Encryption Checklist?

Status
Not open for further replies.

Ben1010101

Cadet
Joined
Jan 28, 2017
Messages
3
Hi everyone,

I've just assembled my first NAS server. The hardware specifications are as follows:
  • HP Proliant ML10 V2
    • 16GB (4 x 4GB) DDR3 1600MHz (@ 1333MHz) ECC
    • Intel Pentium G3240
  • Seagate ST1000DM003
  • Toshiba DT01ACA300 (Quantity: 2)
  • SanDisk SDCZ43-016G (Quantity: 2)
Thus far, I've completed the hardware burn-in testing (using a combination of BadBlocks, MemTest86, and S.M.A.R.T long) and the FreeNAS installation (mirrored across both of the SanDisk SDCZ43-016G) without issue, and have moved on to the FreeNAS configuration. Many of the capabilities of FreeNAS appear to be superfluous for my needs (which will consist of a single unencrypted striped volume, a single encrypted mirrored volume, with a maximum of two shares accessible by two users), and to be honest, it's slightly overwhelming. Most of the configuration options don't appear to be of critical importance (or can be determined at a later date), with the exception of disk encryption.

After reading various topics regarding disk encryption, there appears to be some confusion amongst FreeNAS users on the relationship between the encryption key, passphrase, and recovery key. In addition to this, the official documentation seems to be slightly ambiguous (but perhaps this is just due to my inexperience in this area). Ideally, I'd like to have a clear understanding of disk encryption within FreeNAS before copying across irreplaceable data. Are the following assumptions correct?

Encryption Key (applicable options include "Download Key" and "Encryption Re-Key"): the cipher which is used to encrypt/decrypt the data contained within the disk/volume. If the encryption key is unavailable (i.e. the FreeNAS system disk has been destroyed and no manual backup was previously performed), then the volume cannot be mounted/recovered, regardless of whether the passphrase is correct or the recovery key is available.

Passphrase (applicable options include "Create Passphrase" and "Change Passphrase"): optional, but used as an additional layer of security to encrypt/decrypt the encryption key (above). If the passphrase is set, the combination of the encryption key and the passphrase (or the recovery key) is required to mount/recover the volume. If the passphrase isn't set, only the encryption key is required to mount/recover the volume. Hence, setting the passphrase prevents data recovery when the physical hardware is taken off-site (i.e. returned to the manufacturer or stolen).

Recovery Key (applicable options include "Add Recovery Key" and "Remove Recovery Key"): optional, but essentially replaces the passphrase in situations where the passphrase has been forgotten.

Hoping that the above assumptions are correct, I did the following:
  1. Created an encrypted volume.
  2. Removed the recovery key via the "Remove Recovery Key" option (potentially redundant if only one recovery key can be active at any given time).
  3. Set the passphrase via the "Create Passphrase" option.
  4. Generated a new recovery key via the "Add Recovery Key" option.
  5. Downloaded the recovery key to an encrypted local computer, which syncs with a cloud service.
  6. Downloaded the encryption key to an encrypted local computer via the "Download Key" option, which syncs with a cloud service.
So, I have backed up the encryption key and the recovery key, and will hopefully remember the passphrase if I'm using it regularly. I've rebooted FreeNAS multiple times, and locked/unlocked the encrypted volume using the passphrase and recovery key. The only thing I don't know how to test is the encryption key (I'm guessing this would require reimporting the volume). Is there anything I've overlooked?

I apologise for the long-winded post, but would appreciate any feedback. Thank you!
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I'm interested in the answers as well.

One test you could do is to take one of the encrypted drives and pull it out and then wipe it, next use it to simulate a drive replacement event. This should give you a good feeling on how to replace a failing/failed drive. I would also write down a step-by-step procedure on how this is done and print it out and place it inside the computer so when it's time to replace a failed encrypted drive, you know what needs to be done without guessing or doing more research to refresh your memory.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
Sounds like you have a good plan. A couple of notes:
  • This type of encryption is mostly useful for theft of the disks and/or server, or returning disk(s) for replacement where you can't wipe them first.
  • This type of encryption will NOT protect the data during normal operation. Meaning if a cracker breaks into your server, the encryption is meaningless (unless they reboot).
 

Ben1010101

Cadet
Joined
Jan 28, 2017
Messages
3
I appreciate the replies, thank you.

I've decided to look for an alternative to FreeNAS for now, and will revisit my decision once version 10 is production ready. Due to my own ignorance (by trusting third-party recommendations without doing my own research), I didn't realise that the installation and configuration of FreeNAS was such an involved and time-consuming process. FreeNAS is seemingly a feature-rich solution, but I'm a home user with simple requirements. The ambiguous documentation and user interface (with regards to disk encryption) also made me quite hesitant to commit at this stage.
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
There are very few reasons to use encryption on FreeNAS as it does nothing to protect a running server. If your FreeNAS server is running 24/7, encryption is useless. It only protects against theft of the physical drives and not the data.

Unless you have a legitimate requirement, i.e. PCI compliance, encryption in my opinion is not worth the hassle.
 

Ben1010101

Cadet
Joined
Jan 28, 2017
Messages
3
> There are very few reasons to use encryption on FreeNAS as it does nothing to protect a running server. If your FreeNAS server is running 24/7, encryption is useless. It only protects against theft of the physical drives and not the data.

Theft is what I am primarily trying to protect against. Obviously, if someone manages to penetrate the local network, then all bets are off. Don't get me wrong, I'm impressed with the functionality of FreeNAS (although, once again, the documentation could be more explicit), but using FreeNAS for my requirements is like using a chainsaw to open a bag of chips; it's just complete overkill. Hopefully, I'll stumble upon a simpler solution.
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
> Theft is what I am primarily trying to protect against.

Let's be realistic here. The casual thief who steals your hard drives is unlikely to know what ZFS is, let alone try to access the data. The drive will be wiped and reformatted before you know it.

> Don't get me wrong, I'm impressed with the functionality of FreeNAS (although, once again, the documentation could be more explicit)

You're welcome to contribute suggestions via the bug tracker should you want improvements made. However, that said, there are plenty of tutorials, resources and how-tos on this forum alone. FreeNAS is an open source project and its documentation is only as good as its community.

> but using FreeNAS for my requirements is like using a chainsaw to open a bag of chips; it's just complete overkill.

FreeNAS is feature-rich; it doesn't try to hide anything from the user. There are other NAS operating systems out there, such as OpenMediaVault, NAS4Free, UnRAID, FlexRAID, Openfiler, etc. They all have different feature sets, all of which are more or less the same level of complication but presented differently.

I believe the best option for you would be a Synology device. Synology will hide a lot of the more advanced features from the user, and also has encryption if you need it.
 

devnullius

Patron
Joined
Dec 9, 2015
Messages
289
Question, if I may? If I enable Encryption in the GUI when I create the pool, I'd expect a password dialogue and/or 'backup encryption key'. I'm not given either. Is that to be expected? Using Edge for this.

Update: ah, never mind. If I select (in the GUI) the primary Pool, the options are at the bottom. I guess I should do that manually before encryption really is started?
 