Drive encryption without passphrase, is it ok?

Status
Not open for further replies.

f4242

Explorer
Joined
Mar 16, 2017
Messages
97
Hello,

I would like to protect the data stored on the drives in case I have to RMA them. I'm not trying to protect against theft of the NAS. So I'm thinking about using drive encryption without a passphrase (so the drive will mount automatically at boot).

So I read the doc. I understand the importance of keeping a copy of the encryption key and of the recovery key in a safe location. Everything seemed good until I read the section about encrypted drive replacement.

The documentation says to make sure a passphrase has been set. Why? Is it important only for the replacement procedure (so I could just set a temporary passphrase before the drive replacement and remove it afterward), or is this a general recommendation against using drive encryption without a passphrase?

Thank you!
 

wblock

Documentation Engineer
Joined
Nov 14, 2014
Messages
1,506
A key is a bunch of semi-random characters which pretty much has to be kept as a file. Although I guess you could print it out. A passphrase can be something rememberable.
 

f4242

Explorer
Joined
Mar 16, 2017
Messages
97
Hello,

> A key is a bunch of semi-random characters which pretty much has to be kept as a file. Although I guess you could print it out. A passphrase can be something rememberable.

Yes, I understand the difference between a key and a passphrase. The key would be stored at a safe location (like in a KeePass database). No passphrase would be used because I want the volume to mount automatically after a reboot.

> We just revamped that section yesterday (the commit is here: https://github.com/freenas/freenas-docs/commit/709e651d33aecaadeaf3160e632bedf8e9650cb1). A passphrase is optional, but useful if you don't have the key.

The section "Replacing an Encrypted Drive" still warns the user about using a passphrase before replacing a drive. If my understanding is correct, maybe it should say something like "Make sure that a passphrase has been set (...) or you have a backup of the current encryption key before attempting to replace the failed drive".

So if my understanding is right, a short summary of encrypted drive replacement without a passphrase would be:
  • Download a backup of the encryption key
  • Take the disk to be removed offline with the GUI
  • Physically swap the hard drives
  • Replace the disk in the pool
  • Rekey the volume
  • Add a new recovery key
  • Download the new encryption key as the new backup

Thank you.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Seems correct to me. Did you test it? Best to actually try it for practice and reassurance that it works.
 

f4242

Explorer
Joined
Mar 16, 2017
Messages
97
Yes, I tested this method with a test VM and this seems to work fine.
 

jp83

Dabbler
Joined
Mar 31, 2017
Messages
23
I have the same interest in encryption and also don't have a passphrase. The documentation still spells out the steps with a passphrase, but I'm trying to clarify what's required otherwise. In particular when expanding (adding a mirror) do I need to rekey? I was thinking not, because it should just use the existing one which I have, but would like to confirm....

https://forums.freenas.org/index.ph...ase-less-encrypted-pool-when-expanding.53566/

But then, if not, is re-keying really required for replacing disks? I was thinking it was more associated with the passphrase, and otherwise the manual suggests only re-key if there's concern it's been compromised. And what benefits does an extra recovery key have, again without a passphrase, if I'm saving the main one?
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I will just say this, and I won't discuss it, the pool is not as secure without a passphrase. The key plus the passphrase give you two factor authentication. Something you have (the key) and something you know (the phrase) and to use just one kind of defeats the purpose.
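
A simplified model of two points raised in this thread: that a key file alone unlocks a passphrase-less volume, and that a key backup taken before a rekey no longer works afterward. This is an added example, not FreeNAS code or anything posted by the participants; the `Volume` class, the key derivation and the toy key-wrap are assumptions made for illustration, and the key files and passphrase are constructed sample values.

```python
import hashlib, hmac, os

def derive_user_key(keyfile, passphrase, salt):
    # "Something you have" (key file) mixed with optional "something you know".
    mac = hmac.new(salt, keyfile, hashlib.sha512)
    if passphrase is not None:
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 100_000))
    return mac.digest()

def _stream(user_key):
    return hmac.new(user_key, b"enc", hashlib.sha512).digest()

def wrap(master, user_key):
    # Toy key-wrap (XOR keystream + HMAC tag); a stand-in, not a real cipher.
    ct = bytes(a ^ b for a, b in zip(master, _stream(user_key)))
    return ct, hmac.new(user_key, b"mac" + ct, hashlib.sha512).digest()

def unwrap(slot, user_key):
    ct, tag = slot
    expect = hmac.new(user_key, b"mac" + ct, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong key file and/or passphrase
    return bytes(a ^ b for a, b in zip(ct, _stream(user_key)))

class Volume:  # hypothetical model of an encrypted volume's key slot
    def __init__(self, keyfile, passphrase=None):
        self.salt = os.urandom(16)
        self.slot = wrap(os.urandom(64), derive_user_key(keyfile, passphrase, self.salt))

    def unlock(self, keyfile, passphrase=None):
        return unwrap(self.slot, derive_user_key(keyfile, passphrase, self.salt))

    def rekey(self, master, new_keyfile, passphrase=None):
        self.slot = wrap(master, derive_user_key(new_keyfile, passphrase, self.salt))

def demo():
    old_key, new_key = os.urandom(64), os.urandom(64)  # constructed key files
    plain = Volume(old_key)                       # no passphrase: can auto-mount
    guarded = Volume(old_key, "example phrase")   # key file plus passphrase
    out = {
        "plain_keyfile_only": plain.unlock(old_key) is not None,
        "guarded_keyfile_only": guarded.unlock(old_key) is not None,
        "guarded_both": guarded.unlock(old_key, "example phrase") is not None,
    }
    plain.rekey(plain.unlock(old_key), new_key)
    out["old_backup_after_rekey"] = plain.unlock(old_key) is not None
    out["new_backup_after_rekey"] = plain.unlock(new_key) is not None
    return out

if __name__ == "__main__":
    print(demo())
```

In this model the old key backup stops unlocking the volume as soon as the slot is rewrapped, which is why the last step of the replacement summary earlier in the thread is to download a fresh backup.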
 