Encryption alternatives

Status
Not open for further replies.

Helios

Dabbler
Joined
Nov 3, 2015
Messages
31
I've read about the issues related to encrypting an entire pool in the event of a disk swap. Since I do need encryption, my idea was to run a small Debian VM with LUKS, but the issues I've had with the VirtualBox jail are making me reconsider.
The VirtualBox version included in the template (4.3.?) doesn't virtualize AES-NI; not a huge issue, but I got an i3 instead of a Celeron because it has AES-NI, so I'm not exactly getting my money's worth. Also, today after copying for ~12 hours, VirtualBox crashed so hard it brought down the entire system. From what I've read, it's most likely either an issue with VIMAGE or I/O caching.

So, what are my alternatives? All I want is to have an encrypted container I can mount as a normal directory and share with CIFS, NFS, etc.
What do you make of this? https://forums.freebsd.org/threads/20382/


PS: Sorry if this isn't the right section for this question. It's sort of storage-related, I think.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410

Helios

Dabbler
Joined
Nov 3, 2015
Messages
31
Already looked into it. VeraCrypt doesn't support BSD, so it doesn't work for me. I need the machine that processes the file system and the machine that hosts the storage to be the same.
 

Robert Smith

Patron
Joined
May 4, 2014
Messages
270
> Already looked into it. VeraCrypt doesn't support BSD, so it doesn't work for me. I need the machine that processes the file system and the machine that hosts the storage to be the same.

So, basically, if somebody steals your FreeNAS system they will be able to read the encrypted data no problem. Right?

It seems like saving encrypted containers or blocks on FreeNAS, but decrypting them on the computers that actually work with the data, would be a more useful scenario.
 

Helios

Dabbler
Joined
Nov 3, 2015
Messages
31
My computer is in the room next to the file server. Am I getting any real security by protecting against the case where the robbers steal one instead of both?
Let's pretend that if someone breaks into my house, the fact that they might try to read my decrypted data is the least of my worries, but that somehow I still consider it useful to encrypt that data.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
> My computer is in the room next to the file server. Am I getting any real security by protecting against the case where the robbers steal one instead of both?
> Let's pretend that if someone breaks into my house, the fact that they might try to read my decrypted data is the least of my worries, but that somehow I still consider it useful to encrypt that data.

In that case I recommend ROT13.
 

Helios

Dabbler
Joined
Nov 3, 2015
Messages
31
Note to others: as it is written, the above HOWTO gives a write performance that makes it completely useless. I'm talking about something in the realm of under 10 MiB/s with a six drive pool.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
> It seems like saving encrypted containers or blocks on FreeNAS, but decrypting them on the computers that actually work with the data, would be a more useful scenario.

Agree.

> My computer is in the room next to the file server. Am I getting any real security by protecting against the case where the robbers steal one instead of both?
> Let's pretend that if someone breaks into my house, the fact that they might try to read my decrypted data is the least of my worries, but that somehow I still consider it useful to encrypt that data.

If your "Windows box" runs VeraCrypt on particular file containers, which are located shared to the FreeNAS via regular CIFS shares, the data on the FreeNAS would not be useful for anyone hacking the box, or stealing the box, or getting access to that box in any way.
If your Windows box is left behind, all is good.
If your Windows box is stolen, all is good.
If both are stolen, the intruder would first need to get into the Windows box, crack the VeraCrypt (heh......), not be a complete moron to extract and mount the ZFS pool.

One thing I'm not too sure about when using "large file containers" on ZFS is how to consider the interaction with CoW. Without knowing the details on how encryption containers or encrypted volumes via VeraCrypt work, there is a great suspicion that it may not be feasible to encrypt entire volumes. Rather, the utility of such would be to encrypt the most sensitive data, or having gobs of free space.
 

Helios

Dabbler
Joined
Nov 3, 2015
Messages
31
> If both are stolen, the intruder would first need to get into the Windows box, crack the VeraCrypt (heh......), not be a complete moron to extract and mount the ZFS pool.

If the desktop is powered, which it almost always is, the volume will be mounted. Therefore the only security measure is the OS login.
If the server does the decryption and it is powered, the only security measure is the OS login.
Thus, no difference.
Can we please move on? I'm not going to do this stupid thing.

> One thing I'm not too sure about when using "large file containers" on ZFS is how to consider the interaction with CoW.

I'm guessing it will perform exactly the same as the encrypted UFS container from the HOWTO above, since they're both updating small pieces of a huge single file.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
> I'm guessing it will perform exactly the same as the encrypted UFS container from the HOWTO above, since they're both updating small pieces of a huge single file.

Incorrect.

The HOWTO dates from 2010, and probably refers to filesystems other than ZFS that were also in use at the time. That pretty much invalidates it today.

Here you can read about ZFS CoW and understand my concern above.
 

Helios

Dabbler
Joined
Nov 3, 2015
Messages
31
The HOWTO doesn't explicitly mention any file systems. I'm talking about the performance I saw when I tried it out on my server.
I see no reason why an NTFS file system encapsulated in a VeraCrypt volume stored in a ZFS file system should perform vastly differently from a UFS file system encapsulated in a GELI-filtered ZFS-backed memory disk.
 