How would i Encrypt RAID1 NAS?

Toggle sidebar Toggle sidebar
chris_shadez

chris_shadez

Distinguished
Oct 22, 2013
652
1
19,565
Have a NAS drive 1TB ;http://buffalo.nas-central.org/wiki/Category:LS-WXL
It's an enclosure with 2x 1TB SATA's, one being mirrored as it is RAID1
I usually Backup/Format/Encrypt/Transfer back data but never done so on a RAID or a NAS attached to a network with pc's ranging from XP-Win7-Win8 in the office, so don't know how it works

Have DiskCryptor which says it doesn't require drive to be formatted, would i be able to just encrypt each of the mirrored drives and be done with it?

Or would it be best i purchase another 1TB SATA, encrypt it, clone one of the NAS drives and replace it with the new cloned & encrypted drive? (I do have a Cloning HDD Caddy)
 
Solution
Tom Tancredi
Windows comes with encryption if your using PRO/Business Editions FYI. The problem with the NAS is, if it doesn't have the encryption 'onboard' the hardware, it doesn't know what to do / what it is and can cause the RAID to break (the High Risk I mentioned). As the link I provided gave a example and as there is other examples out there, you could encrypt a 'folder' on the NAS using several encryption software solutions and only the key inputted by the user would be successful in penetration even if the NAS was stolen. I would suggest if there is a high risk of theft that the location of the 'hardware' be secured down physically as well.

Numerous steel locks (unless your a targetted specific company) and cabling is fine for normal...
Sort by date Sort by votes
Tom Tancredi

Tom Tancredi

Judicious
May 9, 2013
4,999
0
32,960
Personally I wouldn't do this at all. The problems your running into being in the situation you have is HIGH RISK of FAILURE of the RAID itself. See RAID in itself (as your probably aware) writes the data across multiple drives, even if you just have it as a mirror (RAID 1), so there isn't just 'one drive' with data you can hook up to any old computer and 'read it'. It has to have exactly the way it is right now (these exact drives as configured) to work. Adding Encryption enhances the risk 1000 fold AND greatly slows things down. Further ONLY the systems with the right 'key' can access the drive, in some 'software' cases you actually have to install the software on each 'user' computer that will connect for it to 'decrypt/encrypt' the data. So you having it on YOUR computer just shut out everyone else.

If your at this level (RAID or a NAS attached to a network with pc's ranging from XP-Win7-Win8 in the office needing Encryption) it is time to reinvest in a better, more RELIABLE, less RISK (total loss of the data) solution. You should invest in a RAID 5 Array with HARDWARE LEVEL ENCRYPTION. This is much more secure and reliable, as the hardware itself is encrypting the software at the RAID device, rather then 'across the wire' from the user machine to the RAID and back again to verify the data was received and de/encrypted. Also having a multiple drive RAID means that if one drive fails, you can 'hot swap' the drive out and the RAID will self heal the new drive when inserted with NO DOWNTIME, as compared to your RAID 1, if the drive fails, then the RAID is unusable until it has time to be shut down, replaced, and then recopied over - all time the data is inaccessible. Lastly RAID is very susceptible to variance, that is something 'jolts it' the wrong way (encrypting / decrypting, power surge / drops, etc.) can cause the RAID to corrupt and 'break' losing everything inside the 'RAID container' which is NOT recoverable in ANYWAY due to how the data is store 'here and there and there and here' on the fly.

Here is just one quick Google suggestion http://www.micronet.com/products/raidbank5.html
 
Upvote 0 Downvote
B

boosted1g

Titan
Jun 12, 2013
14,846
8
74,965


I could have sworn you can read a drive from a RAID 1 array just fine if you removed it from the array. Any other RAID no, as the data is striped across many drives. If I am correct then software enctyption on a RAID 1 is no harm no foul, now for all other RAID then yes it is asking for poblems.
 
