SOLVED Encryption: Is FreeNAS safe enough?

Status
Not open for further replies.

Leary

Dabbler
Joined
Jul 27, 2016
Messages
17
I'm a bit concerned about the encryption process of FreeNAS, since this is written in the Documentation:

Note
The encryption facility used by FreeNAS® is designed to protect against physical theft of the disks. It is not designed to protect against unauthorized software access. Ensure that only authorized users have access to the administrative GUI and that proper permissions are set on shares if sensitive data is stored on the system.

Since I work with sensitive data which are by law under data protection (mostly research material from uni) I thought about encrypting my NAS and making it as safe as possible. However, the quoted note does sound a bit as if it would be easy to gain access to the encrypted data through software use.

So I'm not really sure if I understand that correctly: Let's say someone would steal my NAS. The encrypted volume would be dismounted through the loss of energy supply. Now the hacker-thief tries to mount the volume and notices that it is encrypted. Will it be possible to gain access to the files using modern hacking methods, or is it encrypted strongly enough?
I couldn't find any description of which kind of AES encryption is used. Modern services like WhatsApp use AES-256; is FreeNAS using that also? Or would it be smarter to not encrypt the files through FreeNAS but create encrypted file containers for the sensitive data with programs like VeraCrypt?
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
Yes, once the NAS is powered down (gracefully or not), in order to mount an encrypted Zpool after power on, you / they would require the encryption credentials.

The warning you have quoted simply reminds people that encrypted data on disk does not help if someone has network or console access to the NAS after the Zpool is mounted with its credentials.

Lastly, I don't know what type of encryption is used with FreeNAS 9.x. But checking around, it does seem to support AES:

https://en.wikipedia.org/wiki/Geli_(software)
 

Leary

Dabbler
Joined
Jul 27, 2016
Messages
17
I just googled a bit and it seems to be AES 256, which is enough for me.
Thanks!
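Rather than searching for the answer, the cipher and key length of each attached GELI provider can be read from `geli list` on the box itself. The script below is an added example, not code from the thread or from the FreeNAS project: it parses a constructed sample of `geli list` output and flags any provider that is not AES-XTS with a 256-bit key. It assumes that `geli list` prints `Geom name:`, `EncryptionAlgorithm:` and `KeyLength:` lines for each provider in that order; the sample, the provider names and the `check_geli_providers` function name are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: report cipher and key length of every
# attached GELI provider and flag anything weaker than AES-XTS with a 256-bit
# key. Assumes `geli list` emits "Geom name:", "EncryptionAlgorithm:" and
# "KeyLength:" lines per provider, in that order.

# Constructed sample of `geli list` output for offline testing. On a live
# FreeNAS/FreeBSD host use:  geli list | check_geli_providers
SAMPLE_GELI_LIST='Geom name: ada0p2.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Geom name: ada1p2.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software'

# Reads `geli list` output on stdin and prints one line per provider:
#   <geom name> <algorithm> <key bits> OK|WEAK
# Exit status is 1 if at least one provider is below AES-XTS/256, else 0.
check_geli_providers() {
    awk '
        /^Geom name:/           { name = $3 }
        /^EncryptionAlgorithm:/ { alg = $2 }
        /^KeyLength:/ {
            bits = $2 + 0
            verdict = (alg == "AES-XTS" && bits >= 256) ? "OK" : "WEAK"
            if (verdict == "WEAK") weak = 1
            print name, alg, bits, verdict
        }
        END { exit weak ? 1 : 0 }
    '
}

# Run against the constructed sample; the second provider is reported as WEAK.
printf '%s\n' "$SAMPLE_GELI_LIST" | check_geli_providers \
    || echo "WARNING: at least one GELI provider is below AES-XTS/256"
```

The check only answers the question Leary asked (which AES mode and key size the disks use); as Arwen notes, it says nothing about who can reach the data once the pool is mounted, which is a separate access-control question.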
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
There is a lot to do in order to protect highly sensitive data and it all comes at a cost. First you must securely lock your hardware away, but if someone tries to steal the physical media, the FreeNAS encryption will protect it. Second you need data encryption between your server room and all network connectivity. For my work we use RSA VPN Tokens which change a six digit number every 1 minute. So you will need some more hardware to ensure a safe network environment. Third you need your system to be a closed system, no outside access like the internet, external email, etc... It must be isolated, no USB drives of any sort, CD drives, and I think you get the point.

All this may sound like overkill but in a highly classified environment, this is how we do it.

So you need to figure out what your company's data security plan is and go from there. As a NAS, FreeNAS is capable of doing its part but remember, it's a NAS.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Speaking as someone who deals with government compliance requirements every day at $DAYJOB, if the data is sensitive enough to have mandatory controls like encryption at rest, there are likely a slew of additional controls as well. I hope you have someone who's well versed in these requirements architecting whatever solution you come up with, and good auditors verifying the controls.

It sounds like you're intending to work with this data off university grounds (perhaps at home)... which is an auditor's nightmare.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
encryption at rest
Arg, I hate having to encrypt unclassified data but I do, so we are purchasing these new USB external drives which have a keypad built in so we can ensure all data at rest is encrypted. This will replace software encryption. IA requirements and security are a real killer but there is a need for this type of stuff in today's world.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Arg, I hate having to encrypt unclassified data but I do, so we are purchasing these new USB external drives which have a keypad built in so we can ensure all data at rest is encrypted. This will replace software encryption. IA requirements and security are a real killer but there is a need for this type of stuff in today's world.

Hmm... I bet you're very familiar with 800-171, then. My personal hell :)
 

maglin

Patron
Joined
Jun 20, 2015
Messages
299
I would go the VeraCrypt route. Probably slower but you won't lose your key and that data will be encrypted to anyone that gains access to that data without the key.


Sent from my iPhone using Tapatalk
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Speaking as someone who deals with government compliance requirements every day at $DAYJOB, if the data is sensitive enough to have mandatory controls like encryption at rest, there are likely a slew of additional controls as well. I hope you have someone who's well versed in these requirements architecting whatever solution you come up with, and good auditors verifying the controls.

It sounds like you're intending to work with this data off university grounds (perhaps at home)... which is an auditor's nightmare.
What? I thought encryption is magic pixie dust that you sprinkle on things to make them secure and checklist-compliant to boot?
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
What? I thought encryption is magic pixie dust that you sprinkle on things to make them secure and checklist-compliant to boot?
Check box!

Sent from my Nexus 5X using Tapatalk
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
What? I thought encryption is magic pixie dust that you sprinkle on things to make them secure and checklist-compliant to boot?
I don't want to talk to you no more, you empty-headed animal food trough wiper! I fart in your general direction! Your mother was a hamster and your father smelt of elderberries! :D

I spent two hours yesterday trying to convince people that full-disk encryption at rest does absolutely nothing when the system is online and facing network-based attacks. I wonder if I can file a worker's comp claim for damage caused by beating my head against the wall...
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Since I work with sensitive data which are by law under data protection (mostly research material from uni)
Nah, just claim that you "Had no intentions of harm" and you can get away with not doing anything... :eek:o_O
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Nah, just claim that you "Had no intentions of harm" and you can get away with not doing anything... :eek:o_O
Ooh, burn! Ask the training team at Fort Leonard Wood about calling out "insider threats"...
 