I would like to build a NAS based on FreeNAS using the ASUS P9DI motherboard, a Xeon CPU and some ECC RAM.
I need the data on the NAS to be encrypted securely, but at the same time I need a convenient way to access them.
Since burglaries happen quite often in my district and data often is the target, I want to keep the NAS turned off when I don't need it.
However, when I decide to watch a movie from my NAS and turn it on via Wake On LAN, I don't want to go downstairs to where the NAS is located to enter the decryption password. I would like to decrypt it remotely and ideally I would just run a bash script on my laptop, phone or tablet that simply asks for the password and takes care of the rest. I was wondering if that can be done reliably and securely.
At first I was thinking about simply setting up some sort of Arduino, ESP8266 or Raspberry Pi and programming it to expose an API to which I can send commands that then get translated into keyboard input and get sent to the NAS via USB. (Doing that would be trivial for me as I have quite a lot of experience with these sorts of microcontrollers.) But I think it wouldn't be very secure unless I would spend a significant amount of time on writing something that can ensure the device has not been touched. The most obvious attack that I would fear in this case would be someone reprogramming the microcontroller and the next one would be someone using a hardware keylogger since both of these attacks would be very trivial and cheap.
Another problem with that idea is that I could only guess when exactly the device can start entering the password. So I would have to add a long delay before entering it which would be annoying because I'd be wasting time unnecessarily.
Then I realized that the motherboard supports some sort of remote management features and now I'm wondering if I could use those features to enter the password remotely from a script. The features are called "ASMB7-iKVM" and "ASWM Enterprise" from what I can tell.
I think that would be much more secure as both of the before mentioned attacks would work against that.
Also: Has anyone done something like that before?
Oh, before I forget, I don't want to discuss how paranoid I am or how likely it would be that someone would try to steal my data.