NAS - a question about encryption and hardware

ipek33

Cadet
Joined
Apr 13, 2020
Messages
3
Hello,

I want to create my first home NAS. At the moment I have an old computer that serves as a desktop and SMB / DLNA server for other home devices.
Now I want to mainly use a laptop and iPad and create a comfortable server without a monitor on the desktop.

I use OpenSUSE because it has been a great system for me to reconcile desktop and server, but unfortunately it doesn't offer remote support.
I installed FreeNAS first in Virtualbox, then on an SD card but the BSD philosophy is completely foreign to me and English is not my native language.

At OpenSUSE I use a rather unusual configuration:
- some resources are available on the network via SMB / DLNA
- some resources are encrypted, mounted on demand and available via SMB.
Encrypting partitions in dm-crypt allows me to boot into live USB and mount all resources when needed (system failure).

I have a question if I can achieve similar functionality using FreeNAS:
- disk protection by encryption
- limited access for different users to different resources (user folders, archive with read and write rights)
- limited access to some resources (read) as in DLNA
- the ability to access data in the event of a system failure.

1) I know it is possible to encrypt drives in FreeNAS but does it work like dm-crypt in Linux?

At the moment I have 2 disks in the computer:
- 2.5" HDD 500 GB (system, some data)
- 3.5" HDD 1 TB (other data)

Under FreeNAS I want to use:
- used 2.5" SSD 32GB disk
- I don't have enough space for data, I want to buy 2 x 3.5" HDD 2 TB (RAID 1)

2) Will RAID1 for data be a good idea?
3) Is it better to use an SD card in the USB 3 slot (or even two cards - RAID 1 per system) instead of the old SSD?

I am sorry if I asked naive questions but FreeNAS is a difficult problem for me.

Greetings!
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
1) I know it is possible to encrypt drives in FreeNAS but does it work like dm-crypt in Linux?
I don't know dm-crypt, so you'll have to tell me: https://www.ixsystems.com/documentation/freenas/11.3-U2/storage.html#managing-encrypted-pools

2) Will RAID1 for data be a good idea?
Depends on what you're looking for... I can assume a balance of capacity and performance together with redundancy... it will be fine for a 2-disk setup.

3) Is it better to use an SD card in the USB 3 slot (or even two cards - RAID 1 per system) instead of the old SSD?
You will probably be happier in the long run with SSD as your boot drive (sector sparing is handled the best on those).

- disk protection by encryption
Yes, can be done as part of pool encryption process. It's tricky, so be careful you understand it well and keep safe copies of all keys.

- limited access for different users to different resources (user folders, archive with read and write rights)
Same permissions model as Linux with SAMBA ACL processing on top for shares.

- limited access to some resources (read) as in DLNA
There are a few plugins to do this (EMBY and Plex, for example).

- the ability to access data in the event of a system failure.
As long as you haven't lost encryption keys and your disks are in good health, your data is accessible on any system you boot FreeNAS on (either using the config file backup or even by importing the ZFS pool(s) on another system).
 

ipek33



Thank you very much for your answer!
I've seen this description before, I compared these systems on Wikipedia (dm-crypt and geli) but it doesn't tell me anything, unfortunately. I will try to explain it. The point is that the disk / partition is encrypted and will mount after entering the password (there is also the option of automatic mounting when e.g. the user's login password is the same as for decryption - that's how I mount the partition in the /user/ipek directory). I can also run another Linux with live USB and mount encrypted partitions after entering the password. In this way, the data is secure because it is encrypted but available in the event of a system failure.


Depends on what you're looking for... I can assume a balance of capacity and performance together with redundancy... it will be fine for a 2-disk setup.

I want to have a few years of peace that I can put all the pictures and be safe; I care about photo safety the most, less on movies or music, and he would use a second disk to backup photos.

You will probably be happier in the long-run with SSD as your boot drive (sector sparing is handled the best on those).

Ok, but this is not a new disk. Would it make sense to install the system on an SD card, then put it in a drawer and install the system on an SSD and in the event of an SSD failure to use the system with SD for emergency access to data? Or some option with live USB as in Linux?

As long as you haven't lost encryption keys and your disks are in good health, your data is accessible on any system you boot FreeNAS on (either using the config file backup or even by importing the ZFS pool(s) on another system).

I understand that the key to the encrypted disk is saved on the system, so a copy of the system or configuration file is important. However, I can (if I have understood correctly) use a password and not a key and then it should work as in Linux?

Once again, thank you and best regards
 

sretalla

Would it make sense to install the system on an SD card, then put it in a drawer
No. As an Appliance OS, FreeNAS doesn't really benefit from being installed and not run... just make sure your config is saved and you can make a new FreeNAS install any time from the website.
Or some option with live USB as in Linux?
FreeNAS is some kind of live install already... there is no customization made to the install for the hardware, so that boot drive can be used in any system (that will run FreeNAS) at any time.
I can (if I have understood correctly) use a password and not a key and then it should work as in Linux?
Be careful with that assumption... recovery keys and passwords are not mutually exclusive... I think keys are always required and passwords are an optional additional layer.
 

ipek33

Thank you so much for your comprehensive explanation. I think I tackled too many threads at once. I just want to explain one more thing. These are two different ways to protect yourself against system failure. The first is disk backup with the system. I did not quite mean it because I wrote about a backup installation that could be connected in the event of a system disk failure. As if a backup of the original installation. But that doesn't make sense if this system didn't contain configuration files, including encryption keys, right?

Therefore, one should go towards a regular system backup from time to time.
The second option is the live system, something like NomadBSD - let's assume my boot disk has been damaged. In the case of Linux, I take USB with live distribution, boot the system and have access to disks, even encrypted ones. In the case of FreeNAS, it will not be possible to read encrypted disks from e.g. NomadBSD if the keys were used for encryption and I do not have them saved. Because that's what data security is all about :)

That is why I was thinking about additional system installation on the SD card and using it in case of SSD boot disk failure. But I would also need keys here.

Thanks again for your time. I wanted to get some answers before installing FreeNAS and encrypting my data with myself;)
Greetings!
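
The recovery path discussed in this thread, as an added example that is not part of the original posts: a dry-run sh script that prints the commands for unlocking GELI-encrypted pool members from a rescue FreeBSD-based system and importing the pool read-only. The key file path, provider names and pool name are constructed placeholders, and it assumes the pool uses a GELI key file with an optional passphrase on top, as the moderator's reply describes.

```shell
#!/bin/sh
# Added example: dry-run plan for recovering a GELI-encrypted ZFS pool
# from a rescue system. All paths, devices and the pool name are
# constructed placeholders; nothing is executed unless DRY_RUN=0.
# Usage: recovery_plan /path/to/pool.key no tank /dev/gptid/<id> ...

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode; otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# recovery_plan KEYFILE USE_PASSPHRASE POOL PROVIDER...
# USE_PASSPHRASE: "yes" if a passphrase was set on top of the key file.
recovery_plan() {
    keyfile="$1"; use_pass="$2"; pool="$3"
    shift 3

    # Without the key file the providers cannot be attached at all:
    # fail early rather than prompt for a passphrase that cannot help.
    if [ ! -s "$keyfile" ]; then
        echo "missing or empty key file: $keyfile" >&2
        return 1
    fi
    if [ "$#" -eq 0 ]; then
        echo "no providers given" >&2
        return 1
    fi

    for prov in "$@"; do
        if [ "$use_pass" = "yes" ]; then
            # geli prompts for the passphrase in addition to the key file.
            run geli attach -k "$keyfile" "$prov"
        else
            # -p: the key has no passphrase component.
            run geli attach -p -k "$keyfile" "$prov"
        fi
    done

    # Decrypted devices appear as <provider>.eli; import read-only under
    # an alternate root so the rescue system does not modify the pool.
    run zpool import -o readonly=on -R /mnt "$pool"
}
```

Reviewing the printed plan first, then rerunning with DRY_RUN=0 on the rescue system, keeps the key-file check in front of any attach attempt.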
 