KMIP for the people?

dffvb

So I have three interests: 1. Saving power and shutting down my machine at night, 2. being protected against the results that can occur from physical theft of my box (e.g. identity theft), and 3. having an automatic unlock when the machine boots from a secured machine (LUKS encrypted initramfs and Kensington lock).
As it looks to me, there is currently no way with TrueNAS Scale to achieve these three goals? I could unlock them manually upon each boot, but KMIP is only for enterprise, correct? Are there other ways of accomplishing this? Maybe there is a way for iXsystems to enable it in the community edition but limited so that enterprise users would still have to buy enterprise?
 

rivimey

I am no expert, just another user, but:

A basic tenet of computer security used to be that unless you have physical security you have no security at all - in other words, with physical access to the system virtually all things are possible. Recently efficient whole disk encryption has made it possible to lose the physical machine without (necessarily) exposing its contents. However, that is only the case if the encryption key is not available to the physical hardware - so you need to key it in on every reboot or startup, or something equivalent.

If you e.g. use a key stored in an in-case TPM device, all it means is your attacker needs the motherboard as well as the drives, which is the likely situation for a theft anyway. Using another device (perhaps a USB keystore) and making it likely an attacker will disconnect it when grabbing the system (e.g. by putting it at the end of a long USB extension cord) could work. And yes, a network-based server holding the keys could also work - perhaps using network-boot/PXE to get an initial environment started which then boots the system with the correct keys. Another caveat is that with sufficient time, money and interest most encryption schemes can be broken: the best you can ever do is make it *really* expensive.

Saving power by switching the machine off is going to make the system harder to use. What you can do (probably) is to put it into a low-power state (sleep mode) such that the hardware is still alive, and so won't need re-entry of the keys. Using a sleep mode you should be able to reduce power by 50%, perhaps more, but it will depend on the hardware used and whether your sleep requests can get to all the hardware (some, e.g. USB interfaces, put roadblocks in the way). Don't confuse sleep mode with hibernate - usually hibernate would require the keys again because the CPU needs to recover the system RAM image from disk, and the disk is encrypted (and putting the hibernate image on unencrypted disk is no solution).

If your device is indeed stolen you will need a backup, and of course all the same security concerns need to apply there. I use LTO tape drives, which secondhand are cheap for the LTO4/5 series, so you could contemplate relying on tape or perhaps removable disk backups to another site (don't only focus on theft: fire/flood happen too).

HTH.
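
The network key server idea from the reply above, as an added example that is not part of the original posts and not TrueNAS's own mechanism: at boot the NAS asks a separate host for the dataset passphrase and pipes it to `zfs load-key`, so the key never rests on the NAS disks. The host name, account, dataset name and the key host answering through an SSH forced command are assumptions; it targets plain OpenZFS with `keyformat=passphrase`.

```shell
#!/bin/sh
# Added example. Every name below is an assumption, not a TrueNAS default.
KEY_HOST="${KEY_HOST:-keyhost.lan.example}"   # hypothetical key server on the LAN
KEY_USER="${KEY_USER:-unlock}"                # hypothetical restricted account
DATASET="${DATASET:-tank/secure}"             # hypothetical encrypted dataset

# Print the dataset's key status: "available" or "unavailable".
key_status() {
    zfs get -H -o value keystatus "$1"
}

# Ask the key host for the passphrase of dataset $1 and print it on stdout.
# BatchMode stops a password prompt from hanging the boot; strict host key
# checking makes the request fail if something else answers as the key host.
fetch_key() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes \
        "$KEY_USER@$KEY_HOST" "$1"
}

# Unlock dataset $1. Returns 0 if the key is loaded (or already was),
# 1 if no key could be fetched, 2 if ZFS rejected the key.
unlock_dataset() {
    ds="$1"
    if [ "$(key_status "$ds")" = "available" ]; then
        return 0
    fi
    key="$(fetch_key "$ds")" || return 1
    [ -n "$key" ] || return 1
    # With -L prompt and a non-terminal stdin, zfs reads the passphrase from stdin.
    printf '%s\n' "$key" | zfs load-key -L prompt "$ds"; rc=$?
    unset key
    [ "$rc" -eq 0 ] || return 2
    return 0
}

# Run only when asked, e.g. from a boot-time unit: UNLOCK_NOW=1 sh unlock.sh
if [ "${UNLOCK_NOW:-0}" = 1 ]; then
    unlock_dataset "$DATASET" && zfs mount "$DATASET"
fi
```

The NAS still holds the SSH identity it uses to ask for the key, so the protection comes from the key host being unreachable once the box leaves your network. If the NAS is stolen, remove that identity from the key host.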