Research: Reliable file encryption with NAS drives?

[leeteq]

I am researching to find other's experience with using file encryption with NAS drives. Do you have any such insight and/or experience? With which "configuration" or "tools set"?

I am looking for information about the following:

1. Reliability related to working directly (one-by-one user per file) with encrypted vaults stored on the NAS, for example using TrueCrypt or SafeHouse software. What are the chances of corrupted archives if either there is a network error during a write operation, or any other reasons.

2. If using NTFS, is Windows' built-in file encryption reliable? (any reason it might not be possible?) That would only work for one-by-one user, I assume, meaning that users could only access their own encrypted files? What are the options of encrypting either the whole drive or just selected folders AND using user groups to both give access to more than one user AND let more than one user access the same folder simultaneously? Is this easier/possible on NAS drives that are using Linux OS and Linux file system?

Which software/tools/configurations are needed?

Any pointers or advice or thoughts are highly appreciated.

 

[sub mesa]

1. ZFS with crypto support (Beta)
2. G_ELI encryption on FreeBSD/FreeNAS
3. cryptfs on linux
4. encrypted image files on the NAS (like Truecrypt like you said)

In order of preference.
G_ELI would be the fastest if you have a quadcore CPU. Others are much less fast.

 

[leeteq]

Thanks for the pointers.

Anyone got "roughly credible" clues about when ZFS with crypto support might come in stable release? Weeks or months ahead or next year or what?

 

[sub mesa]

Within one year i'd say, its in beta quality right now but they changed some fundamental stuff which causes delays. I wouldn't be surprised though the merging to begin this year still.

But you can also use GELI for encryption, if you are choosing FreeBSD. GELI has the advantage of using all CPU cores for encryption, where ZFS will use only one (single threaded). So there's a large performance difference between two solutions. Eventually zfs-crypto might have multithread support, but i asked one of the devs and he doesn't see it happening it anytime soon. Though this is already six months ago since i asked.

 

[leeteq]

OK, thanks a lot for your information.

I assume that the user/group handling done by FreeBSD on the NAS drive is independent of users/groups on the personal computer(s).

How is the authentication handled?
Does the GELI/FreeNAS/FreeBSD solution require some software to be installed on each client computer that will access the NAS drive, for example Windows PC's, in order to identify the user?

I am reading up on this, some references:
http://en.wikipedia.org/wiki/Geli_(software)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/current/2006-06/msg00122.html

 

[sub mesa]

Depends on how you wish to access your data. Usually if Windows is involved, the SMB/CIFS protocol is used. This is the windows filesharing protocol, and can turn FreeBSD or Linux into a fileserver that works with windows. The program that makes this work on FreeBSD and Linux is called Samba.

After setting up, simply go to your windows station, open a explorer window and type "\\10.0.0.15" in the address bar, changing the IP to the IP of the FreeBSD server. You get an authentication (username/password) dialog, if that is accepted you got permission to the volume. You can even mount the volume as a drive letter in Windows; for example X:\ or Z:\. If you reboot, simply click your Z: drive, then it will ask you for the password and it gets mounted. Pretty simple.

However, that authentication is only for the network access; the actual encrypted data needs to be open for this to work. Normally, the real password is entered when you mount your encrypted drive. This is something that you should do after rebooting the FreeBSD system, so you can access the encrypted data again. Accessing this goes like:
geli attach /dev/ad0s1

You can also combine GELI encryption with Journaling, striping, mirroring, RAID3/5 and JBOD configurations. Check up on geom modules to learn more, for example the wiki:

http://en.wikipedia.org/wiki/Geom

 

[sub mesa]

Anyway checkout FreeNAS, you can try it for yourself in a VM like the free Virtualbox, to see how it works and what features it has. If it can do what you want, you can set it up for real without the VM.

 

[leeteq]

Wow, thanks, splendid info

Ok, so if I understand this correctly, the encryption is done only within (by) the administrator user in FreeBSD:
When someone is authenticated from another machine, the data is encrypted and decrypted with the local/internal FreeBSD administrator user and transferred over the network using the user which the computer is logged onto the NAS drive with..?

Following that logic (correct me if I am wrong):
Is the encrypted volume in any way tied to that administrator user?
I hope it is not. As with for example the built-in encryption in Windows OS, if a user gets corrupted or the like, the encrypted archives are lost (impossible to open with another user account, regardless of if it is the same user name and password for a new user).
Can "user account corruption" happen in FreeBSD in this setting? If so, would it have any impact on the access to the encrypted volume?
If so, is it so that one should perhaps foresee this and create spare admins, a group they share, and give that group access to the encrypted volume, so that it would be possible to get around such a situation?

Can there be more user accounts, admins and groups within this version of FreeBSD on a NAS, or is that irrelevant in this setting?

 

[sub mesa]

Some answers:

1) in the GELI example, it would need to be opened by the root user (or via web-interface in the case of FreeNAS; which i recommend you use because its so easy to setup and try if it works). Once the passphrase is entered, the device is kept open for all network access. You can define network access with user access control independent of the encryption. The encryption works on the whole drive/volume so not parts of it. Either its open/unencrypted or its closed/encrypted.

2) this kind of encryption does NOT protect against hostile action against a running machine with the encrypted volume opened. It could even know your passphrase by looking in the RAM. Although this isn't as simple as it sounds, this kind of protection is usually aimed at COLD machine state; when its powered down.

3) Any 'configuration' of GELI or another GEOM-layer is stored on the disks themselves. So this kind of thing is 100% hardware independent (you could clone the disks and still it should work) while not requiring any configuration file on the system disk. So if you would give me your disks and only your disks (not the system disk) and give me your password, i can access your data i don't need anything else. So its very portable and safe.

4) all kinds of user access control works independent of the encryption. Any access control you want to do is likely to be happening on the Samba-layer (at the level of the SMB/CIFS filesharing protocol).

 

[leeteq]

Ok, great. Might be what I am looking for.

How are security updates handled in FreeNAS? (For example for Samba, for the OS itself, etc.). I am vaguely aware of a "ports" system in FreeBSD that is supposed to handle system updates somehow similar to how "apt-get" works in Linux. Does FreeNAS have such features? I assume that one can configure it so that it is done only manually, not automatically/scheduled?

Some references:

[HOWTO] FreeNAS Firewall Configuration.
http://sourceforge.net/apps/phpbb/freenas/viewtopic.php?f=18&t=462

http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html

m0n0wall and Freenas on the same box?
http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/Q_23954007.html

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports.html
http://www.lpthe.jussieu.fr/~talon/freebsdports.html