Encryption support plans?

    • First of all, you guys already acknowledged the biggest problem of encrypting stuff, the need to decrypt it. Thus, either you have to have your system run 24/7 which can leave your data vulnerable in certain conditions or you have to live with the fact that you have to type in your password regularly to decrypt your data.

      Currently none of the Plugin devs said that they're interested in developing a Plugin for encryption. Volker hasn't said a word about it either, too.

      I'd suggest to use a VeraCrypt Container, it's the successor to TrueCrypt. Use an encrypted Container, that might be the best way to achieve encryption with OpenMediaVault in the current state.

      Greetings
      David
      "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"

      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.


      Upload Logfile via WebGUI/CLI
      #openmediavault on freenode IRC | German & English | GMT+1
      Absolutely no Support via PM!

      I host parts of the omv-extras.org Repository, the OpenMediaVault Live Demo and the pre-built PXE Images. If you want you can take part and help covering the costs by having a look at my profile page.
    • davidh2k wrote:

      Currently none of the Plugin devs said that they're interested in developing a Plugin for encryption. Volker hasn't said a word about it either, too.


      Thank you for clearly answering my question. Basically, there are no plans for builtin encryption support.

      Only downside with an encryption container like TrueCrypt is that the decryption happens on the client end and for one user only.

      Guess wiki.openmediavault.org/index.…f_boot_disk_to_store_data is the only route to take.
    • I'm not sure that's totally true. I'm very interested in developing an encfs as well as luks plugin, I just don't have the time at the moment. I might sometime soon as I'm currently using an encfs USB drive to do backups. Why do you think VeraCrypt is any better than LUKS? LUKS is built in to the kernel.

      @UchiyamaSuzuko and others, it's never too late to learn how to build plugins ;-).

      Edit: Soon meaning sometime in the next year or so...
    • ikogan wrote:

      Why do you think VeraCrypt is any better than LUKS? LUKS is built in to the kernel.


      In terms of encryption strength I have no clue which is better. But with LUKS multiple clients can access the same shared data as it becomes transparent to the user and OMV. Plus any VM or plugin doesn't need to be aware of having to mount containers etc. I'm fine with having to enter a password upon bootup and leaving it running 24/7; it's the purpose of a NAS. If I was the only user then VeraCrypt containers would work fine.
    • ikogan wrote:

      Why do you think VeraCrypt is any better than LUKS? LUKS is built in to the kernel.


      If you know VeraCrypt (or knew TrueCrypt) you know why I suggested it. It's the easiest solution for Users for the time being. I apologize if I didn't remember that you said you had interest in encryption. ;)

      Greetings
      David
    • You're fine. I did use TrueCrypt, I don't see why it's easier on a Linux box than native encryption for an entire filesystem, unless you're suggesting they create an encrypted container on an existing drive which...has a lot of drawbacks and is hackery that needs to be done carefully for the rest of OMV to work. Are you suggesting they install a desktop environment so they can use a VeraCrypt GUI?

      Now, it's certainly easier on a desktop system for a container within the larger system (though I'd never create a many-terabyte container on a RAID, maybe if the RAID was XFS?) or for an external drive but the key being desktop system, where you have access to the VeraCrypt GUI.

      For a console:

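      # iflag=fullblock: a single read from /dev/urandom can return less than the 1G requested,
      # and dd counts each short read as a block, so without it the file ends up smaller than intended
      dd if=/dev/urandom of=/data/encrypted bs=1G count=128 iflag=fullblock # Or /dev/random if you want to be more secure
      cryptsetup -y luksFormat /data/encrypted
      cryptsetup luksOpen /data/encrypted encrypted
      mkfs.ext4 -j /dev/mapper/encrypted
      mkdir /media/encrypted
      mount /dev/mapper/encrypted /media/encrypted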


      Doesn't seem too bad. Mounting it again later with

      cryptsetup luksOpen /data/encrypted encrypted
      mount /dev/mapper/encrypted /media/encrypted


      Is quite easy and scriptable. You still end up with a huge container on your filesystem (the example being 128gb). I'd prefer to use something like encfs, which encrypts individual files but it has some weaknesses. I'm hoping that github.com/vgough/encfs will be ready and viable soon for that purpose.

      The trick is integrating whatever encryption software is used with the OMV GUI and system so it works sufficiently seamlessly.
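
The remount step from the post above, as an added example that is not part of the original post or of OMV: a wrapper that checks the current state first so it can be re-run safely, and that also does the reverse (unmount, then close the mapping). The container path, mapping name and mount point are the ones from the post; `DRY_RUN`, `MOUNTS` and `MAPPER_DIR` are assumptions introduced here so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: idempotent unlock/lock for a LUKS container file.
CONTAINER=${CONTAINER:-/data/encrypted}    # container file from the post
NAME=${NAME:-encrypted}                    # device-mapper name from the post
MNT=${MNT:-/media/encrypted}               # mount point from the post
MOUNTS=${MOUNTS:-/proc/mounts}             # assumption: overridable for testing
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}      # assumption: overridable for testing

# With DRY_RUN=1 print the command instead of running it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# The mapping exists once luksOpen has succeeded.
is_open() { [ -e "$MAPPER_DIR/$NAME" ]; }

# The second field of each /proc/mounts line is the mount point.
is_mounted() {
    awk -v m="$MNT" '$2 == m { found = 1 } END { exit !found }' "$MOUNTS"
}

# Open and mount, skipping whatever is already done.
unlock() {
    is_open    || run cryptsetup luksOpen "$CONTAINER" "$NAME" || return 1
    is_mounted || run mount "$MAPPER_DIR/$NAME" "$MNT"
}

# Unmount first, then close the mapping so the volume key leaves kernel
# memory; stop if the unmount fails (files still in use).
lock() {
    if is_mounted; then run umount "$MNT" || return 1; fi
    if is_open; then run cryptsetup luksClose "$NAME" || return 1; fi
}

case "${1:-}" in
    unlock) unlock ;;
    lock)   lock ;;
    "")     ;;   # sourced or run without arguments: define functions only
    *)      echo "usage: $0 unlock|lock" >&2; exit 2 ;;
esac
```

Run as root with `unlock` or `lock`; `cryptsetup` prompts for the passphrase on the terminal, so nothing secret is stored in the script.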
    • ikogan wrote:

      unless you're suggesting they create an encrypted container on an existing drive which...


      That's what I'm suggesting.

      ikogan wrote:

      has a lot of drawbacks and is hackery that needs to be done carefully for the rest of OMV to work.


      Doesn't sound hackery to me.

      ikogan wrote:

      Are you suggesting they install a desktop environment so they can use a VeraCrypt GUI?


      I mean, creating a container that is stored on the NAS and opened on the Client.

      This is far from anything clean and GUI integrated, but for me it's a solution for everybody that yells for encryption. Because it simply offers what they want. Encryption of their data.

      Greetings
      David
    • ikogan wrote:

      What about multiple clients having access to the same container?


      That'd be read-only (at least from what I could pick up from TrueCrypt). But I'd suggest a dedicated container for each user, so that's no biggie.

      Greetings
      David
    • "ikogan" wrote:

      encfs can also be used for encrypting individual directories and being transparent to all file sharing tools (though it has a few cryptographic weaknesses).

      Yeah, that's where filesystem level encryption shines vs block level's.
      We don't need decryption on the NAS side to sync or restore our encrypted data: Once backed up in OMV encrypted, it's available for sync'in/restoring to any device, where it'll be (auto-)decrypted, voilà.

      /path/to/encrypted_content # safely sync'ed or backed up on OMV;
      /path/to/decrypted_content # used as any unencrypted dir on client only;

      That's the first step to keeping our contents private. Next:

      "UchiyamaSuzuko" wrote:

      I would assume the storage will be inaccessible [in OMV] until you log into the webUI to mount the encrypted volume with your password?

      "FeraTechInc" wrote:

      only decrypt the contents any time a user connects via ssh/ftp using their password to decrypt the data

      Yeah, so now:

      /path/to/encrypted_content # safely backed up and sync'able on/from OMV;
      /path/to/decrypted_content # upon login (e.g. via ssh) then used as any unencrypted dir on OMV.

      That's what I have used for 5-6 years on my Arch-based laptops (where it works real good), as per wiki.archlinux.org/index.php/ECryptfs#Auto-mounting. More importantly it's a big point in Chromium/e OS data privacy model*, or in a less techy language here « Sign-In and Encryption ».

      So the following, while factual, is not a problem to add for filesystem encryption support in OMV and use it effectively as it seems to me:

      "davidh2k" wrote:

      First of all, you guys already acknowledged the biggest problem of encrypting stuff, the need to decrypt it. Thus, either you have to have your system run 24/7 which can leave your data vulnerable in certain conditions or you have to live with the fact that you have to type in your password regularly to decrypt your data.


      EDIT: for better readability hopefully.

      (*) which is flawed in other ways --none affecting OMV I believe.

      The post was edited 1 time, last by datruche.

    • datruche wrote:

      So the following is not even a problem/needed for filesystem encryption support in OMV to be used effectively as it seems to me:


      Um... could you elaborate on how you think this scenario works? Are you only speaking of regular backups? Sure, you probably don't have to access them regularly and if it's an asynchronous encryption that task could be automated, doesn't help much with Data I need to access regularly?!

      Greetings
      David
    • @davidh2k thank you for showing interest. Well, from ikogan's quote to 'So, ...' my post above is all about elaborating on how I think this scenario works. For sync'ing as well as for backup, enc/decryption being done on the client side only... Until a plugin gives OMV the ability to act as a client. Sorry, I was unclear.

      In other words: securely encrypt your files in the cloud (see the « Set Up EncFS On Linux » part). But since that part of the cloud --OMV-- is in our hands, why refrain from trusting? Should be able to encrypt and decrypt no less than, say, your Ubuntu (and even more than my chrome OS laptop). PS will adjust a couple of bits in my previous message but please note English's not my first language.
    • Uhm, and what do the users do if they use Windows?

      Greetings
      David
    • Could start asking their software provider about its support of Encfs, Ecryptfs or else open source encryption tool.
      I dunno, and am not on Microsoft payload. OMV is Debian GNU/Linux powered if I remember well.

      EDIT: EncFS works on Linux as well as Mac through macfuse or Windows using BoxCryptor. There might be other ways of getting it to work under Windows but I don't use Windows so you're on your own here.

      The post was edited 1 time, last by datruche.