Cloud credentials security

Wania

Cadet
Joined
Feb 14, 2019
Messages
3
Are saved cloud provider logins/encryption passwords (System -> Cloud Credentials) protected in any way, or are they stored in plaintext in the configuration?
 
dlavigne

Guest
From https://www.ixsystems.com/documentation/freenas/11.2/system.html#general:

There are two types of passwords. User account passwords for the base operating system are stored as hashed values, do not need to be encrypted to be secure, and are saved in the system configuration backup. Other passwords, like iSCSI CHAP passwords, Active Directory bind credentials, and cloud credentials are stored in an encrypted form to prevent them from being visible as plain text in the saved system configuration.
 

Wania

My cloud sync tasks appear to be working without any prompt after reboot. Is it possible to somehow password-protect them, so that FreeNAS is unable to automatically use them?

I'm mostly concerned about protecting data in case of theft - even if all HDDs, as well as remote cloud storage data, are encrypted, if an attacker can easily obtain a copy of the data and encryption keys from those settings, it kind of defeats the purpose. How can I prevent this?
 
dlavigne

Guest
I'm pretty sure you would need to use the API or rclone directly to only pass the creds for that session.
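
One way the "rclone directly, creds only for that session" approach can look, as an added example that is not part of the original posts and is not FreeNAS code. It assumes rclone is run by hand outside the cloud sync scheduler, that the rclone config was already encrypted with rclone's own configuration password, and that the config path and remote names are hypothetical:

```shell
#!/usr/bin/env bash
# Added example: run one rclone sync with the config passphrase supplied
# only for that invocation. Paths and remote names are hypothetical.

# Assumed location of an rclone config encrypted via `rclone config`.
RCLONE_CONF="${RCLONE_CONF:-$HOME/.config/rclone/rclone.conf}"

# An encrypted rclone config carries an RCLONE_ENCRYPT_V0: marker near the
# top; a plaintext one starts with an INI section such as [remote].
config_is_encrypted() {
    [ -r "$1" ] && head -n 5 "$1" | grep -q '^RCLONE_ENCRYPT_V0:'
}

# session_sync SRC DST
# Refuses to run against a plaintext config, reads the passphrase from the
# terminal (or stdin when not interactive), and hands it to rclone through
# RCLONE_CONFIG_PASS for this one command only.
session_sync() {
    local src="$1" dst="$2" pass rc
    config_is_encrypted "$RCLONE_CONF" || {
        echo "refusing to run: $RCLONE_CONF is not encrypted" >&2
        return 2
    }
    if [ -t 0 ]; then
        read -r -s -p "rclone config passphrase: " pass
        echo >&2
    else
        IFS= read -r pass
    fi
    [ -n "$pass" ] || { echo "empty passphrase" >&2; return 2; }
    # The assignment is scoped to the rclone process: it is not exported
    # into the calling shell and nothing is written to disk.
    rc=0
    RCLONE_CONFIG_PASS="$pass" rclone --config "$RCLONE_CONF" sync "$src" "$dst" || rc=$?
    unset pass
    return "$rc"
}

# Usage (hypothetical dataset and remote):
#   session_sync /mnt/tank/data offsite:backup
```

After a reboot nothing can decrypt the config until someone types the passphrase, so a stolen unit holds only the encrypted config file.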
 

Wania

Why not just encrypt and password-protect the file containing those cloud credentials and cloud sync passwords, and pause all tasks requiring it until it's been "unlocked" after reboot - similar to how "locked" encrypted datasets are currently handled?

Should I submit it as an issue in Redmine, since it seems to me that the current implementation makes all encryption functionality effectively useless when it comes to securing data in case of physical theft of the whole NAS unit?
 
dlavigne

Guest
If you decide to create a feature request, post the issue number here.
 
Joined
Aug 4, 2022
Messages
10
Any update on this? I have the same concern. If cloud creds are encrypted with a local, unencrypted key, that's not good for me.
 