Steal-safe encryption on FreeNAS drives

Vadasd

I am looking for a way to encrypt my drives so they can only be mounted if I manually type in a password. The encryption methods supported by FreeNAS only work if the drive is removed from the server, but not if the server is stolen with the drives since it automatically decrypts the drives. If I am not mistaken, this means if the server gets stolen, the encryption key is on an unencrypted disk (where the OS is installed) which means that my encrypted data is readable to the criminals by simply getting the key file from the OS disk then importing the encrypted drives with that key to another FreeNAS server.

I have some sensitive data about my clients and I must make sure that even if my server gets stolen, the data will not be readable to third parties.

Is there a solution to make this work, or is FreeNAS not suitable for this task?
 

HoneyBadger

Administrator
Moderator
iXsystems
The encryption methods supported by FreeNAS only work if the drive is removed from the server, but not if the server is stolen with the drives since it automatically decrypts the drives.

This is only one method of "encryption", which is more suited to ensuring data is not recoverable when drives are shipped for RMA.

For others that will satisfy your requirements, please see the documentation under "Managing Encrypted Volumes".

You can opt to require a passphrase on boot, or additionally store the keys externally from the FreeNAS system.

Please note that when using encryption, backups become even more important. There is no "backdoor" if you forget your passphrase or lose your keyfile.
 

Vadasd

Thanks for the reply! I am using FreeNAS 11.3 RC1 (I know, I know... it is not a stable version, but since I am only testing FreeNAS for now, it won't be a problem for me), so I looked up the documentation for that version, which says:
"Encryption operations are seen by clicking (Encryption Options) for the encrypted pool in Storage ➞ Pools. These options are available: Lock, Unlock, Encryption Key/Passphrase"
None of these options show up (reset keys and recover keys are the only two options under the lock icon).
What am I missing (yes, I did check the encrypt checkbox when creating the pools)?
 

HoneyBadger

Administrator
Moderator
iXsystems
Honestly, I've yet to use 11.3, so there might be something missing or vastly different in the UI here; but you should be able to change the key storage/passphrase behavior, since that's just a matter of the lock/unlock process and doesn't require changing anything on the pool or GELI settings itself. Sorry I can't help more here.
 

HolyK

Moderator
this means if the server gets stolen, the encryption key is on an unencrypted disk (where the OS is installed) which means that my encrypted data is readable to the criminals by simply getting the key file from the OS disk then importing the encrypted drives with that key to another FreeNAS server

Add a passphrase and you're safe. If there is a passphrase set on your pool, you need both the encryption key AND the passphrase in order to unlock the pool. So if someone steals your disks or your whole server, they will not be able to unlock the pool unless they know the passphrase.

In theory, the only way they could really steal your NAS and read the data would be if they stole the whole server together with the connected UPS (!!). Then they would have to run away with both things connected together (imagine that for a second ... lol :D) and manage to connect the UPS back to a power source before it runs out of juice, then connect a monitor and other things to read the data.
To make this even harder, set auto-shutdown of your NAS in case the UPS is on battery for more than #min (like 1 or 2 mins). In that case the ninjas would have to bring their own UPS, disconnect your UPS from the power source and connect it to their UPS. Then they would have to run away with all three things hooked together. If you tangle the cable between server and server a bit, then they might need to steal the whole rack OR cut it into pieces... Another way would be if they connect a monitor and keyboard to the server hoping for an open root shell in order to disable the auto-shutdown due to power disconnect from the UPS. That you can mitigate by locking the root shell via lock -n (-n = no timeout). Actually you should do that anyway if you think someone coul

Soooo, yea, ... please share the security footage of a bunch of guys trying to sniff the octopus from your home :D
 

HoneyBadger

Administrator
Moderator
iXsystems
In that case the ninjas would have to bring their own UPS, disconnect your UPS from power source and connect it to their UPS.
It's not worth the risk of the OS being configured for immediate shutdown on power loss and losing our chance at a live system capture; we'll bring a plug-capture-device and wire piercers just in case.

But at that point you're dealing with Alphabet Agencies and not your average smash-and-grab.
 

HolyK

Moderator
@HoneyBadger Hah, yea, it depends on your paranoia level and the content you're trying to "secure". If the "client data" are, let's say, "not-so-legal" to the level that certain agencies will want to seize your server, then you have more things to worry about than the NAS itself. I assume at that point you wouldn't even have that server at your home. A simple "evil maid" HW keylogger would capture the passphrase unnoticed.

BTW: The delayed system shutdown is OK to bypass short power outages. So if the power goes down for a few secs, the clock starts ticking, and if it is resumed before <insert value> then the system keeps running. Otherwise a clean shutdown is initiated before the UPS runs out of power. Without the "delay" you would end up with the system offline every time this happens. So the question is how often this is happening at your location.
 