Encryption at rest? LUKS?

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
I'm evaluating TrueNAS SCALE and I'm already blown away! The UI looks so good, Linux, Docker containers... Setting up Portainer is easy too. Robust storage. Basically all I need in one package. Except maybe for my desire to encrypt the system at rest...

During pool creation I can check "Encryption" but this will store the keys "in the system database and can be exported at any time from the pool options". This way my data won't be protected if the whole NAS is stolen. So instead I tried to configure it with a passphrase, which I will remember and not store on the NAS. But I'm presented with this error: "[EINVAL] id: data contains the system dataset. Please move the system dataset to a different pool before changing key_format."

So I move the system dataset to the boot-pool via System Settings -> Misc -> System Dataset. Now I'm allowed to enable passphrase encryption on my data pool. But since the boot pool is unencrypted I'm worried what (sensitive) data it may contain. What is stored in the system dataset? Anything sensitive it may leak, like Docker container config?

So my question: What are my options to enable encryption for the whole system? Would it be possible to set up the boot-pool with LUKS full disk encryption? Possibly even remote unlock at boot with dracut-sshd. That way I can also store the encryption keys there for my data pool and wouldn't need to resort to passphrase encryption for those.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Setting up Portainer is easy too. Robust storage. Basically all I need in one package. Except maybe for my desire to encrypt the system at rest...
Do be aware:
While it's possible, changing anything (including containers, pods, etc.) using Portainer is technically not supported.

During pool creation I can check "Encryption" but this will store the keys "in the system database and can be exported at any time from the pool options". This way my data won't be protected if the whole NAS is stolen.
That's correct, the default encryption is mostly meant to make it safer to repurpose disks.

But I'm presented with this error: "[EINVAL] id: data contains the system dataset. Please move the system dataset to a different pool before changing key_format."
Yes, because this dataset gets loaded before the passphrase prompt (as it also stores things like logs and the basic k8s settings)

So I move the system dataset to the boot-pool via System Settings -> Misc -> System Dataset. Now I'm allowed to enable passphrase encryption on my data pool. But since the boot pool is unencrypted I'm worried what (sensitive) data it may contain. What is stored in the system dataset? Anything sensitive it may leak, like Docker container config?
There are two important "special" datasets/pools:
- System Dataset
- App Dataset

The App dataset (configurable in the Apps interface) would contain the docker data and configuration afaik.
The system dataset might contain logs and credentials yes.

TLDR:
TrueNAS machines are NOT protected against theft of the physical machine.

So my question: What are my options to enable encryption for the whole system?
None that are officially supported as far as I'm aware.
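An added check, not part of the thread above: a small POSIX shell script that reads `zfs get` output and reports, per dataset, whether the wrapping key would still be unavailable to someone who walks off with the hardware. The classification rule follows what ornias confirms: a hex/raw key with `keylocation=prompt` is supplied by the TrueNAS middleware from the system database, so it travels with the box; only a passphrase typed at unlock time (`keyformat=passphrase`, `keylocation=prompt`) is absent from the machine. The dataset names and property values in the embedded sample are constructed for illustration; `zfs` itself is only invoked when it is present on the host.

```shell
#!/bin/sh
# Added example (not from the thread): audit which ZFS datasets would stay
# locked if the whole NAS were stolen.
#
# Input is the tab-separated output of
#   zfs get -H -o name,property,value -t filesystem encryption,keyformat,keylocation
# The SAMPLE below is constructed; it is used when no zfs binary is available.

SAMPLE=$(printf '%s\t%s\t%s\n' \
    boot-pool            encryption  off \
    boot-pool            keyformat   none \
    boot-pool            keylocation none \
    data                 encryption  aes-256-gcm \
    data                 keyformat   hex \
    data                 keylocation prompt \
    data/photos          encryption  aes-256-gcm \
    data/photos          keyformat   passphrase \
    data/photos          keylocation prompt \
    data/ix-applications encryption  aes-256-gcm \
    data/ix-applications keyformat   raw \
    data/ix-applications keylocation file:///etc/zfs/keys/data.key)

# classify ENCRYPTION KEYFORMAT KEYLOCATION -> one verdict token on stdout
classify() {
    enc=$1 fmt=$2 loc=$3
    if [ "$enc" = "off" ] || [ "$enc" = "-" ]; then
        echo UNENCRYPTED
        return
    fi
    case "$loc" in
        # Key (or passphrase) lives in a file on the box or is fetched from a
        # URL at import time: anyone holding the hardware gets it too.
        file://*|http://*|https://*) echo KEY_ON_DISK_OR_NETWORK; return ;;
    esac
    if [ "$fmt" = "passphrase" ]; then
        # Must be typed by a human after every reboot; nothing usable on disk.
        echo THEFT_SAFE
    else
        # hex/raw with keylocation=prompt: on TrueNAS the middleware feeds the
        # key from the system database (assumption based on the thread), so the
        # key is present on the machine and the pool auto-unlocks for a thief.
        echo KEY_IN_SYSTEM_DB
    fi
}

# audit: reads the 3-column zfs output on stdin, prints "dataset verdict" lines
audit() {
    awk -F'\t' '
        { v[$1, $2] = $3; if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 } }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                printf "%s\t%s\t%s\t%s\n", d, v[d, "encryption"], v[d, "keyformat"], v[d, "keylocation"]
            }
        }' | while IFS="$(printf '\t')" read -r name enc fmt loc; do
        printf '%-24s %s\n' "$name" "$(classify "$enc" "$fmt" "$loc")"
    done
}

# theft_safe_count: number of datasets that need a human-supplied passphrase
theft_safe_count() {
    audit | awk '$2 == "THEFT_SAFE"' | wc -l | tr -d ' '
}

if command -v zfs >/dev/null 2>&1 && [ "${1:-}" != "--sample" ]; then
    zfs get -H -o name,property,value -t filesystem encryption,keyformat,keylocation | audit
else
    printf '%s\n' "$SAMPLE" | audit
fi
```

Run it with `--sample` to see the constructed output; on a real TrueNAS SCALE box it walks every filesystem. Two caveats the script cannot see: a THEFT_SAFE dataset is only safe while it is locked (a machine stolen while powered on and unlocked is a different threat), and, as the error in the first post shows, the dataset that holds the system dataset cannot be switched to a passphrase, so whatever the system dataset contains will sit on a pool the script reports as KEY_IN_SYSTEM_DB or UNENCRYPTED.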
 

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
Thanks for replying :)

I replied to you here regarding Portainer.

I was afraid there wouldn't be an officially supported way to protect against theft of the physical machine...

Would love to see that feature become officially supported! Until then, has anyone tried it? Any suggestions for a DIY solution?
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Would love to see that feature become officially supported! Until then, has anyone tried it? Any suggestions for a DIY solution?
I wouldn't say it's impossible but it would be very hard, complex and prone to failure...
But if anyone did it, please do share... Interesting to learn how it could be done!
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
Another, un-supported option, would be to use SED, (Self Encrypting Drives), and have them managed by the BIOS.
So by the time the OS is booted, all the drives would be enabled for read.

Any power off, would cause the drives to "forget" the password / passphrase. So next power on, they would require interaction to allow any data to be read. Preventing any theft of hardware from accessing the information on the drives.

Of course, as has been mentioned, if the boot drive is a USB device, or is not a SED then some data could potentially leak. But, without encrypting the OS drive, it can open up possibilities to have the bootloader or OS install the password into the data SEDs.
 

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
Thanks! I didn't know SED. Will investigate. But sounds like this hardware encryption will be transparent to the TrueNAS SCALE installation. So less likely to cause any issues within TrueNAS itself?

I suppose I could boot from a USB stick into a pre-boot environment to unlock the SED (or multiple SEDs) and then chain-load TrueNAS. In case the BIOS doesn't support unlocking a SED at boot. That's my initial understanding. Now I just need a SED to try it xD
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Key to me is keeping out the incompetent thieves, i.e., the drug addicts looking for a quick fence. Determined competent folk will always get in once they have access to the machine.

Might take a keylogger on your laptop, etc but I make myself no illusions. Even the more security-conscious OEMs keep finding issues with their hardware or software. See the latest revelations re the San Bernardino iPhone, the trusted enclave in Mac laptops, etc.
 

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
Key to me is keeping out the incompetent thieves

How do you recommend doing this? Do you think encrypting the data pool with a passphrase would be enough (so no key-based encryption, stored on the boot-pool)?

Using a Self Encrypting Drive for the boot-pool sounds quite nice. Then I don't need to move the system dataset and can encrypt the data pool with keys (stored on the boot-pool) and auto unlock them at boot. I'd only have to unlock the SED during boot :) However, while reading about SEDs I found out encryption on (some) SEDs can be bypassed. So now I'm less enthusiastic to try them out xD

Could anyone elaborate on what data I'll be leaving 'out in the open' on an unencrypted boot-pool with system dataset?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
I'd suggest
  • Using the ZFS crypto which then requires a pool unlock after boot. That covers the data at rest to some extent.
  • Turning off root access from the serial console w/o a password.
  • Isolating the IPMI interface with a VLAN or keeping it disconnected altogether.
  • Ensuring the IPMI interface doesn't then become available on the other 1GbE NICs.
  • Separately encrypting anything you really care about. ZFS crypto is for convenience, an unlocked pool is much easier to attack than a closed container that is only unlocked by a limited number of clients on demand and whose contents are only visible to said clients, not the TrueNAS in general.
  • The benefit of compartmentalizing sensitive data with further encryption has to be held against the inconvenience that said isolation entails, plus the possibility that if the compartment is corrupted just right, the whole compartment might be spoiled.
 

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
Thanks to the tip from @Arwen I decided to go with a SED for the OS disk. I made my own PBA image so I can conveniently unlock the SED via HTTPS and continue to boot without a keyboard (and monitor) attached.
 