, I don't know how to limit access for other users to the //tower. I know how to limit certain shares to certain users but not to the //tower... maybe I am missing something, but I can't find anything in the manual to do this....

6 hours ago, munchies2x said:

Yes, exactly. That's the thing, I don't know how to limit access for other users to the //tower. I know how to limit certain shares to certain users but not to the //tower... maybe I am missing something, but I can't find anything in the manual to do this....

The reason you haven't found anything is there is not a way. unRAID's concept of users does not extend to the web GUI or to the underlying Linux system. Users really shouldn't have or need access to the unRAID web GUI, only the admin.


Just to fill in one little detail.

If you haven't set a root password, you can do that in the webUI by going to Settings - Users and clicking on the root user to get to that user's page.

Then, only people who know that password will be able to log in to the webUI or at the terminal (console/telnet/ssh).

5 hours ago, primeval_god said:

The reason you haven't found anything is there is not a way. unRAID's concept of users does not extend to the web GUI or to the underlying Linux system. Users really shouldn't have or need access to the unRAID web GUI, only the admin.

Thanks, but doesn't that provide a security hole to the encrypted drive? i.e. An unauthorised user can log in to the gui, use the docker - like Krusader and see the encrypted files? Is there a docker/plugin that would provide access control? Even to just provide one logon (like root password) to protect the Web GUI.

5 hours ago, trurl said:

Just to fill in one little detail.

If you haven't set a root password, you can do that in the webUI by going to Settings - Users and clicking on the root user to get to that user's page.

Then, only people who know that password will be able to log in to the webUI or at the terminal (console/telnet/ssh).

Thanks, I did set up a root password. To access the direct GUI (not //tower) after boot, I need to enter the root password. But I use several browsers (including the incognito mode) and I am still able to access the //tower without entering any password...

1 minute ago, munchies2x said:

Thanks, I did set up a root password. To access the direct GUI (not //tower) after boot, I need to enter the root password. But I use several browsers (including the incognito mode) and I am still able to access the //tower without entering any password...

You can log out from the GUI and from the terminal. GUI logout is on every page in the top right area.

3 hours ago, munchies2x said:

An unauthorised user can log in to the gui, use the docker - like Krusader and see the encrypted files?

The docker engine is part of unraid, but your choice to install and run a specific docker, like krusader or dolphin, is purely your choice and your responsibility to secure.

If you secure the main GUI with a password, nobody can log in and start or install any dockers.

If you leave krusader running, that's on you.

In general, assume unraid is insecure and needs external protection, in the form of firewalls and physical security. It has no place being deployed directly in a public place, either physically or a public network.
