FreeNas Newbie Tackling Encryption


Toadlips

Dabbler
Joined
Jan 29, 2015
Messages
20
Good afternoon everyone,

I'm brand new to FreeNAS, and encryption is an important feature to me, so I've been doing my due diligence and reading up on it. One thing that concerns me is that any time encryption is mentioned in the forums, it seems to be discouraged so I want to make sure that I have my bases covered and understand the risks.

From what I have read, there are 2 main issues:
  1. The user is responsible for backing up their keys -- the user 0 key as well as the per-drive master keys (using geli backup) minimum. As long as I have a backup of the user 0 key and the per-drive keys, I am set with this requirement, correct? From what I understand, the recovery key isn't required if I have the user 0 key and the geli backups. What's the real benefit of a recovery key?
  2. A corruption in the last sector that holds the metadata (per-drive keys) will cause that disk to be unreadable. I believe that the typical scrubbing and inherent file repair of ZFS should help prevent this, but it is still a possibility. Does this have greater ramifications than a typical drive failure? In other words, will the entire pool fail because one of the keys on one of the drives has been corrupted?
The failed drive workflow in the manual seems strange to me with the "rekeying" and all that. In the event that a drive completely failed, would it be possible to take a new drive and apply the geli restore that corresponds to the failed drive to the new drive. Then, put it in place and let it resilver as if it were the old drive with some bad data? Am I coming out of left field on this?

My main concern is whether or not I'm at significant risk using encryption if I have all of the keys backed up safely.

Thanks!
 
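The key-backup and failed-drive questions above come down to two commands, `geli backup` and `geli restore`. The script below is an added example, not code from the thread or from the FreeNAS project: it backs up the GELI metadata of each encrypted provider, records a digest so corruption of the backup file itself is caught before you need it, and refuses to restore a backup that no longer matches its digest. The provider names, the backup directory and the `GELI=...` override (which lets the functions be exercised without real disks) are assumptions; what happens after the restore (attaching the disk and resilvering, or the manual's replace-and-rekey flow) is outside this script.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeNAS project.
# Backs up GELI metadata ("geli backup") for each encrypted provider, records a
# digest so bit-rot in the backup copy is detectable, and restores a verified
# backup onto a replacement provider ("geli restore").
# Assumptions: provider names such as gptid/1111-aaaa and the backup directory
# are hypothetical; GELI=... overrides the geli binary for dry runs; real use
# runs as root on the NAS itself.

GELI="${GELI:-geli}"

# Portable digest: FreeBSD ships sha256, Linux ships sha256sum, POSIX has cksum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else cksum "$1" | cut -d' ' -f1
    fi
}

# Map a provider name such as gptid/1111-aaaa to a safe file name.
backup_name() { printf '%s' "$1" | tr '/' '_'; }

# backup_geli_metadata DIR PROVIDER...  -> DIR/<name>.eli plus DIR/<name>.eli.sum
backup_geli_metadata() {
    dir="$1"; shift
    mkdir -p "$dir" || return 1
    for prov in "$@"; do
        out="$dir/$(backup_name "$prov").eli"
        "$GELI" backup "$prov" "$out" || return 1
        digest "$out" > "$out.sum" || return 1
    done
}

# verify_geli_backups DIR -> 0 only if every backup still matches its digest.
# Run this periodically: a backup you cannot trust is as bad as no backup.
verify_geli_backups() {
    status=0
    for f in "$1"/*.eli; do
        [ -f "$f" ] || continue
        if [ ! -f "$f.sum" ] || [ "$(digest "$f")" != "$(cat "$f.sum")" ]; then
            echo "CORRUPT OR MISSING DIGEST: $f" >&2
            status=1
        fi
    done
    return $status
}

# restore_geli_metadata BACKUP PROVIDER -> writes the saved metadata onto
# PROVIDER (the replacement disk), refusing if the backup fails its digest check.
restore_geli_metadata() {
    bk="$1"; prov="$2"
    [ -f "$bk.sum" ] && [ "$(digest "$bk")" = "$(cat "$bk.sum")" ] || {
        echo "refusing to restore unverified backup: $bk" >&2; return 1; }
    "$GELI" restore -v "$bk" "$prov"
}

# Usage on the NAS (assumed provider names and paths):
#   backup_geli_metadata /mnt/usbkey/geli-backups gptid/1111-aaaa gptid/2222-bbbb
#   verify_geli_backups /mnt/usbkey/geli-backups
#   restore_geli_metadata /mnt/usbkey/geli-backups/gptid_1111-aaaa.eli gptid/3333-cccc
```

The digest files are the part people skip: the thread's worry is a corrupted last sector on the disk, but a metadata backup sitting on a USB stick for two years is exposed to the same failure, and `geli restore` will happily write whatever bytes it is given. Keep the `.eli` and `.sum` pairs together with the pool key file you download from the GUI, on media that is not in the NAS.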

Bidule0hm

Server Electronics Sorcerer
Joined
Aug 5, 2013
Messages
3,710

Toadlips

Dabbler
Joined
Jan 29, 2015
Messages
20

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> Thanks, Bidule0hm. I had not seen that particular thread. Mostly what I got from that thread is that encryption can be finicky, but if you have your keys saved, you'll most likely be able to restore your pool.

Not sure I'd hang my hat on that. But I'm no crypto expert with GELI. There's definitely the chance that some bug will eradicate the data on a drive, so despite having the proper key you could still write nasty unacceptable data.

Just warning that you shouldn't hang your hat on encryption as the solution to all problems, and be respectful of the fact that encryption's job is to keep people out. "People" may refer to *you* someday if something goes sideways. There are plenty of threads and bug tickets that have ended with "sorry, your pool is gone. You'll have to restore from backup" that have been directly attributable to encryption.

I don't recommend encryption:

1. Unless it's required by law. Anything else is just silly as there are plenty of other ways your key could be compromised.
2. You have a second independent backup of the data in case things DO go sideways.
 

willnx

Dabbler
Joined
Aug 11, 2013
Messages
49
Could someone educate me on this; I've never really understood the reason for encrypting a file system (beyond a government mandate).

To me, it seems like it really only prevents someone from physically obtaining a (or many) drive(s) and siphoning data off them by plugging the drive(s) into a new machine.
Maybe I'm lazy, but I would rather try and get the data off the system remotely, instead of pulling an 'Ocean's Eleven' to break into a data center and literally steal the physical drives.

Does encrypting a file system prevent other types of malicious attacks?
 

Tywin

Contributor
Joined
Sep 19, 2014
Messages
163
> Not sure I'd hang my hat on that. But I'm no crypto expert with GELI. There's definitely the chance that some bug will eradicate the data on a drive, so despite having the proper key you could still write nasty unacceptable data.

Is there such a bug in FreeNAS? There should be a ticket filed immediately if there is.

> Just warning that you shouldn't hang your hat on encryption as the solution to all problems, and be respectful of the fact that encryption's job is to keep people out. "People" may refer to *you* someday if something goes sideways. There are plenty of threads and bug tickets that have ended with "sorry, your pool is gone. You'll have to restore from backup" that have been directly attributable to encryption.

Directly attributable to encryption, or directly attributable to the user not managing their keys properly? Proper key management is hard, and a necessary evil if you want to use encryption systems. Encryption systems that just swallow your data on you though? That's an entirely different matter.
 

Toadlips

Dabbler
Joined
Jan 29, 2015
Messages
20
> Could someone educate me on this; I've never really understood the reason for encrypting a file system (beyond a government mandate).
>
> To me, it seems like it really only prevents someone from physically obtaining a (or many) drive(s) and siphoning data off them by plugging the drive(s) into a new machine.
> Maybe I'm lazy, but I would rather try and get the data off the system remotely, instead of pulling an 'Ocean's Eleven' to break into a data center and literally steal the physical drives.
>
> Does encrypting a file system prevent other types of malicious attacks?

Hi willnx, there have been several incidents this past year that have made me seriously reconsider my backup and security strategy for my data.

My primary goal for using the full disk encryption is to protect my data from physical theft. I'd like to think that's a very slim possibility, but you never know. As it happens, this past year my laptop was stolen from my car, which was sitting in my driveway. They broke the window to get in, and, no, I didn't intend to leave my laptop in the car, but you know how that goes. We had just traveled to China to complete an adoption and, believe me, there was a ton of personal information, documents, and photos stored on the hard drive. I had encrypted all of the documents using TrueCrypt before we left and I can't tell you how happy I was that I did that. All of the pictures we took on our trip were also on the hard drive. My wife would have probably killed me if they were gone. Fortunately, we had the original memory cards from the camera as our backup, but that was a close call. We kept 2 copies intentionally while we were on the trip, but I just hadn't gotten around to copying them to a more permanent location. It's scary to think there was a possibility of losing the photos from the adoption of our child.

My wife also contracted the CryptoWall 2.0 virus, which maliciously encrypted 3/4 of the documents on her computer, her iPod (which was connected to the computer at the time), and even the Windows Restore backups that I had on a separate drive. She lost a lot of her stuff, but our most important stuff was on our NAS (pre-FreeNAS). She had write access to the NAS share and CryptoWall was working its way through it, but fortunately I was able to stop it before it got to any important stuff. My only saving grace was that I kept an offline backup of that NAS drive or it would have been ugly -- I only backed up manually every so often to that offline drive, so we still would have lost some stuff. If you're not familiar with CryptoWall, they encrypt the files and try to sell you the key for $500 to start, and then the cost goes up incrementally the longer you delay.

I think criminals are beginning to see that the data is more valuable than the hardware. You may have petty crooks looting homes for gems and PS3s, but it's not going to be long before those petty criminals are sending those hard drives and computers to someone who is looking to use that data to steal your identity, blackmail, whatever. Take a look at the emails that were released by that group that took down Sony.

At any rate, I'd like to do what I can where I can, and even though I'm not a prime target for data theft, I don't want to have to worry about it. If somebody steals my NAS they may have the hardware, but they won't have my data.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> Is there such a bug in FreeNAS? There should be a ticket filed immediately if there is.

No, but that's not to say there won't be one. Encryption has suffered almost every kind of nasty undesirable bug you can think of except that one. So I figure it's coming...

> Directly attributable to encryption, or directly attributable to the user not managing their keys properly? Proper key management is hard, and a necessary evil if you want to use encryption systems. Encryption systems that just swallow your data on you though? That's an entirely different matter.

Mostly users that don't understand what they are getting themselves into. But even those of us that have been around and played with the encryption code before it was in an official build of FreeNAS can attest that it has had major major problems and we've had a few users that lost their pools while swearing up and down they kept their keys managed properly and it *must* be a FreeNAS bug. But if we can't reproduce it we can't fix it. One bug ticket I saw over the weekend was a guy that lost his pool in December. He's still asking for help if anyone can help him and the devs have long since walked away from it citing user-error.

I'm not overly worried about CryptoWall since I do snapshots regularly. If they encrypted the whole system I'd just roll back to a snapshot. Poof. Instant gratification (and saved myself $500+!). (Yes, I literally considered this potential outcome as a reason to setup snapshots on a zpool that doesn't truly need them).

I'm a bit less worried about theft of a NAS than most. Most thieves aren't trained to use Windows very well. What do you think will happen when they power it on and there's no graphical interface on the screen? Haha. They are usually of a very low calibre character and will sell all the hardware separately without any clue what they are doing. And as most IT people are Windows weenies and don't know what ZFS is (nor do they care particularly much), they likely will simply reformat the disk and use it for their data.

Anyway, I'll just say what I said before...

I don't recommend encryption:

1. Unless it's required by law. Anything else is just silly as there are plenty of other ways your key could be compromised.
2. You have a second independent backup of the data in case things DO go sideways.
 

Toadlips

Dabbler
Joined
Jan 29, 2015
Messages
20
Cyberjock, your points are well taken. Encryption is another thing that can go wrong because it adds an additional layer of abstraction to the mix. There is also the last block metadata issue, but I'm still not quite sure how that would be worse than a generic drive failure especially since I have a backup of the per-drive keys. I'm going to err on the side of protecting my data through encryption. I've already resigned myself to the fact that the NAS cannot be my only backup for important documents so I'm just going to consider it another potential mode of failure and maintain regular backups.

Yes, I'm thinking that snapshots should handle the CryptoWall 2.0 issue. That, and I'm going to be restricting share permissions for files that should not need to be changed. If something infects the FreeNAS...well, it's time to hunt for the backups!

Thanks for your time and insights! I do appreciate it!
 