Adding encryption

[glotzer]

Hello all together,
not long ago i built my FreeNAS box and its working great so far. The only problem i have with it, is that i didn't create an encrypted zfs-volume, but an unencrypted. I used the box a lot since then, including jails and plugins.
Not i want to use encryption and i am thinking about how to do this the easiest way.

Right now around 2tb are used.

So far my idea is:

1. Add 2x 3tb external USB disk (either find a way to borrow them or buy them for amazon to send them back after... i know that is not nice but i see no other way, i am not rich enought to simply buy them to keep)
   
2. creating a mirrored ZFS pool over both of them.
3. using zfs send to copy my pool over
4. making a backup of my config with the gui
5. making a fresh usb stick
6. recreate my pool but with encryption this time
7. backup the keys, test the encryption etc
8. copy back my pool with zfs send
9. load the config back by the gui
10. reimport my encrypted pool using the backed up keys
11. overwrite the external disks with /dev/random

I wonder if thats going to work or if i missed something

Thanks a lot in advance.

 

[Yatti420]

I believe you will have to recreate the pool with encryption enabled.. I wuld offload all data and recreate just to be safe..

 

[joeschmuck]

My advice is to read all the encryption issues people have had and taking note on when a drive fails how things can go terribly wrong very quickly. There is also metadata you didn't mention which is not automatically saved, it's a very manual operation but maybe you already know about it but it is required if you do need to replace an encrypted drive. Once you replace the drive you MUST let it resilver before doing anything else and there is more about writing new keys which MUST be done before rebooting to get all the drives on the same page or your data is toast.

What I'm saying is, if you don't need encryption, don't use it. If you need it or want to play with it then just be sure you understand what it take to replace a failed hard drive.

 

[glotzer]

Thanks for the answeres!

Im not 100% sure what way of encryption i will go, actualy i see 2 options:

• using the GUI and encrypting the whole pool
• using a jail wich mounts encrypted homes via a script into a share (ssh and setuid), the pw would need to be supplied client side and the home is automatily unmounted after x hours.

I would prefere the 2nd way, but im unsure about data leaking into unencrypted sections as well as if it works to mount stuff from inside a jail into a share.
The reason i want encryption is simply: there are private and sensetive information stored on the NAS that i do not want to leak under any circumstances. Right now they are stored in shared TrueCrypt containers, but thats not realy good to manage.

Is the 2nd way posible? I know that i will loss some stuff from ZFS (clones and snapshoots mainly) but i do not realy need those. What i need is my data to be save, and by save i mean save from others and save on the disk.

I thought about using an encrypted TrueCrypt Container mounted inside a jail and creating another ZFS pool on this encrypted file wich itself is in the FreeNas ZFS Pool, i personaly think that would work well but i wonder what you think.

Anybody got some ideas here?

 

[Yatti420]

I would stick with truecrypt if you understand it and simply mount the file/container when necessary..

I thought about using an encrypted TrueCrypt Container mounted inside a jail and creating another ZFS pool on this encrypted file wich itself is in the FreeNas ZFS Pool, i personaly think that would work well but i wonder what you think.

Not 100% what you mean by this.. If you already have an encrypted container then there is nothing to worry about.. You clients should be able to mount that container on their pcs with no issue.. If you mean placing a zfs pool within that encrypted container I wouldn't do it..

 

[glotzer]

I do want to handle the wohle encryption server side not on clients. Means clients tell the server to mount the container (over ssh) and then accsess it as share. Just wondering if thats save, especialy i wonder if FreeNas does any unencrypted caching and if snapshots include filesystems mounted inside of zfs pools