Is my data safe?

Status
Not open for further replies.

astronaute

Dabbler
Joined
Jun 10, 2011
Messages
13
I cannot find disk encryption settings in FreeNAS 8 that I just installed (raidz), so I would like to know if anyone can access my data if, for example, someone stole my NAS server?

If yes, knowing that I boot from USB drive, if server is stolen without that USB drive, can data be accessed now?

And generally speaking, if you have advice on securing data on NAS so no one can access it without proper password even if the server is stolen, please share it.

Thank you :)
 
Joined
May 27, 2011
Messages
566
yes they can access it just fine for both cases.

it's trivial to import a pool that was not properly removed from a server.

as for security, encrypt all your data at the file level and Never write unencrypted data to your disk. ZFS is Terrible for security as it is a Copy On Write file system, meaning you never overwrite data, when you make changes to a file, a new file is created elsewhere and the old one is dereferenced. if you accidentally write a file with sensitive data on it, deleting it, or doing the traditional wipe with dd will not actually delete your data and you cannot overwrite your slack space because filling up a zfs volume has tragic results.
 

astronaute

Dabbler
Joined
Jun 10, 2011
Messages
13
Alright, I get the whole ZFS write issue.

Is there some easy way to enable volume or virtual volume encryption, maybe through TrueCrypt or some similar software, so in order to access the volume users have to enter password first, or some passphrase stored on USB drive?
 
Joined
May 27, 2011
Messages
566
you could use a truecrypt container easily. but that would be single user. I'm not very knowledgeable with encryption and BSD.

for my encryption needs, i run Solaris Express and use ZFS's encryption.
 

astronaute

Dabbler
Joined
Jun 10, 2011
Messages
13
Okay so no way to encrypt data easily, guess I'll have to wait for FreeNAS 8.1 unless someone suggests some other solution :)
 

SoftDux-Rudi

Contributor
Joined
Jun 2, 2011
Messages
108
I'm looking for a way to encrypt all data on a FreeNAS NAS as well, but preferably system-wide. I've honestly never used this kind of encryption, only TrueCrypt - but it's a real pain in the neck to use over LAN on the SAN. It's slow, and only workable for one user.

So if anyone has some idea of how I can encrypt all the data of the NAS's drives, which are set up with ZFS RAIDZ, and shared via iSCSI, as well as NFS & SMB (I have different types of OSes connected to the NAS) then please share some thoughts. Ideally it should be something where once the NAS is booted up, someone has to either type in a password to decrypt the data for that session - i.e. it should be decrypted for as long as the FreeNAS is on, but once it reboots or loses power it should be encrypted.
 

cbray

Explorer
Joined
Jun 16, 2011
Messages
68
security vs. $$$, time and effort...

Please remember that any 'lock' that a man can make, another man will be able to unlock. Securing data is like securing your home. How well it keeps burglars out has a direct correlation to how much money (or effort, time or hardware) you put in to it.
On my first day of computer class the teacher said these words: "Anything you can imagine can be done with a computer, given enough money, time and effort." I am constantly reminded of that phrase when I enter my office and see the 25" High-Def Flat screens. In 1978 we were hoping they would make displays larger than 9" that we could afford someday(in '82 or '83 a 12" green phosphorus monitor sold for $500). And color displays were just a dream that we could not afford as students.

"Anything you can imagine can be done with a computer, given enough money, time and effort."

Someday even a blow job will be done with a computer. In 30, 50 or 100 years that will become reality. Although probably no one will admit they are working on the project, S E X still drives a lot of innovation of the internet, because they make the money to afford it.

So my experience tells me that no data will ever be "bullet proof" secure. I have seen so many times, examples of software locks, encryption, copy protection and so many other 'security measures' being defeated by people "just because".... The FBI (and other government agencies with 3 letter names) can read hard disk platters that were broken in half. They can actually read the disk with an electron microscope and can see if the iron oxide indicates a 0 or 1.

It will always go back to how much time, money and effort are you willing to put into the process to "lock it up" ?

CB
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
As for the electron microscope comment, very true. I have some photos of volatile memory that were tested to ensure complete erasure and they failed. It's a military project where there was to be no trace using current technology. Of course we got what we needed, it only had to be designed first but with $$$ comes the breakthrough. But breaking a password could take a very long time even with current tools of today like distributed processing. Just keep your password up to government standards and the data should be safe for a long time.

As for encryption of a NAS, you would always need to enter a password when you powered it up at a minimum or it wouldn't be very secure.

And I do remember TTY screens actually being a piece of paper but eventually got to see screens being 9" and yea, green.
 
Joined
May 27, 2011
Messages
566
encryption is a time game. all encryption (except a one time pad) is breakable given enough time. the point of encryption is to make the data irrelevant by the time it's cracked. my super secret stock tip i sent you is only valid for a few days. my insider trading tip that has jail time and a statute of limitations of 5 years is valid for at least 5 years. the murder confession, you'd better make that secure.
 

cbray

Explorer
Joined
Jun 16, 2011
Messages
68
Tty

Darn Joe,
I forgot about the days of 'downloading' pictures and programs via HAM radio...
Snoopy pic made all of characters to TTY/serial printer. We thought that was 'kewl'
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Darn Joe,
I forgot about the days of 'downloading' pictures and programs via HAM radio...
Snoopy pic made all of characters to TTY/serial printer. We thought that was 'kewl'

And if you wanted a digital readout you bought Nixie tubes. Those were the days!
 