Upvote 0 Downvote
chris_shadez

chris_shadez

Distinguished
Oct 22, 2013
652
1
19,565
Nice detailed info there. Purchasing a RAID 5 is way out of possibility here.
My uncle owns a Financial Advisory firm, He saw the risk of non encrypted drives and so wants this RAID1 NAS drive encrypted, I'm the only IT 'techie' he knows who did penetration testing and so wanted me to encrypt the NAS, as i did with his laptops.
Thought it would be just as simple as a laptop drive but did not realise it was a RAID1 the enclosure was housing, firstly, didn't want to encrypt it through my linux 'Kali' tools as i knew there would be issues with it communicating with other Microsoft OS systems.
DiskCryptor is the only windows encryption I've used lately and found it could not locate a networked drive firstly and realised there may be issues with it being a mirrored duo.

The small office setup:

Office is a 3 storey house, fully Ethernet wired, wall jacks in all rooms.
Router / Ethernet switchboard / RAID1 NAS Drive are in a locked room out of sight.
NAS drive is regularly backed up to other portable drives, in case of NAS failure
Wifi is as secure as required

He wants data onsite to be protected in case of burglary, they could use a bootable linux disk to access an unencrypted pc (bypass windows login password) and access the unencrypted drive (bypass its standard login user/password), as i demonstrated with a bootable Kali pen drive

...encryption sorted the towers and laptops but NAS drive vulnerable by the ethernet wall jacks (it is a known IFA building, so it would be considered a possible threat to secure)

So what would be the best solution for encrypting this NAS? Preferably not but RAID1 can be removed if required - if possible.
The drive does have a female usb port, assuming a male to male usb cable would connect it to a pc if need be

Note: Got rid of the XP systems today, will replace them with a win7 towers, All systems in use are now Win7+8
 
Upvote 0 Downvote
Tom Tancredi

Tom Tancredi

Judicious
May 9, 2013
4,999
0
32,960
Windows comes with encryption if your using PRO/Business Editions FYI. The problem with the NAS is, if it doesn't have the encryption 'onboard' the hardware, it doesn't know what to do / what it is and can cause the RAID to break (the High Risk I mentioned). As the link I provided gave a example and as there is other examples out there, you could encrypt a 'folder' on the NAS using several encryption software solutions and only the key inputted by the user would be successful in penetration even if the NAS was stolen. I would suggest if there is a high risk of theft that the location of the 'hardware' be secured down physically as well.

Numerous steel locks (unless your a targetted specific company) and cabling is fine for normal theft stopping (remember they are under the clock, the longer it takes the more likely they will be caught, so they normally are 'smash and grab'). Next would be a open steel meshed case, so the equipment is both visible (cameras), locked away from any access, and yet still 'breathe' and not overheat. This also is true for all the computers themselves, encrypted or not, they are MORE likely to just 'pawn them' then anything else not caring about data intrusion (again unless specifically targeted for Espionage). The same 'steel' case cane be put around the computers cases themselves as well, drilled into the furniture, and thus would need (like a ATM) to carry the whole thing out to 'steal' a computer.

Assigning Laptop would be more economical and secure, as the normal business process would be to unplug them all and then secure them in the vault, safe, cage, etc. Also would keep your Uncle 'modern' as many 'customers' may wish a 'in person' or other 'locational' visit, which then your Uncle and staff isn't 'hindered' being tied to a desktop and can carry their information with them for the client.

Physical threat analysis is limited, as there comes a point to the cost vs benefit ratio depending how hardcore you want to go. Like for example what is the point of having WIFI if your hardwired everyone? Personally this is where benefit crashes into cost, as the ability of the 'mobile workforce' and being able to just 'pick up' a laptop and walk it into a conference room with a client is MORE business savvy then being 'tied down' to a wired connection (and much less likely to cause the wired port constant plug / unplug breakage).

I see where your trying to help, and as a Engineer, I seen wonderful stuff provided, but when it comes to 'customer service' and 'doing business' there is a crux point one needs to balance between the 'absolute security' you COULD do, and what security you SHOULD do.
 
Upvote 0 Downvote
Solution
chris_shadez

chris_shadez

Distinguished
Oct 22, 2013
652
1
19,565
Thanks for the detailed info and pointers
All laptops and portable drives are taken with staff when premises is vacant. They've made alot of changes since I came in, such as more all wired systems with the help of network switches, locked room for router/nas, individual passwords opposed to same for all and etc...
They're just struggling to move sensitive data to cloud on budget due to IFA regulations etc so were eager to encrypt the nas but thing will move on soon.
Appreciated the time for detailed replies =)
 
Upvote 0 Downvote
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom