GELI keyfile and stolen NAS

[panz]

Setup: FreeNAS box with disk encryption.

What's going to happen if my FreeNAS box is stolen?

As far as I understand, to init the encrypted HDs, someone needs the Recovery Key (aka the GELI keyfile). Where is it stored? The "bad guy" could have access to it?

 

[cyberjock]

It's stored nowhere except where you download it to. If you lose the recovery key and the key+passphrase your data is done.. for good. The other thread you posted in has your answer...http://forums.freenas.org/threads/encrypt-or-not-encrypt.13008/#post-64595

The USB key and your hard drives do not have anything on them except the "lock". Unless you provide the "key" by uploading it through the GUI the only way is to brute-force the encryption.

So if they steal your box, all your corporate secrets/home pictures/whatever are protected. If they steal your FreeNAS box AND your encryption keys AND know how to use the keys to unlock your FreeNAS box, then they can get to your data. That's why the manual says to safeguard your encryption keys and passwords. I will say that the common thief isn't going to have the knowledge to even figure out how to use your key, even if you had a sign on your USB stick that said "encryption key here".

Now if you're trying to prevent the US government from getting at your data you shouldn't expect that level of protection. There could be bugs with the implementation in FreeNAS or the gov't may be able to brute force crack the encryption and get at your data.

I consider the encryption in FreeNAS to be sufficient to protect my data if my server is stolen or if I have to RMA a hard drive, but that's all.

 

[panz]

I think that my confusion is due to my personal lack of knowledge about GELI. To test FreeNAS in depth, I'm trying to reproduce FreeNAS' encryption sequence on a standard and clean installation of FreeBSD 9.1.

I followed these steps (da3 is the target drive):
1) dd if=/dev/random of=/var/backups/first.key bs=64 count=1
# this sets a new keyfile

2) geli init -s 4096 -P -K /var/backups/first.key /dev/da3
# this is the initial condition (I suppose) when, in FreeNAS, we set the encryption, but no passphrase has been entered yet;

Now I stop at step 2), because I can't match FreeNAS' terminology with geli manpage list of options. The next step should be add password/passphrase, but if I write:

3) geli setkey -n 0 -k /var/backups/first.key /dev/da3
#it overwrites the Master Key with the password/passphrase and doesn't add the passphrase to the keyfile; I'm not using "-n 1" because the next step should be "generate recovery key" which obviously should take place into "slot" (or "keyno", as the man page calls it) # 1 of user's keys (slots available are and 1).

So:

FreeNAS terminology GELI terminology
passphrase passphrase (this is OK)
key keyfile? Master Key? keyfile in slot # 0 with passphrase?
recovery key 2nd keyfile, slot # 1, without password?

 

[panz]

Sorry, bad alignment
(2nd take):

FreeNAS terminology -> GELI terminology
passphrase -> passphrase (this is OK)
key -> [keyfile]? or [Master Key]? or [keyfile in slot # 0 (zero) + passphrase]?
recovery key -> [2nd keyfile, slot # 1, without passphrase]?