Encryption, SED vs FreeNAS built in, user intervention at reboots and updates?

Status
Not open for further replies.

Morty NO

Cadet
Joined
Jul 8, 2016
Messages
5
Dear all,

Sorry if this question is a bit n00b'ish. I'm new to FreeNAS. I did read the FreeNAS docs about managing encrypted volumes, but I didn't quite wrap my head around it.

I would like to build a NAS, and I need encryption for data at rest, as the NAS contains customer data. It's a small NAS with about 2TB capacity for a small single-person home office.

I know my way around Trusted Platform Modules (TPMs) and self-encrypting drives (SED). Thus I could build a NAS which handles my encryption needs via a TPM & SEDs. This would be OS-agnostic, i.e. FreeNAS wouldn't need to do anything special.

FreeNAS has encryption built in, which I could use instead. First off, I assume that after every reboot or power cycling, the passphrase must be entered to mount the encrypted volume, to guard against theft of the entire unit. Is that assumption correct?

Next, is there a general recommendation about how to secure data at rest with FreeNAS, i.e. which solution is most commonly used and recommended?

Thank you very much! :)
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Is the encryption a legal requirement? A client's requirement? Something that you want because it's cool and/or mitigates $threat?

In the latter case, I recommend reviewing what sort of threat model you're considering where encryption of data at rest is necessary. For reference, my threat model for stuff at home is as follows:

[Attached image: Threat Models.PNG]


Encrypting data at rest safely can really suck up a lot of time, and if you screw up you jeopardize your client's data. This is not to say that all you need are strong passwords and you're good. Protecting data at rest is something like CSC 13 in the SANS Top 20, but it doesn't make a ton of sense in a small single-person home office.

http://scholar.harvard.edu/files/mickens/files/thisworldofours.pdf
 

fta

Contributor
Joined
Apr 6, 2015
Messages
148
I have no idea why people are so afraid of the geli encryption that freenas uses. It works fine and has virtually no overhead on modern hardware. It only has the minor inconvenience of having to put in the passphrase to mount the pool every time you boot. DrKK considers encrypting an entire device foolish. I consider DrKK's approach foolish. Take your pick.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I have no idea why people are so afraid of the geli encryption that freenas uses. It works fine and has virtually no overhead on modern hardware. It only has the minor inconvenience of having to put in the passphrase to mount the pool every time you boot. DrKK considers encrypting an entire device foolish. I consider DrKK's approach foolish. Take your pick.

Yeah, because you haven't hit the encryption bugs. I've personally seen 5+ users lose all of their data because of encryption bugs in the last year alone. I personally saw an encryption user go offline over the 4th of July weekend because of encryption bugs.

So DrKK's comments are totally with merit and should be strongly considered. Not many encrypt, and those that do end up doing so at their own peril since it's not well-used-and-abused code.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
I have no idea why people are so afraid of the geli encryption that freenas uses. It works fine and has virtually no overhead on modern hardware. It only has the minor inconvenience of having to put in the passphrase to mount the pool every time you boot. DrKK considers encrypting an entire device foolish. I consider DrKK's approach foolish. Take your pick.
People aren't afraid of the day to day use of encryption, it seems like disk failure/replacement is the big issue. Freenas makes it easy (unfortunately) for a user to accidentally lose their encrypted pool.

Read this from @jkh: https://forums.freenas.org/index.php?threads/10-x-encryption.38979/#post-238723
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Just for the record, my point isn't that geli encryption is bad, or that it doesn't work, or what not. I am just making a business calculus here---I think it brings almost zero realistic protection to the table, and it very, very clearly brings some risk (primarily due to endemic user incompetence, inexperience, or laziness). So I am not a fan because the calculus shows negative expected value. In my view.

But as the gentleman says, opinions vary. Mine is one voice among many, and the end user will have to ascribe whatever weight he deems appropriate to it.
 

