How to protect Hardware? How to set a password?

green22

Dabbler
Joined
Apr 18, 2021
Messages
15
Hello,

I use ZFS encryption because I want to protect my data if the server has been stolen.

I just recognized you can boot the hardware with monitor and keyboard and are able to set a new root password without the need to type the old one in first?!

How to deal with this? I don’t want to enter a password on boot, but if someone tries to make changes he should be forced to enter a password.


If there is no way to do that, maybe someone can give me the right keywords for how to use a key file to boot (if possible). The workaround plan is to connect a USB-device with the keyfile to the building, thus robbers would only take the server but not the keys to unlock it.

Thanks

PS: Future plan is to migrate to Scale because of KVM, I am just waiting for the right moment.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I just recognized you can boot the hardware with monitor and keyboard and are able to set a new root password without the need to type the old one in first?!
 
Joined
Oct 22, 2019
Messages
3,641
Trying to understand what you want to achieve.

Is your concern that anyone can access your ZFS encrypted datasets because the keyfile (used to unlock them) is sitting on the boot device, which anyone can easily access?

As for the issue with the "root" password: once someone gets unhindered physical access to your hardware, it belongs to them. Your only protection is "at rest" encryption.
 

ver151set

Dabbler
Joined
Jan 28, 2015
Messages
37
I just use passphrase encryption. Boot it all they want, as soon as it's shut down/moved the datasets are locked until you put in your super secret password.

KVM seems cool I guess, but fwiw I've been using bhyve with no issues for quite some time.
 

ChrisRJ

Wizard
Joined
Oct 23, 2020
Messages
1,919
Adding to what @winnielinnie wrote: If your goal is to ensure that in case of the NAS being stolen, nobody can access your data, your only option is to separate the secret from the NAS. In other words, you either need to provide a passphrase during boot time (the secret is in your head). Or have the keyfile on a USB drive that gets removed from the NAS after boot (the secret is not with the server). Whether the latter approach works in practice, I do not know. Plus if the USB drive is stolen as well, you gained nothing. So if you are really paranoid, I would recommend the passphrase, at least without having more details.
 
Joined
Oct 22, 2019
Messages
3,641
Or have the keyfile on a USB drive that gets removed from the NAS after boot (the secret is not with the server).
Unfortunately, this is not an option when using TrueNAS (the appliance that it is), since it requires the keyfile to be present at boot time to automatically unlock the top-level root dataset, in order to have immediate access to the System Dataset. (It's also the reason why you're prevented from using a passphrase if the System Dataset lives in the data pool.)

A way around this (if you prefer a passphrase) is to place the System Dataset on the boot pool (hopefully not a USB, but rather an SSD/NVMe.)

With "vanilla" ZFS, it's possible to use a custom location for the keyfile; however, with TrueNAS you cannot place the keyfile in a custom location.
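
Added example, not part of any post in this thread: the replies distinguish a key stored with the server from a secret supplied at unlock, and this script sorts each ZFS encryption root into one of those cases from `zfs get` output. The sample listing, dataset names and key path are constructed for illustration.

```shell
#!/bin/sh
# Classify ZFS encryption roots by where their key material comes from.
# Real input would come from:
#   zfs get -H -o name,property,value encryptionroot,keyformat,keylocation
# Output columns: dataset, verdict, keylocation
#   PROMPT      secret is typed at unlock time and is not stored with the server
#   KEYFILE     key is read from a path; it protects against theft only if
#               that path is not on hardware that leaves with the server
#   UNENCRYPTED dataset has no at-rest protection
#   OTHER       any other keylocation value, review by hand
audit_keylocations() {
    awk -F '\t' '
        { prop[$1, $2] = $3
          if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 } }
        END {
            for (i = 1; i <= n; i++) {
                ds   = order[i]
                root = prop[ds, "encryptionroot"]
                loc  = prop[ds, "keylocation"]
                if (root == "-" || prop[ds, "keyformat"] == "none")
                    verdict = "UNENCRYPTED"
                else if (root != ds)
                    continue            # child dataset: key comes from its root
                else if (loc == "prompt")
                    verdict = "PROMPT"
                else if (loc ~ /^file:\/\//)
                    verdict = "KEYFILE"
                else
                    verdict = "OTHER"
                printf "%s\t%s\t%s\n", ds, verdict, loc
            }
        }'
}

# Constructed sample of tab-separated `zfs get -H` output (not from a real system).
sample_zfs_output() {
    printf '%s\t%s\t%s\n' \
        tank         encryptionroot tank \
        tank         keyformat      hex \
        tank         keylocation    file:///example/keys/tank.key \
        tank/media   encryptionroot tank \
        tank/media   keyformat      hex \
        tank/media   keylocation    none \
        tank/private encryptionroot tank/private \
        tank/private keyformat      passphrase \
        tank/private keylocation    prompt \
        tank/scratch encryptionroot - \
        tank/scratch keyformat      none \
        tank/scratch keylocation    none
}

sample_zfs_output | audit_keylocations
```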
 