I am currently setting up my NAS, which is running Ubuntu Server, with one SSD for the OS and a RAID 5 HDD array. I'd like the RAID array to be encrypted in a manner that still allows it to be accessible in a convenient manner.
The data needs to be accessible over the network with Windows and Linux clients from one user, so I was thinking I could use SMB. But how do I realize the encryption part? Encrypting individual files is too inconvenient; instead, I would like an authorized user to access the files plainly. Full disk encryption would at least require SSH access to unlock the HDD after a reboot - again, not very convenient. Is there a way to have full disk encryption and unlock it with the credentials of the SMB user?
Encryption is never that easy. If it is, it's completely useless. If the adversary need only power on the system in order to gain access to the cleartext, then there is essentially no point in encrypting it. What specific type of adversarial action are you trying to prevent? – Frank Thomas – 2018-04-13T15:20:53.310
Theft mostly - I don't want to store my most important and private data plainly on unencrypted drives. – Andreas Hartmann – 2018-04-13T19:14:30.383
See, that's the problem. If someone steals your NAS, and it's set to automatically unlock on boot, then they won't have any trouble accessing your data. Keep in mind that FDE systems unlock at mount time, not before or after, so it's either at boot, or the user is mounting on demand, which would generally require some kind of system-level access like SSH. You can't "share" an unmounted resource, so no, SMB usage could not mount an FDE disk for on-the-fly decryption. – Frank Thomas – 2018-04-16T13:55:15.447
Why can't I have it never unlock, and instead have it transfer the encrypted data to the client which then unlocks it with its credentials? – Andreas Hartmann – 2018-04-16T19:04:42.573
Similarly to how I would do it with per-file encryption, but more convenient. I'm aware that file-system-level encryption isn't going to work in this situation. – Andreas Hartmann – 2018-04-16T19:05:44.637
Because an encrypted volume is one big binary file until it's decrypted and a filesystem becomes visible inside that file. To do as you suggest with volume encryption would require the entire volume to be sent to you and decrypted on the client. Even if you used some other encryption paradigm, SMB would have to be modified to actually perform as you expect. – Frank Thomas – 2018-04-16T19:23:58.863
Perhaps your best bet is to create an encrypted volume file (like a TrueCrypt .Tc file) and store it on the share. Then the client can open up TrueCrypt (or VeraCrypt or CipherShed or whatever) on their end, and open the file in it. I do that with my most sensitive info. That way the volume remains encrypted until I open it via my client software, but the file is still accessible via SMB. – Frank Thomas – 2018-04-16T19:26:04.820