Theft-proof device

Status
Not open for further replies.

lorchi

Dabbler
Joined
Jun 20, 2016
Messages
25
Hello,

I want to set up a NAS that should be theft proof. This means I want to use encrypted disks, and - as long as there are not any alternatives I might not be aware of - entering a passphrase shall be necessary after either:
- case intrusion
- power outage

What is the current support in FreeNAS for these scenarios?
Is the chassis intrusion event supported?
Is it possible to enter a passphrase remotely (WAN)?

Thank you in advance!
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
I want to set up a NAS that should be theft proof. This means I want to use encrypted disks, and - as long as there are not any alternatives I might not be aware of - entering a passphrase shall be necessary after either:
- case intrusion
- power outage

What is the current support in FreeNAS for these scenarios?
None that I am aware of

Is the chassis intrusion event supported?
None that I am aware of; perhaps check the system BIOS or get yourself a padlock? Some BIOS/BMC/IPMI can/will provide Event Logs for this sort of thing, so perhaps consider some type of Notification?

Is it possible to enter a passphrase remotely (WAN)?
I guess if you configure a "Start" PW in the BIOS, you could then VPN into the Network, connect over BMC/IPMI, open a KVM Session and then type in the required PW...

Perhaps if you described what you are trying to accomplish a bit more we could possibly give potential solutions. Either that or simply tell you that you are expecting too much from FreeNAS itself. ;)
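One way to act on the event-log notification idea raised in the reply above, as an added example that is not part of the original post: a parser that picks asserted chassis-intrusion entries out of a BMC System Event Log. The sample lines are constructed, and the pipe-separated layout is assumed to match what `ipmitool sel list` prints; sensor names and wording vary between BMC vendors.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the pipe-separated layout of `ipmitool sel list`.
SAMPLE_SEL = """\
   1 | 06/20/2016 | 08:14:02 | Power Supply #0x70 | Power Supply AC lost | Asserted
   2 | 06/20/2016 | 08:14:40 | Power Supply #0x70 | Power Supply AC lost | Deasserted
   3 | 06/21/2016 | 23:51:17 | Physical Security #0xaa | General Chassis intrusion | Asserted
   4 | 06/21/2016 | 23:58:09 | Physical Security #0xaa | General Chassis intrusion | Deasserted
   5 | Pre-Init Time-stamp   | Temperature #0x01 | Upper Critical going high | Asserted
"""

@dataclass(frozen=True)
class SelEvent:
    record_id: int
    when: datetime
    sensor: str
    description: str
    asserted: bool

def parse_sel(text):
    """Parse SEL lines, skipping rows without the expected six columns or a valid timestamp."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            continue  # rows without a separate date and time column
        rec, date, clock, sensor, desc, state = fields
        try:
            when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
            # Record IDs are printed in hexadecimal.
            events.append(SelEvent(int(rec, 16), when, sensor, desc, state == "Asserted"))
        except ValueError:
            continue
    return events

def intrusion_alerts(events, last_seen_id=0):
    """Return asserted chassis-intrusion events newer than the last record already reported."""
    return [e for e in events
            if e.record_id > last_seen_id
            and e.asserted
            and e.sensor.startswith("Physical Security")
            and "intrusion" in e.description.lower()]

if __name__ == "__main__":
    for e in intrusion_alerts(parse_sel(SAMPLE_SEL)):
        print(f"ALERT record {e.record_id}: {e.description} at {e.when:%Y-%m-%d %H:%M:%S}")
```

Persisting the highest reported record ID between runs keeps a scheduled job from re-sending the same alert.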
 

lorchi

Dabbler
Joined
Jun 20, 2016
Messages
25
Thank you for your reply!

What I want to achieve is that the data be completely useless in case the NAS gets stolen. Some of the data is sensitive. I want to continue to sleep well in case it happens. It's not too likely, but there is some likelihood for robbery here in Berlin where I live, and the box might end up on some black market.
The scenario for the chassis intrusion is, if I think about it, rather out of curiosity, which would be another case in which the key would need to be re-entered - much like a reboot I suppose. It's just some alarm pin in the end that could trigger it.

Second, I am traveling regularly. I want to protect myself from being locked out remotely after a power outage. It's not likely either, but possible (there are some construction works from time to time in the century old building and street). Therefore I would like to know the ways to re-enter the passphrase remotely.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
*** This is just my opinion...

I actually considered using FreeNAS Encryption at one point, but avoid it since I have seen too many problems regarding that on these forums. Now, I am sure another contributor may chime in and say I am crazy, but that is just me.

I would say that if you do have vital/sensitive/FOUO data then consider making a separate folder/dataset that is using a 3rd party Encryption tool AND have it backed up to a secure location in the Cloud. I believe @gpsguy mentioned VeraCrypt so maybe he will chime in about that (I don't have any experience with it).

I am unsure if there is support for Encryption in FreeNAS 10, might be but I don't truly know, so that should be taken into consideration.

Second, I am traveling regularly. I want to protect myself from being locked out remotely after a power outage. It's not likely either, but possible (there are some construction works from time to time in the century old building and street). Therefore I would like to know the ways to re-enter the passphrase remotely.
Yeah, so if your BIOS does support the option to "Power On" after power loss, then it would do that itself. However, if it supports IPMI and you have a VPN Solution in place (outside of FreeNAS since it will be off anyways) you can easily do like I mentioned by VPN'ing in and connecting to IPMI. From there you can "Power On" the Unit as well as open a KVM Session to enter the PW that you set in the BIOS (if capable) so the unit will proceed to power up. If you are going to that extreme, you should set a BIOS PW too.

What I want to achieve is that the data be completely useless in case the NAS gets stolen. Some of the data is sensitive. I want to continue to sleep well in case it happens. It's not too likely, but there is some likelihood for robbery here in Berlin where I live, and the box might end up on some black market.
TBH, if someone has physical access to your system all bets are off. It is doubtful that they would be after your data (which you still could encrypt as mentioned above), but would simply wipe your system for sale/usage anyways. Also, they could simply disconnect your network cables and you are still SOL if trying to access it remotely.

If this is a major issue/concern then perhaps consider "Co-Locating" your Server with a reputable Hosting Company. Sure you will pay more, but it would assist in eliminating a lot of concerns regarding physical access... *** Of course then considerations would need to be made to not have FreeNAS as the direct "Internet Facing" unit... ;)
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472

fta

Contributor
Joined
Apr 6, 2015
Messages
148
- case intrusion

I don't believe there's a built-in way to do this.

- power outage

This is supported. If your server reboots, you'll have to enter the passphrase to mount your pool.

Is it possible to enter a passphrase remotely (WAN)?

As long as you have access to the GUI, yes. I have VPN access to my network, which allows me to get in to the GUI from anywhere.
 

lorchi

Dabbler
Joined
Jun 20, 2016
Messages
25
Using 3rd party encryption is a valid proposal. I will think about it.

I am considering the ASRock E3C236D2I mobo with IPMI. It also has what they call "Restore on AC/Power Loss".
Okay, so that's good to know. I have never used KVM before, and will need to read how this works. What do I need at the client side?

But an SSH session should work as well I suppose?
It is doubtful that they would be after your data
I agree. But if it's "just a passphrase" to enter, it would be an almost "free lunch".

I will try to find the others' experiences (as you mentioned).
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
I use what? Truecrypt/Veracrypt? Yes, religiously.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
I use what? Truecrypt/Veracrypt? Yes, religiously.
Would you like to describe your setup?
What sort of client are you using (can it be run directly on freenas jails?)
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
I am afraid I don't exactly understand what people are asking. I assume it has something to do with "what does DrKK do for encryption". So let me answer that.

99.91% of my data, at least on a per-megabyte basis, is either not sensitive at all, or only mildly sensitive. Therefore, the whole setup is protected by the usual, more-than-enough, nerd vigilance, in that my WAN gateway, my routers, any wireless ingress, etc., is all locked down to an extent that it will thwart any bot- or script-kiddie-driven hacking. I am a strong believer that the 0.0001% marginal gains that nerds do with their security posture actually DECREASE their security. I think standard measures:
  1. Minimizing the number of services forwarded through the WAN gateway
  2. Not running anything on standard ports
  3. Using a minimum of WPA2 with AES for any wireless
  4. Allowing only certificate-based SSH authentication, rejecting password authentication
  5. Regularly checking logs, manually
  6. Any services that must be opened to the WAN run in fascistly locked down jails (see also 2 above)
  7. Not letting anyone on my LAN that does not have at least my level of knowledge and understanding (I am less concerned about malicious LAN users, than I am about incompetent LAN users who bring malicious devices on to my LAN unknowingly due to incompetence).
more or less keep your home FreeNAS completely safe from "hackers" whatever that means (it usually means bots written to probe for vulnerabilities that morons leave wide open).

For the few things I have that must be fully resistant to data lossage to an adversary (tax returns, videos of me with cyberjock's mom, copies of passports, videos of Jordan with cyberjock's mom, etc), I simply create a TrueCrypt folder (not even Veracrypt), and store it in there. I assess that--generally speaking--TrueCrypt, with a strong password, is perfectly secure even against the most potent of adversaries, notwithstanding bullshit conspiracies. (Veracrypt is better than TrueCrypt only primarily in the sense that the way the hashing works, even a weaker, semi-guessable password will be prohibitively expensive to guess in most cases). But if your password is BallsShit1029NiShiShaGuaAnusAnusAnus0xDEADBEEFCyberj0ck'sm0/\/\ then you are in good hands with TrueCrypt 7.1a in my humble opinion.


And that's it. I would *NEVER* encrypt a whole device, or a whole filesystem. That's just foolish (I would of course allow the exception that an employer might be required by law or policy to encrypt the filesystem). First of all, as a percentage of bytes, very very very little of our data is worth even protecting, is it not? And even so, against whom would massive encryption protect me? Rajiv in the Western Digital RMA center in case I have to RMA a drive? What, Rajiv is going to:
  1. give a shit about my drive
  2. even know what ZFS is
  3. now, giving a shit, and knowing what ZFS is, is going to mount the filesystem somehow with one device?
  4. and given all of that, is going to find something he gives a shit about?
You see, for me, such a Rajiv probably doesn't exist. Such a person is doing much more interesting things in his life than fondling my drives upon RMA, no? And for the guy that breaks into my house and steals my NAS? If that guy even knew what a NAS was, he wouldn't be stealing shit. And if the guy he sells the stuff to has any interest at all in anything besides wiping and reselling the drives, I'd be surprised. So there's just no threat surface. And if a state-sponsored actor is after your data? Then you're screwed anyway. So....what's the point?

Thus, by encrypting an entire device at the filesystem level, I *substantially* increase my risk of data loss due to either accident or incompetence, and I do not necessarily reduce my risk of data spill in any meaningful way (since the threat surface is already thin). So there is a tremendous uptick in risk that you *create* by encrypting your pool, which is not matched by a corresponding increase in security, in my view. So that's why I don't do it.

But I of course see absolutely nothing wrong with a TrueCrypt encrypted "file container", and just storing that as-is on the NAS, for the presumably small amount of data that requires that kind of protection that each of us has.

That is, in fact, what I do. I have the following things in encrypted file containers:
  • Firefox profile
  • Thunderbird profile
  • Pidgin profile
  • Tax documents
  • Passport scans
  • and similar.
That's about it. The rest of my NAS is completely unencrypted, and I feel completely fine about that.
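The remark in the post above about how the hashing makes a weaker password expensive to guess comes down to the key-derivation iteration count. The following is an added example, not part of the original post: it derives a key with PBKDF2-HMAC-SHA-512 at two iteration counts and estimates the average search time for a password of a given entropy. The iteration counts are taken as the documented defaults for non-system volumes in TrueCrypt 7.1a and VeraCrypt and are assumptions here, as are the guesser speed and the 40-bit entropy figure.

```python
import hashlib
import os
import time

# Default PBKDF2 iteration counts for HMAC-SHA-512 on non-system volumes,
# per each project's documentation (treated here as assumptions).
TRUECRYPT_ITERATIONS = 1_000
VERACRYPT_ITERATIONS = 500_000

def derive_header_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 64-byte key from the password, as a volume-header KDF would."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock cost of testing one candidate password on this machine."""
    salt = os.urandom(64)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_header_key("constructed-sample-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def average_search_years(entropy_bits: float, iterations: int,
                         hmac_per_second: float) -> float:
    """Expected years to find a password of the given entropy (half the space searched)
    for a guesser able to compute hmac_per_second HMAC-SHA-512 operations."""
    guesses = 2 ** (entropy_bits - 1)
    seconds = guesses * iterations / hmac_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    for name, n in (("TrueCrypt", TRUECRYPT_ITERATIONS),
                    ("VeraCrypt", VERACRYPT_ITERATIONS)):
        print(f"{name}: {seconds_per_guess(n) * 1000:.2f} ms per guess on this machine")
        # Hypothetical guesser at 1e9 HMAC/s; 40 bits stands in for a weak password.
        print(f"  40-bit password: {average_search_years(40, n, 1e9):.3f} years on average")
```

The cost scales linearly with the iteration count, so the same weak password takes about 500 times longer to search under the higher setting, while a long random passphrase is out of reach under either.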
 