Morty NO

Cadet
Joined
Jul 8, 2016
Messages
5
FreeNAS supports neither SED nor TPM. If this is the way you want to go you will have to use something other than FreeNAS.

Thank you for your answer. :) I have just a quick clarification, in case someone else finds this thread via a Google Search later on.

I believe you are correct that FreeNAS cannot manage TPM settings and SED keys for you, as described in the links you provided.

But I do think it's possible to install FreeNAS on a PC with a TPM, and SATA SEDs, and "ATA Security" set and managed via a BIOS boot password. In the latter scenario, the user has to enter a BIOS password on every boot, and once this is done the operating system (FreeNAS) just sees regular SATA harddisk drives, without knowing that they're actually encrypted at a lower ("hardware") level. I'm no FreeNAS expert, but this works with every other modern OS that I know of, so I do assume it works with FreeNAS too.
 

Robert Smith

Patron
Joined
May 4, 2014
Messages
270
Thank you for your answer. :) I have just a quick clarification, in case someone else finds this thread via a Google Search later on.

I believe you are correct that FreeNAS cannot manage TPM settings and SED keys for you, as described in the links you provided.

But I do think it's possible to install FreeNAS on a PC with a TPM, and SATA SEDs, and "ATA Security" set and managed via a BIOS boot password. In the latter scenario, the user has to enter a BIOS password on every boot, and once this is done the operating system (FreeNAS) just sees regular SATA harddisk drives, without knowing that they're actually encrypted at a lower ("hardware") level. I'm no FreeNAS expert, but this works with every other modern OS that I know of, so I do assume it works with FreeNAS too.

ATA Security in practice has been geared towards single disk laptops, and not developed much in recent years.

Instead, Opal and its enterprise and vendor implementations (TCG-E, eDrive) are gaining traction, which tie in more on the management software side.

Motherboard support for these new frameworks, if any, will likely be UEFI based.

Some host bus adapters support some self-encrypting drives in integrated mode; but this does no good for FreeNAS, as FreeNAS needs direct access to disks.
 

fta

Contributor
Joined
Apr 6, 2015
Messages
148
Yeah, because you haven't hit the encryption bugs. I've personally seen 5+ users lose all of their data because of encryption bugs in the last year alone. I personally saw an encryption user go offline over the 4th of July weekend because of encryption bugs.

Prove it.

Now that I've challenged the status quo, let the condescension begin!
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Prove it.

Now that I've challenged the status quo, let the condescension begin!

I don't have to prove anything to you. How the hell would you even *want* me to prove it, assuming I could?
 

JoshDW19

Community Hall of Fame
Joined
May 16, 2016
Messages
1,077
We've used GELI encryption in PC-BSD with pretty great success. I can't argue any of the more technical points with you on why it's failed for some customers, cyberjock, but I can tell you we have PC-BSD systems in production that have used it for years with no problems. One way you can show proof, Cyberjock, is by showing tickets that demonstrate the behavior you are speaking about. Let's make sure these tickets that show GELI encryption is causing a lot of bugs / problems are pointed to the proper devs and I'd encourage you to loop in Kris Moore so we can get these knocked out quick. It's not a bad thing for someone to ask for proof in my opinion if someone is offering a technical opinion on a subject. Ad hominem attacks / flaming someone for disagreeing is a logical fallacy. Let's keep the discussion constructive and work on improving FreeNAS if this is indeed a substantive issue everyone :).
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
The problem isn't that geli is broken or anything. The problem is that the FreeNAS middleware isn't well maintained with relation to encryption.

The tickets that I have are internal iXsystems tickets. So as I said, I have nothing to prove and have no intention of making internal customer data public.

Edit: And to be frank, if you're going to need me to "prove myself" with something as silly as encryption, you should simply add me to your "ignore" list so you never see my posts, because clearly you should simply ignore *everything* I say. If you're going to decide I'm an idiot or say things that are totally baseless, you can't be discriminatory about what I say. Either I'm an idiot or I'm not.
 