ZVol Encryption key offsite storage / Web check-in

Status
Not open for further replies.

Sol42 (Dabbler, joined Aug 9, 2014, 22 messages)
One of the worst things to happen to a business or even a home user is to have their data stolen. As it stands, if someone were to steal a FreeNAS box, the perpetrator could gain access to the data if it had been set up to store the encryption key on the server. Sure, you can make it password protected, but then that defeats the ability for the box to come up after a power loss.

The solution I can see to cover this area would be the ability for the FreeNAS unit to sftp into a website, log the IP address it is reporting from (i.e., it might require using an outside source to see the internet IP) and then access the encryption key in order to open the ZVol.

Does this sound feasible and a possible good idea? It's similar to what 'Lookout', 'Where's My Android', and Apple do for cell phones in case of loss / theft.
cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages)
Sure, that would work. That's far beyond what the intent of the encryption on FreeNAS is designed to do. The only thing the encryption on FreeNAS is designed to do is prevent someone from obtaining the disks and recovering data from them. That's about it.

Anything else is far beyond the scope of what the encryption is designed to do. You could probably code something up using the FreeNAS APIs, but that's about it. I doubt that your idea would be accepted if you put in for it, but you are welcome to try.
jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
So what you're proposing is that it should retrieve the key by default from remote. So when that bad guy steals your NAS and manages to hook it up and get it booted before you realize it has been stolen, or before you can get into the sftp server to remove the password, it'll cheerfully boot up for him and give him access.

Fail.
Sol42 (Dabbler, joined Aug 9, 2014, 22 messages)
No Mr. Grinch,

You miss the point! More than likely you'll know that your equipment was stolen! Hopefully by that time you've moved the key off the remote site. If you really want to get technical about it, you can also limit the remote site connectivity by your home or business web address!

Success!
jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
You'd be better off designing a system that required an administrator to intervene. Encryption as currently implemented is intended to prevent recovery of data off the system under specific circumstances, such as after a reboot (could be someone trying to break in, or theft) or data being left on disks (think about RMA'ing a failed disk).

Automatically retrieving an unlock key without explicit administrator approval effectively reduces the protection level and offers an attacker more paths to bypass the protection. That means that one must carefully consider the conditions under which this might happen and determine whether or not the tradeoff is acceptable. The use of "hopefully" conditions such as

Hopefully by that time you've moved the key off the remote site.

is not a particularly reassuring sign of a well-thought-out security plan. I think I don't miss the point at all. And you did ask for comments.
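The two designs argued in this thread, as an added example that is not code from the thread or from FreeNAS: a toy escrow-server policy that models automatic key release gated only on the reported source address versus release that also requires explicit administrator approval. The IP addresses, nonces and the "theft window" scenarios are constructed for illustration.

```python
"""Toy key-release policy for an escrowed pool key (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class EscrowServer:
    allowed_ips: set                 # site addresses the NAS may report from
    require_admin_approval: bool     # the design jgreco argues for
    key_present: bool = True         # owner may pull the key after a theft
    approved_nonces: set = field(default_factory=set)

    def approve(self, nonce: str) -> None:
        """Out-of-band admin action approving one specific boot attempt."""
        self.approved_nonces.add(nonce)

    def revoke_key(self) -> None:
        """Owner's reaction to a theft: remove the key from the escrow site."""
        self.key_present = False

    def release(self, source_ip: str, nonce: str) -> str:
        """Decide whether to hand the pool key to a booting NAS."""
        if not self.key_present:
            return "denied: key revoked"
        if source_ip not in self.allowed_ips:
            return "denied: unexpected source address"
        if self.require_admin_approval and nonce not in self.approved_nonces:
            return "denied: awaiting admin approval"
        return "released"


SITE_IP = "203.0.113.10"   # constructed public address of the owner's site


def theft_window(require_approval: bool) -> str:
    """Stolen NAS booted on the owner's own network before anyone notices:
    the IP check passes, so only the approval gate can withhold the key."""
    srv = EscrowServer({SITE_IP}, require_approval)
    return srv.release(SITE_IP, nonce="boot-1")


def theft_offsite() -> str:
    """Stolen NAS booted elsewhere: the address check alone stops it."""
    srv = EscrowServer({SITE_IP}, require_admin_approval=False)
    return srv.release("198.51.100.7", nonce="boot-2")


def owner_reacted() -> str:
    """Owner pulled the key from the escrow site after noticing the theft."""
    srv = EscrowServer({SITE_IP}, require_admin_approval=False)
    srv.revoke_key()
    return srv.release(SITE_IP, nonce="boot-3")


def approved_reboot() -> str:
    """Legitimate power-loss recovery under the approval design."""
    srv = EscrowServer({SITE_IP}, require_admin_approval=True)
    srv.approve("boot-4")
    return srv.release(SITE_IP, nonce="boot-4")
```

Running `theft_window(False)` shows the gap the thread is about: the automatic design releases the key until the owner has noticed and revoked it, whereas `theft_window(True)` withholds it regardless of timing.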