Encryption idea request

Status
Not open for further replies.

Sol42

Dabbler
Joined
Aug 9, 2014
Messages
22
We all love having the ability to encrypt our data on our FreeNAS so if our NAS is stolen the data is inaccessible without the encryption key. This poses issues though in that you have to type in a password each time the system is rebooted and can leave your system inaccessible on the net if you're away during a power outage. You can store the encryption key so that it always boots and logs in, but then you defeat the purpose of securing your data if your NAS is stolen.

Here's my idea to overcome these limitations and forgive me if someone else has already thought about this. Can the encryption key be stored on a device that can be accessed on your local internet for zvol encryption login? Basically, we could put the encryption key on a shared device that is stored in a different part of the house or even on the internet. FreeNAS when it goes to mount the zvol would search for the encryption key at this location for it to login. If it can not find it, it simply can not mount the zvol and thus your encrypted data will be secure yet still available upon boot up after a power outage.
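
One way the boot-time lookup proposed in this post could be scripted, as an added example that is not part of the original thread and is not FreeNAS's own code. The key is fetched into memory only, and the unlock is skipped if the key cannot be retrieved. It assumes the disks use GELI with a passphrase-less key file of 64 bytes; the key host `keyhost.example`, the provider name and the function names are hypothetical.

```python
import subprocess
import sys
import urllib.error
import urllib.request

KEY_LEN = 64  # assumption: size in bytes of the pool's key file
KEY_URL = "https://keyhost.example/pool.key"  # hypothetical key host
PROVIDER = "gptid/EXAMPLE-PLACEHOLDER"        # placeholder GELI provider


def fetch_key(url, timeout=5.0):
    """Return the key bytes, or None if the key host is unreachable
    or what it returned is not exactly KEY_LEN bytes."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            key = resp.read(KEY_LEN + 1)  # one extra byte exposes oversize
    except (urllib.error.URLError, OSError, ValueError):
        return None
    return key if len(key) == KEY_LEN else None


def unlock_provider(provider, url, run=subprocess.run):
    """Attach the provider with a key held only in memory.

    Fails closed: no key means no attach attempt, so the pool stays locked.
    """
    key = fetch_key(url)
    if key is None:
        return False
    # "-p" = no passphrase component, "-k -" = read the key file from stdin,
    # so the key is never written to the NAS's own disks.
    result = run(["geli", "attach", "-p", "-k", "-", provider], input=key)
    return result.returncode == 0


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else KEY_URL
    provider = sys.argv[2] if len(sys.argv) > 2 else PROVIDER
    if not unlock_provider(provider, url):
        sys.exit("key unavailable or attach failed; pool left locked")
```

The protection rests on the key host being unreachable from wherever a stolen NAS ends up, so it should answer only on the home network and over an authenticated channel.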
 

Letni

Explorer
Joined
Jan 22, 2012
Messages
63
I would be OK putting the encryption key locally (say on your boot /root volume/pool) and having it auto-auth.

Keep in mind that yeah, it may feel nice that your NAS (in its entirety) is somewhat more secure (in case the entire machine was stolen). IMO, the more sensible reason for the Data "At-Rest" encryption is for single drive security. Let's say you have a drive go bad and you replace it (resilver); you don't want the data on the drive (say you RMA it back to the manufacturer) to be able to be forensically recovered (really just fragments of data given ZFS pool striping). IMO you are 50x more likely to be in that scenario than having the machine stolen...
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
I like it!
 