Encryption of data at rest

i716

Cadet
Joined
Mar 11, 2020
Messages
9
I would like to ask some questions.

1) What is the point of disk encryption without a password? In case the storage server gets stolen as a whole, it just needs to be turned on to reveal all data to the thief. I know that there is an option to add a passphrase to the encryption of a pool. Unfortunately that is impossible for the pool on which the system dataset resides. Normally if you are using FDE on Linux (luks) or FBSD (geli) a password is required at boot time - this is the way it should behave as the data must be encrypted and stay encrypted after shutdown of the system. Why is this not possible on FreeNAS?

2) So my only option would be to create a separate pool for the system dataset (probably the boot device) and set a passphrase for each pool to get at least some kind of security. So I would like to know what kind of data is being stored on the boot device (the system dataset). I read somewhere that such data includes log files and information related to SMB shares - which is ridiculous in terms of security.

Could somebody please shed some light on those issues?
 

ixion

Dabbler
Joined
Dec 22, 2011
Messages
30
I have similar questions, especially #2. My use case is that I want to protect from physical theft.

I'm about to build a new storage pool and was planning to encrypt it, but I don't want to have to move the System Dataset to the boot pool because I use a pair of USB sticks to boot. I guess I could purchase a couple SSDs for the boot pool.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey guys,

I would not do anything like that... Pool encryption is a very high risk process for a very low gain. Should your data need to be encrypted at rest, it is better to do it in any other way.

Here, I use Nextcloud. Nextcloud and its database are both running in my ESXi server. Nextcloud is the one encrypting everything before saving it in FreeNAS. Keys are saved in the database. That way, the cryptograms and keys are never saved together. FreeNAS, the Nextcloud frontend and the database can all boot up unassisted.

For my backups, I dump the database with mysqldump and encrypt the file with OpenSSL. Only once encrypted is it transferred to the FreeNAS server. That way, for a complete restore, I need to decrypt that SQL dump with a passphrase before anything can be handled.

You can create a zvol that will be encrypted by LUKS, use any other file-level encryption tool, save a file created by VeraCrypt in any regular dataset... There are many options that are a million times safer than pool-level encryption and most of them will also offer you better protection.
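
The dump-then-encrypt backup step described in the post above, as an added example that is not part of the thread and not the poster's own script. The cipher (AES-256-CBC with PBKDF2), the iteration count, the passphrase file and all function names are assumptions; the dump is expected to exist already, for instance from mysqldump.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: AES-256-CBC with PBKDF2,
# the iteration count, the passphrase file and all paths are illustrative.
ITER=200000

# encrypt_dump <plaintext> <ciphertext> <passphrase-file>
# The passphrase is read from a file so it never appears in `ps` output.
encrypt_dump() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_dump <ciphertext> <passphrase-file>  -> plaintext on stdout
decrypt_dump() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -pass "file:$2"
}

# verify_roundtrip <plaintext> <ciphertext> <passphrase-file>
# Decrypts into a pipe (no second plaintext copy on disk) and compares.
verify_roundtrip() {
    decrypt_dump "$2" "$3" 2>/dev/null | cmp -s - "$1"
}

# backup_dump <plaintext> <ciphertext> <passphrase-file>
# Encrypt, prove the ciphertext restores, then drop the local plaintext so
# only the encrypted file is left to transfer to the NAS.
backup_dump() {
    ( umask 077; encrypt_dump "$1" "$2" "$3" ) || return 1
    if ! verify_roundtrip "$1" "$2" "$3"; then
        rm -f "$2"          # never ship a backup that cannot be restored
        return 1
    fi
    rm -f "$1"
}
# Note: `openssl enc` in CBC mode gives confidentiality only; keep a checksum
# of the ciphertext elsewhere if tampering on the NAS is a concern.
```

The passphrase file has to live somewhere other than the NAS, otherwise the ciphertext and its key end up stored together again.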
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
> What is the point of disk encryption without a password?
The theory goes that if someone were to steal disks, but not the server... or if you dispose of disks individually to a third party, the data on those disks (particularly if they were mirror-members) would be protected.

> Why is this not possible on FreeNAS?
It's coming with the new version 12 as part of the delivery of Pool Encryption from Open ZFS 2.

Until then, you have GELI with a password, inelegant as that is... or app-level encryption of data as suggested by @Heracles
 

i716

Cadet
Joined
Mar 11, 2020
Messages
9
> The theory goes that if someone were to steal disks, but not the server... or if you dispose of disks individually to a third party, the data on those disks (particularly if they were mirror-members) would be protected.
>
> It's coming with the new version 12 as part of the delivery of Pool Encryption from Open ZFS 2.
>
> Until then, you have GELI with a password, inelegant as that is... or app-level encryption of data as suggested by @Heracles

If I could use GELI that would be fine. Unfortunately, that's not the case. What I need and want is a setup that keeps all data encrypted while the system is powered down. Like LUKS/GELI on a normal Linux/BSD system.
 