Encryption support plans?

  • I'm sure someone could develop a plugin, I'm not sure if any changes to core would be needed. There's a plugin request section. One of my issues with encryption is how to handle decrypting the disks when headless?


    I'd want the boot process to continue but not mount the encrypted FSes until someone unlocks them from the web GUI?

  • First of all, you guys already acknowledged the biggest problem of encrypting stuff, the need to decrypt it. Thus, either you have to have your system run 24/7 which can leave your data vulnerable in certain conditions or you have to live with the fact that you have to type in your password regularly to decrypt your data.


    Currently none of the plugin devs have said that they're interested in developing a plugin for encryption. Volker hasn't said a word about it either.


    I'd suggest using a VeraCrypt container; it's the successor to TrueCrypt. Using an encrypted container might be the best way to achieve encryption with OpenMediaVault in its current state.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

  • Currently none of the plugin devs have said that they're interested in developing a plugin for encryption. Volker hasn't said a word about it either.


    Thank you for clearly answering my question. Basically, there are no plans for built-in encryption support.


    The only downside with an encryption container like TrueCrypt is that the decryption happens on the client end and for one user only.


    Guess http://wiki.openmediavault.org…f_boot_disk_to_store_data is the only route to take.

  • I'm not sure that's totally true. I'm very interested in developing an encfs as well as a LUKS plugin, I just don't have the time at the moment. I might sometime soon, as I'm currently using an encfs USB drive to do backups. Why do you think VeraCrypt is any better than LUKS? LUKS is built into the kernel.


    @UchiyamaSuzuko and others, it's never too late to learn how to build plugins ;-).


    Edit: Soon meaning sometime in the next year or so...

  • Why do you think VeraCrypt is any better than LUKS? LUKS is built into the kernel.


    In terms of encryption strength I have no clue which is better. But with LUKS multiple clients can access the same shared data, as it becomes transparent to the user and OMV. Plus any VM or plugin doesn't need to be aware of having to mount containers etc. I'm fine with having to enter a password upon bootup and leaving it running 24/7; it's the purpose of a NAS. If I was the only user then VeraCrypt containers would work fine.

  • Why do you think VeraCrypt is any better than LUKS? LUKS is built into the kernel.


    If you know VeraCrypt (or knew TrueCrypt) you know why I suggested it. It's the easiest solution for users for the time being. I apologize if I didn't remember that you said you had interest in encryption. ;)


    Greetings
    David


  • You're fine. I did use TrueCrypt, I don't see why it's easier on a Linux box than native encryption for an entire filesystem, unless you're suggesting they create an encrypted container on an existing drive which...has a lot of drawbacks and is hackery that needs to be done carefully for the rest of OMV to work. Are you suggesting they install a desktop environment so they can use a VeraCrypt GUI?


    Now, it's certainly easier on a desktop system for a container within the larger system (though I'd never create a many-terabyte container on a RAID, maybe if the RAID was XFS?) or for an external drive but the key being desktop system, where you have access to the VeraCrypt GUI.


    For a console:


    Code
    dd if=/dev/urandom of=/data/encrypted bs=1G count=128 # Or /dev/random if you want to be more secure
    cryptsetup -y luksFormat /data/encrypted
    cryptsetup luksOpen /data/encrypted encrypted
    mkfs.ext4 -j /dev/mapper/encrypted
    mkdir /media/encrypted
    mount /dev/mapper/encrypted /media/encrypted


    Doesn't seem too bad. Mounting it again later with


    Code
    cryptsetup luksOpen /data/encrypted encrypted
    mount /dev/mapper/encrypted /media/encrypted


    is quite easy and scriptable. You still end up with a huge container on your filesystem (the example being 128 GB). I'd prefer to use something like encfs, which encrypts individual files, but it has some weaknesses. I'm hoping that https://github.com/vgough/encfs will be ready and viable soon for that purpose.


    The trick is integrating whatever encryption software is used with the OMV GUI and system so it works sufficiently seamlessly.
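    An added example, not code from the post or from the OMV project: the open/mount steps above wrapped into an idempotent POSIX shell script with a matching close step, so it can be run from a boot hook or an unlock action without double-opening the mapping. The container path, mapper name and mount point are the ones from the post; DRY_RUN is an assumed switch that prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Open or close a LUKS container file and its mount (steps from the post above).
# DRY_RUN=1 prints the privileged commands instead of running them.

CONTAINER="${CONTAINER:-/data/encrypted}"     # container file created with dd + luksFormat
MAPPER="${MAPPER:-encrypted}"                 # name under /dev/mapper
MOUNTPOINT="${MOUNTPOINT:-/media/encrypted}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 0 if the mapping is already open, so repeat runs do not call luksOpen twice.
is_open() { [ -e "/dev/mapper/$MAPPER" ]; }

# 0 if the mount point is already in use (Linux /proc/mounts; absent elsewhere).
is_mounted() { grep -q " $MOUNTPOINT " /proc/mounts 2>/dev/null; }

# Unlock and mount. nodev,nosuid stop device nodes and setuid binaries that a
# client writes into the share from being honoured on the NAS.
open_container() {
    if [ ! -f "$CONTAINER" ] && [ "${DRY_RUN:-0}" != "1" ]; then
        echo "container $CONTAINER not found" >&2
        return 1
    fi
    is_open || run cryptsetup luksOpen "$CONTAINER" "$MAPPER"
    run mkdir -p "$MOUNTPOINT"
    is_mounted || run mount -o nodev,nosuid "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

# Unmount and lock again, e.g. before shutting the NAS down.
close_container() {
    ! is_mounted || run umount "$MOUNTPOINT"
    ! is_open || run cryptsetup luksClose "$MAPPER"
}

case "${1:-}" in
    open)  open_container ;;
    close) close_container ;;
    *)     echo "usage: $0 open|close" >&2 ;;
esac
```

The password prompt still comes from cryptsetup on the console, so the unlock step itself stays interactive unless a key file is used.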

  • unless you're suggesting they create an encrypted container on an existing drive which...


    That's what I'm suggesting.


    has a lot of drawbacks and is hackery that needs to be done carefully for the rest of OMV to work.


    Doesn't sound hackery to me.


    Are you suggesting they install a desktop environment so they can use a VeraCrypt GUI?


    I mean, creating a container that is stored on the NAS and opened on the Client.


    This is far from anything clean and GUI-integrated, but for me it's a solution for everybody that yells for encryption, because it simply offers what they want: encryption of their data.


    Greetings
    David


  • Quote

    I mean, creating a container that is stored on the NAS and opened on the Client


    What about multiple clients having access to the same container? I'll agree that, in your use case, VeraCrypt is effectively necessary since it's the only real cross platform solution.

  • What about multiple clients having access to the same container?


    That'd be read-only (at least from what I could pick up from TrueCrypt). But I'd suggest a dedicated container for each user, so that's no biggie.


    Greetings
    David


  • Quote from "ikogan"

    encfs can also be used for encrypting individual directories and being transparent to all file sharing tools (though it has a few cryptographic weaknesses).


    Yeah, that's where filesystem-level encryption shines vs. block-level encryption.
    We don't need decryption on the NAS side to sync or restore our encrypted data: once backed up in OMV encrypted, it's available for syncing/restoring to any device, where it'll be (auto-)decrypted, voilà.


    /path/to/encrypted_content # safely sync'ed or backed up on OMV;
    /path/to/decrypted_content # used as any unencrypted dir on client only;


    That's the first step to keeping our contents private. Next:


    Quote from "UchiyamaSuzuko"

    I would assume the storage will be inaccessible [in OMV] until you log into the webUI to mount the encrypted volume with your password?


    Quote from "FeraTechInc"

    only decrypt the contents any time a user connects via ssh/ftp using their password to decrypt the data


    Yeah, so now:


    /path/to/encrypted_content # safely backed up and sync'able on/from OMV;
    /path/to/decrypted_content # upon login (e.g. via ssh) then used as any unencrypted dir on OMV.


    That's what I have used for 5-6 years on my Arch-based laptops (where it works really well), as per https://wiki.archlinux.org/index.php/ECryptfs#Auto-mounting. More importantly, it's a big point in the Chromium/Chrome OS data privacy model*, or in less techy language here « Sign-In and Encryption ».


    So the following, while factual, is not a problem for adding filesystem encryption support to OMV and using it effectively, as it seems to me:

    Quote from "davidh2k"

    First of all, you guys already acknowledged the biggest problem of encrypting stuff, the need to decrypt it. Thus, either you have to have your system run 24/7 which can leave your data vulnerable in certain conditions or you have to live with the fact that you have to type in your password regularly to decrypt your data.


    EDIT: for better readability hopefully.


    (*) which is flawed in other ways, none affecting OMV I believe.

  • So the following is not even a problem/needed for filesystem encryption support in OMV to be used effectively as it seems to me:


    Um... could you elaborate on how you think this scenario works? Are you only speaking of regular backups? Sure, you probably don't have to access them regularly, and if it's asynchronous encryption that task could be automated, but that doesn't help much with data I need to access regularly?!


    Greetings
    David


  • @davidh2k thank you for showing interest. Well, from ikogan's quote to 'So, ...' my post above is all about elaborating on how I think this scenario works. For syncing as well as for backup, encryption/decryption is done on the client side only... until a plugin gives OMV the ability to act as a client. Sorry, I was unclear.


    In other words: securely encrypt your files in the cloud (see the « Set Up EncFS On Linux » part). But since that part of the cloud, OMV, is in our hands, why refrain from trusting it? It should be able to encrypt and decrypt no less than, say, your Ubuntu (and even more than my Chrome OS laptop). PS: I will adjust a couple of bits in my previous message, but please note English is not my first language.

  • Uhm, and what do the users do if they use Windows?


    Greetings
    David


  • They could start asking their software provider about its support of EncFS, eCryptfs or another open source encryption tool.
    I dunno, and I am not on the Microsoft payroll. OMV is Debian GNU/Linux powered if I remember well.


    EDIT: EncFS works on Linux as well as Mac through macfuse or Windows using BoxCryptor. There might be other ways of getting it to work under Windows but I don't use Windows so you're on your own here.
