Encryption and Wake On LAN (remotely enter password)

0x0

Cadet
Joined
Aug 21, 2019
Messages
8
I would like to build a NAS based on FreeNAS using the ASUS P9DI motherboard, a Xeon CPU and some ECC RAM.
I need the data on the NAS to be encrypted securely, but at the same time I need a convenient way to access them.
Since burglaries happen quite often in my district and data often is the target, I want to keep the NAS turned off when I don't need it.

However, when I decide to watch a movie from my NAS and turn it on via Wake On LAN, I don't want to go downstairs to where the NAS is located to enter the decryption password. I would like to decrypt it remotely and ideally I would just run a bash script on my laptop, phone or tablet that simply asks for the password and takes care of the rest. I was wondering if that can be done reliably and securely.

At first I was thinking about simply setting up some sort of Arduino, ESP8266 or Raspberry Pi and programming it to expose an API to which I can send commands that then get translated into keyboard input and get sent to the NAS via USB. (Doing that would be trivial for me as I have quite a lot of experience with these sorts of microcontrollers.) But I think it wouldn't be very secure unless I would spend a significant amount of time on writing something that can ensure the device has not been touched. The most obvious attack that I would fear in this case would be someone reprogramming the microcontroller and the next one would be someone using a hardware keylogger since both of these attacks would be very trivial and cheap.
Another problem with that idea is that I could only guess when exactly the device can start entering the password. So I would have to add a long delay before entering it which would be annoying because I'd be wasting time unnecessarily.

Then I realized that the motherboard supports some sort of remote management features and now I'm wondering if I could use those features to enter the password remotely from a script. The features are called "ASMB7-iKVM" and "ASWM Enterprise" from what I can tell.
I think that would be much more secure as both of the before mentioned attacks would work against that.

Also: Has anyone done something like that before?

Oh, before I forget, I don't want to discuss how paranoid I am or how likely it would be that someone would try to steal my data.
 

0x0

I think so. Ideally the NAS will run 24/7, but the drives will only be unlocked when I need them. Since unlocking works through the web interface, I should be able to write a bash script that asks for the decryption password and then creates the required http(s) requests using curl in order to unlock the drives.
So no shutdowns are required in order to keep my data safe when I don't need it. And as a bonus, access time will be way faster and the drives will live much longer because they're not constantly being turned on and off again.

But I have yet to try if this works the way I imagine it.
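
A sketch of the prompt-and-curl script described in the post above, as an added example that is not part of the original thread or of FreeNAS. The unlock URL, the `passphrase` JSON field and the `NAS_URL`, `NAS_CA` and `NAS_NETRC` names are assumptions; take the real endpoint from the API documentation of the FreeNAS version in use. The passphrase goes to curl on stdin so it never shows up in the process list, and the script refuses to send it over plain http.

```shell
#!/bin/sh
# Added example. Endpoint, JSON field and variable names are assumptions.
NAS_URL=${NAS_URL:-https://nas.example/UNLOCK-ENDPOINT-PLACEHOLDER}
NAS_CA=${NAS_CA:-$HOME/.config/nas/ca.pem}      # CA (or pinned cert) of the NAS
NAS_NETRC=${NAS_NETRC:-$HOME/.config/nas/netrc} # API login, kept out of argv

# Accept only https URLs so the passphrase never crosses the LAN in clear text.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Wrap the passphrase in a JSON body, escaping backslashes and double quotes.
# Control characters are not handled; a typed one-line passphrase has none.
json_body() {
    esc=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '{"passphrase": "%s"}' "$esc"
}

# Prompt on stderr and read one line with terminal echo switched off.
read_secret() {
    printf 'Passphrase: ' >&2
    trap 'stty echo' INT TERM
    stty -echo
    IFS= read -r secret
    stty echo
    printf '\n' >&2
    printf '%s' "$secret"
}

# Send the body on stdin (--data @-) with the server certificate verified.
unlock() {
    require_https "$NAS_URL" || { echo "refusing non-https URL" >&2; return 2; }
    json_body "$1" | curl --silent --show-error --fail \
        --cacert "$NAS_CA" \
        --netrc-file "$NAS_NETRC" \
        --header 'Content-Type: application/json' \
        --data @- \
        "$NAS_URL"
}

# Only talk to the NAS when asked to: ./unlock.sh --unlock
if [ "${1:-}" = "--unlock" ]; then
    unlock "$(read_secret)"
fi
```
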
 