Encryption - Key ONLY Locking

Status
Not open for further replies.

Mr. Xirtam

Dabbler
Joined
May 30, 2015
Messages
16
Hello! I am currently playing around extensively in a virtual environment with FreeNAS in order to completely familiarize myself before migrating over to it (Currently using a software raid5 on Linux). I am considering using encryption and I am looking over the documentation in this matter. It appears there are a few different ways to approach this, currently, you can use a passphrase or a key, or both for a two factor authentication. The problem I am running into is how the key can be removed from the local system to enable that two factor method, or even just authenticating with key only, if I wanted. I see the recovery key creation and removal buttons, but the primary key, only re-key and download. Nothing to remove the key from the local system. Does this have to be done somewhere else that I am not familiar with, or through the command line?
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
Have you consulted the manual at 8.1.1.1 ?
 

Mr. Xirtam

Dabbler
Joined
May 30, 2015
Messages
16
> Have you consulted the manual at 8.1.1.1 ?

Yes I have, as well as 8.1.8.1, where it goes into more detail on the possibilities. It is in this section where I'm wondering how it is possible to do the key only option:
Code:
  • Key stored locally, no passphrase: the encrypted volume is decrypted and accessible when the system running. Protects “data at rest” only.
  • Key stored locally, with passphrase: the encrypted volume is not accessible until the passphrase is entered by the FreeNAS® administrator.
  • Key not stored locally: the encrypted volume is not accessible until the FreeNAS® administrator provides the key. If a passphrase is set on the key, it must also be entered before the encrypted volume can be accessed (two factor authentication).


Nowhere in the preceding documentation do I see it mention how to remove the local key in order to accomplish it.
 

Mr. Xirtam

Dabbler
Joined
May 30, 2015
Messages
16
I am still trying to figure this out. I have an update. Since the key file is stored in /data/geli, I tried downloading the key file to my system first, then via shell, I deleted the key file in that folder for the volume. I still do not have a passphrase set, so I cannot lock the volume via the interface. I rebooted the server, and upon reload, the volume is still locked. BUT when you highlight it, and choose unlock volume, it doesn't present you with the standard unlock screen of putting in the passphrase and/or attaching the key file, but instead presents you with a simple dialog asking if you want to unlock the volume with a Yes or Cancel selection. If you press Yes, it just tries to do it, but then shows an error dialog saying the unlock failed. So simply deleting the key file manually will remove the ability to even access the volume, even though you have the key file. So I am still looking for the correct way to be able to lock the volume with just the key file vs a passphrase.
 

Mr. Xirtam

Dabbler
Joined
May 30, 2015
Messages
16
So at this point, with the lack of responses, not very many people have a need to utilize this and therefore have not noticed the contradiction between the ability to do it and the documentation. So is it safe to say that this should be requested as a feature, or reported as a bug?
 

Iyanga

Cadet
Joined
Apr 25, 2018
Messages
1
I guess you could debate what "until the FreeNAS® administrator provides the key" encompasses.

> So at this point, with the lack of responses, not very many people have a need to utilize this

What is your attack vector? (This is a genuine question.)

Someone gaining root access to the NAS with a locked volume with a passphrase set will not be able to decode the data with the information present on the NAS, as the passphrase is missing and the encrypted master key with which the files are encrypted is not accessible.
 

Mr. Xirtam

Dabbler
Joined
May 30, 2015
Messages
16
> I guess you could debate what "until the FreeNAS® administrator provides the key" encompasses.
>
> What is your attack vector? (This is a genuine question.)
>
> Someone gaining root access to the NAS with a locked volume with a passphrase set will not be able to decode the data with the information present on the NAS, as the passphrase is missing and the encrypted master key with which the files are encrypted is not accessible.

I guess I was more so looking for the flexibility to use a key file only lock mechanism versus passphrase. But after thinking about this more and more over the time I posted the question, for my needs, I will use encryption strictly for the ease of disposing hard drives without the need to wipe them, versus needing to protect the data that is on it from being compromised. I use long, complex, and unique enough passwords to protect against unauthorized access, as well as a robust firewall solution that the server will sit behind that I'm not worried about that avenue.
 

houruomu

Cadet
Joined
Nov 25, 2018
Messages
3
> I guess I was more so looking for the flexibility to use a key file only lock mechanism versus passphrase. But after thinking about this more and more over the time I posted the question, for my needs, I will use encryption strictly for the ease of disposing hard drives without the need to wipe them, versus needing to protect the data that is on it from being compromised. I use long, complex, and unique enough passwords to protect against unauthorized access, as well as a robust firewall solution that the server will sit behind that I'm not worried about that avenue.

There are actually very practical attack vectors, and thus I am also calling for this feature. Let me give 2 attack scenarios where a key file may help:
1. Imagine that your NAS is hosted at a physical location to which many of your friends could have access, and it is almost never restarted (e.g. in the computer lab). You accidentally used a passphrase which was compromised by some over-the-shoulder attack which you are not aware of, or you happen to use a passphrase which could be guessed for some reason. Using a key stored on some thumb drive, which is kept at home and brought to school only in the case of a restart, will prevent leaking of data. (similar to why banks are using 2FA auth)

2. You happen to have some data stored on the NAS in your room which your mom does not like. Now, your mom comes to your room and shouts: "Give me the passphrase! Let me see your disk". Your refusal of her request will apparently cause trouble. However, suppose you say "I need a key file to show you the data, but the thumb drive storing that file is left in my lab, so let me fetch it for you by Monday." It gives you time to think about how to deal with the problem without breaking your relationship with your mother.

---------------------------------------------------------------------
Great, I found a workaround and it has been working for me so far.
1. Take a USB drive and insert it into your FreeNAS as the "key drive", then format and partition it correctly (w/o encryption)
2. Set up a passphrase for your keys
3. Copy the entire folder /data/geli onto the key drive
4. Remove the /data/geli folder
5. Set up automount of the drive at /data/geli
6. Remove the key drive
7. Whenever rebooting is needed, insert the key drive and enter the passphrase; the key drive can be removed thereafter

For a newly set up system, only steps 5-7 are needed

Without the key drive, it is impossible to unlock the encrypted disks, so back up a few copies of the key drive
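
A pre-deletion check for steps 3 and 4 of the workaround above, as an added example that is not part of the original post or of FreeNAS: it confirms that every file in /data/geli has a non-empty, byte-identical copy on the key drive, and that the copy really sits on a different filesystem, before the local directory is removed. The mount point /mnt/keydrive and both function names are assumptions.

```shell
#!/bin/sh
# Added example: verify the key-drive copy before removing /data/geli.
# /data/geli is the key directory named in the thread; the key drive
# mount point used in the usage comment is hypothetical.

# Return 0 only if every regular file under $1 has a non-empty,
# byte-identical copy at the same relative path under $2.
# Return 1 on any mismatch, 2 if a directory is missing or $1 holds no files.
verify_key_copy() {
    src=$1 dst=$2 bad=0 count=0
    [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 2; }
    list=$(mktemp) || return 2
    (cd "$src" && find . -type f) > "$list"
    while IFS= read -r rel; do
        count=$((count + 1))
        if [ ! -s "$src/$rel" ]; then
            echo "EMPTY    $rel" >&2; bad=1
        elif [ ! -f "$dst/$rel" ]; then
            echo "MISSING  $rel" >&2; bad=1
        elif ! cmp -s "$src/$rel" "$dst/$rel"; then
            echo "DIFFERS  $rel" >&2; bad=1
        fi
    done < "$list"
    rm -f "$list"
    [ "$count" -gt 0 ] || { echo "no key files in $src" >&2; return 2; }
    return "$bad"
}

# Return 0 if both paths resolve to the same mount point. For the key
# drive this is the failure case: the drive was not mounted, so the
# "copy" is still sitting on the NAS itself.
same_filesystem() {
    a=$(df -P "$1" | awk 'NR==2 {print $NF}')
    b=$(df -P "$2" | awk 'NR==2 {print $NF}')
    [ "$a" = "$b" ]
}

# Usage (nothing is deleted by this script):
#   verify_key_copy /data/geli /mnt/keydrive \
#     && ! same_filesystem /data/geli /mnt/keydrive \
#     && echo "copy verified; safe to continue with step 4"
```

Running the same check against each backup copy of the key drive covers the last line of the post as well.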
 