Ben1010101
Hi everyone,
I've just assembled my first NAS server. The hardware specifications are as follows:
- HP Proliant ML10 V2
- 16GB (4 x 4GB) DDR3 1600MHz (@ 1333MHz) ECC
- Intel Pentium G3240
- Seagate ST1000DM003
- Toshiba DT01ACA300 (Quantity: 2)
- SanDisk SDCZ43-016G (Quantity: 2)
After reading various topics regarding disk encryption, there appears to be some confusion amongst FreeNAS users on the relationship between the encryption key, passphrase, and recovery key. In addition to this, the official documentation seems to be slightly ambiguous (but perhaps this is just due to my inexperience in this area). Ideally, I'd like to have a clear understanding of disk encryption within FreeNAS before copying across irreplaceable data. Are the following assumptions correct?
Encryption Key (applicable options include "Download Key" and "Encryption Re-Key"): the cipher which is used to encrypt/decrypt the data contained within the disk/volume. If the encryption key is unavailable (i.e. the FreeNAS system disk has been destroyed and no manual backup was previously performed), then the volume cannot be mounted/recovered, regardless of whether the passphrase is correct or the recovery key is available.
Passphrase (applicable options include "Create Passphrase" and "Change Passphrase"): optional, but used as an additional layer of security to encrypt/decrypt the encryption key (above). If the passphrase is set, the combination of the encryption key and the passphrase (or the recovery key) is required to mount/recover the volume. If the passphrase isn't set, only the encryption key is required to mount/recover the volume. Hence, setting the passphrase prevents data recovery when the physical hardware is taken off-site (i.e. returned to the manufacturer or stolen).
Recovery Key (applicable options include "Add Recovery Key" and "Remove Recovery Key"): optional, but essentially replaces the passphrase in situations where the passphrase has been forgotten.
Hoping that the above assumptions are correct, I did the following:
- Created an encrypted volume.
- Removed the recovery key via the "Remove Recovery Key" option (potentially redundant if only one recovery key can be active at any given time).
- Set the passphrase via the "Create Passphrase" option.
- Generated a new recovery key via the "Add Recovery Key" option.
- Downloaded the recovery key to an encrypted local computer, which syncs with a cloud service.
- Downloaded the encryption key to an encrypted local computer via the "Download Key" option, which syncs with a cloud service.
I apologise for the long-winded post, but would appreciate any feedback. Thank you!
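A simplified model of the key relationships asked about above, added here as an example; it is not part of the original post and is not FreeNAS code. It assumes the GELI-style layout that FreeNAS volume encryption is built on (a master key held in on-disk metadata and wrapped in two slots); `Volume`, `user_key`, `wrap` and the XOR-based wrap are hypothetical stand-ins for the real cipher.

```python
import hashlib, hmac, secrets
# Assumption: two-slot layout modelled on GELI; names and XOR wrap are illustrative.

def user_key(keyfile, passphrase, salt):
    """Mix key-file bytes and an optional passphrase into one slot key."""
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    mac.update(keyfile)
    if passphrase is not None:
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 50_000))
    return mac.digest()

def _pad(ukey, n):
    return hmac.new(ukey, b"wrap", hashlib.sha512).digest()[:n]

def wrap(master, ukey):
    # Stand-in for the real cipher: XOR with an HMAC-derived pad, plus a check tag.
    blob = bytes(a ^ b for a, b in zip(master, _pad(ukey, len(master))))
    return blob, hmac.new(ukey, b"verify" + blob, hashlib.sha256).digest()

def unwrap(slot, ukey):
    blob, tag = slot
    expect = hmac.new(ukey, b"verify" + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong key file and/or passphrase for this slot
    return bytes(a ^ b for a, b in zip(blob, _pad(ukey, len(blob))))

class Volume:
    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.master = secrets.token_bytes(32)  # kept here only so the demo can compare
        self.slots = [None, None]              # on-disk metadata: wrapped copies only

    def set_slot(self, n, keyfile, passphrase=None):
        self.slots[n] = wrap(self.master, user_key(keyfile, passphrase, self.salt))

    def unlock(self, keyfile, passphrase=None):
        ukey = user_key(keyfile, passphrase, self.salt)
        found = (unwrap(s, ukey) for s in self.slots if s)
        return next((mk for mk in found if mk is not None), None)

def demo():
    vol, pw = Volume(), "constructed passphrase"
    key, recovery = secrets.token_bytes(64), secrets.token_bytes(64)
    vol.set_slot(0, key, pw)      # encryption key + passphrase
    vol.set_slot(1, recovery)     # recovery key, no passphrase
    out = {"key+passphrase": vol.unlock(key, pw) == vol.master,
           "key only": vol.unlock(key) is not None,
           "passphrase only": vol.unlock(b"", pw) is not None,
           "recovery key only": vol.unlock(recovery) == vol.master}
    vol.set_slot(0, secrets.token_bytes(64), pw)   # re-key slot 0
    out["old key after re-key"] = vol.unlock(key, pw) is not None
    return out
```

In this model the downloaded key file and the recovery key are two independent ways to unwrap the same master key, so each backup needs the same protection as the data itself.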