Encrypt NAS or not?

mrex

Occasional Visitor
I have a WD My Cloud DL2100 NAS, and I have encrypted the volume and set it to automount at boot.

DL2100 (2x4tb)
raid1
volume encrypted
- automounting (because the device is scheduled to start up and shut down daily)

1) Is there any point in using encryption at all? If someone hijacks the device, he can reset the admin password (needle reset from behind the device) and hence get access to all shares. Does the encryption only mean that if someone takes the hard drives with him, he cannot access the media because those hard drives aren't connected to the same device anymore? If someone is going to steal the hard drives, I'm pretty sure he is going to take the whole device with him, not only the hard drives...

2) And that leads to the second question: what if the DL2100 breaks or malfunctions in some other way someday and the device needs to be replaced or the system needs to be reset, can I still access the hard drives? I do have the encryption password and I downloaded the preshared encryption key too.


Because the admin password can be reset so easily just by pressing the reset button, it makes me wonder whether there is any point in using encryption...




Sent from my iPad Air 2 using Tapatalk
 
Hi,

To me it sounds quite useless to have the internal encryption enabled.
I can only imagine one situation where it makes sense: You remove the drives and sell them, but you are not able/willing to erase them. In this case you are safe as the drives are not readable outside of the WD NAS enclosure. ;)

But there is also a downside: You are also not able to read them outside of the WD NAS if the enclosure is broken... :rolleyes:

I have a self-made NAS with 36 TB at home (yes, it's gross, but still a lot) and I do the opposite: All devices are pure Linux formatted and can be removed, read and written outside of the NAS, and put back into it. I only need to run the Parity/Sync creation (which happens anyway each night) to protect the data against drive failure.

My approach allows me to move drives in/out of the NAS as I need and to always have access to the data even if the NAS enclosure is broken. :)

With kind regards
Joe :cool:
 
Thanks, I just changed the configuration to a normal RAID1 mode, because the encryption, as it is now, is useless (you can reset the admin password) and I have had two system failures, so I guess I don't want to lose access to the drives...

I have to find another way to encrypt some data...


Sent from iPhone 6S+
 
I'll ask the silly question: why encryption vs user authentication?

If you're concerned about someone with physical access to the drives reading the data, why not implement some security? That is, put the NAS in a locked cabinet / room?
 
I encrypt sensitive personal info using SafeHouse software and that virtual disk is stored on the NAS. One click to mount and open.
I prefer not to use the NAS' encryption for many reasons.
 
I'll ask the silly question: why encryption vs user authentication?

User auth works only for shares on the DL2100, and the admin can access all data on the device. The problem here is that the admin password can be reset just by pressing the reset button. So yes, it should be put in a locked, safe place.

At the moment I'm using another external hard drive for data that needs to be encrypted. The DL2100 supports only whole-volume encryption. I wish they would add a function in their software to make a separate vault-type file with a password. Now you need to use 3rd party software for that.

The DL2100 is a neat NAS for a consumer device, but the security is another thing...



Sent from my iPad Air 2 using Tapatalk
 
I use the free version of
http://www.safehousesoftware.com/
on my PCs.
This software creates and manages a single file that is a virtual disk. Mine is 1GB which is large enough for all my private information (financial, medical, etc.). That file (drive) is stored on my NAS and gets backed up as any other file on the NAS.

With the safehousesoftware installed on my PCs, it is one click to mount the drive and a pop-up to enter the password. That done, there's a new drive letter (Windows) which is that virtual disk. Drag/drop and all the usual operations work to/from that drive. When I'm done, I close the session window and the virtual drive is closed and unmounted. I don't keep it open unless I'm working on a sensitive file.

The vast majority of the files on my NAS are not sensitive and not encrypted - as there'd be no impact to me if these files were stolen. Of course, my NAS requires a password to access anything, and remote access uses SSL (I bought a certificate for it.)

The software listed above is free. There's a low cost pay version with more features, none of which I need.

The one file that is the encrypted drive is easily copied to, say, a thumb drive. I do that as an extra backup.

I tried 3 other similar open source and not-free equivalents but this software is stable and quick/easy to use.
 
Thank you! I'll have to check it out if I can't get VeraCrypt to work well enough.

I'm using VeraCrypt right now, but it is a resource hog, I think. I haven't yet tried to move an encrypted file to the NAS, but I moved it to a USB hard drive connected to the router, and in this case it doesn't work well. So many errors come up when trying to move files to the container. I'll try later to move the container to the NAS to see if it works better then.

I have containers from 1GB to 50GB.


Sent from my iPad Air 2 using Tapatalk
 
Did you follow me that SafeHouse Software does not encrypt each individual file... it encrypts a virtual drive. Better choice for me.
I do have some few files that I encrypt at the file level, simply using WinZip and AES. But those are few.
 
Using a service or software addon concerns me as I would be vulnerable if that entity were to cease to exist. Right? A few years ago wasn't TrueCrypt thought to be the perfect solution for scenarios like this?

Not perfect but I prefer to have multiple users set up on my NAS4Free with different passwords and levels of permissions.
 
Using a service or software addon concerns me as I would be vulnerable if that entity were to cease to exist. Right? A few years ago wasn't TrueCrypt thought to be the perfect solution for scenarios like this?

Not perfect but I prefer to have multiple users set up on my NAS4Free with different passwords and levels of permissions.
That's one reason why I don't use a service. Others include cost, slow speed due to my ISP's uplink, and risk of data exposure or loss from disgruntled employee/contractor.

All the good commercial NASes such as Synology and QNAP have of course, multi-user accounts and permissions.

I tried truecrypt but for frequent use as I have, it's too cumbersome as compared to free SafeHouse Software (which is not a service either).
 
Encrypting the filesystem might protect some data, but it will seriously complicate any kind of data recovery...
 
Encrypting the filesystem might protect some data, but it will seriously complicate any kind of data recovery...
If you do what every user should and back up your data regularly then you shouldn't need data recovery. Data recovery may be unsuccessful and shouldn't be relied on.

Of course if you back up data on an encrypted volume then you need to consider how the backup is encrypted...
 
Did you follow me that SafeHouse Software does not encrypt each individual file... it encrypts a virtual drive. Better choice for me.
I do have some few files that I encrypt at the file level, simply using WinZip and AES. But those are few.

Yeah, VeraCrypt makes containers too and you can select the file (=container) size. Then when you start using them, they are mapped as virtual logical drives. But the containers I'm using are large, up to 50GB. I haven't had time to try that 50GB container placed on the NAS. From a USB hard drive (connected to the router) I get lots of errors when using the container. I hope it is going to work better on the NAS.

Using a service or software addon concerns me as I would be vulnerable if that entity were to cease to exist. Right? A few years ago wasn't TrueCrypt thought to be the perfect solution for scenarios like this?

Not perfect but I prefer to have multiple users set up on my NAS4Free with different passwords and levels of permissions.

I don't know how NAS4Free works, but the WD DL2100 lets the admin access all data on the NAS. And if somebody steals the whole NAS, he can reset the password just by pressing the physical reset button on the NAS and then get access to all data on the NAS. That's why I set the NAS up again without encryption. It protects nothing.

VeraCrypt is based on TrueCrypt. You have the software on your own computer, so if the project ends someday, you still have the software and access to your data. You can use it or decrypt the data and start using other encryption software.


Sent from iPhone 6S+
 
Since I encrypt only sensitive information, my virtual drive container file needs be only 1GB. It grew from 0.5GB in a couple of years.

The main attraction of SafeHouse Software, apart from being free and mature, is the super simple GUI in daily use. Just one click to yield the password UI, enter that, and boom, there's the new drive letter.

So the container file is stored on the NAS but to the NAS OS, it's just a plain file, no special treatment. My keychain 32GB flash drive has that file on it too and the SafeHouse software then can run directly from the flash drive without installing the software, when I need to use some other PC, e.g., on a trip to visit someone.
 
Yeah, VeraCrypt makes containers too and you can select the file (=container) size. Then when you start using them, they are mapped as virtual logical drives. But the containers I'm using are large, up to 50GB. I haven't had time to try that 50GB container placed on the NAS. From a USB hard drive (connected to the router) I get lots of errors when using the container. I hope it is going to work better on the NAS.



I don't know how NAS4Free works, but the WD DL2100 lets the admin access all data on the NAS. And if somebody steals the whole NAS, he can reset the password just by pressing the physical reset button on the NAS and then get access to all data on the NAS. That's why I set the NAS up again without encryption. It protects nothing.

VeraCrypt is based on TrueCrypt. You have the software on your own computer, so if the project ends someday, you still have the software and access to your data. You can use it or decrypt the data and start using other encryption software.


Sent from iPhone 6S+
I have a suggestion on using TrueCrypt/VeraCrypt.
Use a VPS to store your password as a keyfile. Set up SSH between your NAS and VPS
so it doesn't require a password. Edit fstab on your NAS in /init.d/ and add the line:
Code:
tmpfs /var/ram tmpfs nodev,nosuid,size=1M 0 0
Make sure to make a folder named ram in /var/ and give it proper permissions.
This makes a 1MB RAM disk in /var/ram, and it gets mounted at boot.
Then put:
Code:
scp yourSSHusername@yourVPSip:~/yourkeyfile /var/ram
sleep 10
truecrypt --non-interactive --protect-hidden=no -m=nokernelcrypto -k /var/ram/yourkeyfile ~/yourcontainer /media/yourmountedcontainer
into your /etc/init.d/rc.local file on your NAS.
Now your password is fetched offsite, and your system can reboot without user input and mount containers.
Forgive me if I am explaining too much; I am somewhat of a Linux newbie.
I think it would be a good idea to set up your offsite VPS to only allow SSH connections from the IP of your NAS.
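
A fail-closed variant of the boot-time unlock steps in the post above, as an added example that is not part of the original post: it refuses to write the key anywhere but a tmpfs mount, never lets scp prompt, and deletes the key whether or not the mount succeeds. The host, key and container names are the post's placeholders; the function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed version of the rc.local steps from the post.
# yourSSHusername, yourVPSip, yourkeyfile etc. are the post's placeholders.
KEY_DIR="${KEY_DIR:-/var/ram}"
KEY_SRC="${KEY_SRC:-yourSSHusername@yourVPSip:yourkeyfile}"
CONTAINER="${CONTAINER:-$HOME/yourcontainer}"
MOUNT_POINT="${MOUNT_POINT:-/media/yourmountedcontainer}"

# True only if the directory is a tmpfs mount, so the key never touches disk.
is_ramdisk() {
  awk -v d="$1" '$2 == d && $3 == "tmpfs" { ok = 1 } END { exit !ok }' /proc/mounts
}

# Copy the keyfile from the VPS. BatchMode makes scp fail instead of prompting,
# so a revoked or missing SSH key cannot hang the boot sequence.
fetch_key() {
  scp -q -o BatchMode=yes -o ConnectTimeout=10 "$KEY_SRC" "$1"
}

# Mount command line as given in the post.
mount_container() {
  truecrypt --non-interactive --protect-hidden=no -m=nokernelcrypto \
    -k "$1" "$CONTAINER" "$MOUNT_POINT"
}

# Returns 0 on success, 1 if KEY_DIR is not a ramdisk, 2 if the key could not
# be fetched (or arrived empty), 3 if the mount failed.
unlock_container() {
  key="$KEY_DIR/yourkeyfile"
  is_ramdisk "$KEY_DIR" || return 1
  # The subshell keeps the restrictive umask local to the fetch.
  if ! ( umask 077; fetch_key "$key" ) || [ ! -s "$key" ]; then
    rm -f "$key"
    return 2
  fi
  mount_rc=0
  mount_container "$key" || mount_rc=3
  rm -f "$key"   # the key is only needed while the volume is being mounted
  return "$mount_rc"
}

# From rc.local, run this script with RUN_UNLOCK=1.
if [ "${RUN_UNLOCK:-0}" = 1 ]; then
  unlock_container || echo "container unlock failed with code $?" >&2
fi
```

On the VPS side, the IP restriction suggested in the post can be expressed with a `from="<NAS address>"` option in front of the key's line in `authorized_keys`.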
 
