Encryption - automatic unlock?

    • Encryption - automatic unlock?

      Hello,

      Just got a couple of Odroid HC2 on which I am installing OMV v4, and I'm looking for assistance regarding drive encryption. I came across the LUKS plugin, but it does not seem to be able to unlock the drive automatically upon boot. Not sure why that is, I'm sure there's a reason, but I need that functionality nonetheless.

      If not LUKS, which I planned to use on an ext4 partition, are there any other ways?

      Thanks!
    • An encryption scheme where the encryption is automatically unlocked during reboot seems pretty useless to me. Why even bother?

      I would assume that the point is to deny unauthorized access to the data in case of theft? Or at least guarantee that the data is unavailable after any form of power cycling?
      OMV 4, 7 x ODROID HC2, 1 x ODROID HC1, 5 x 12TB, 1 x 8TB, 1 x 2TB SSHD, 1 x 2TB SSD, GbE, WiFi mesh
    • hello,

      The idea is to prevent access to personal information in case of a theft. Even if the drive is automatically unlocked, you would still need to log in to the NAS to get access to the files, right? And if the drive is removed from the case, it would be encrypted. So I will look into crypttab for this purpose, thanks for the pointer.

      But perhaps I need to learn how others are dealing with drive encryption, as there might be an easier way for my use case.

      I am planning to access the NAS from remote locations via FTP - but maybe I can use another method, which could allow me to run a script remotely to unlock and mount the drive only when needed? I need this to be "wife" ready, so automation is key.

      thanks!
    • Hi boombuia,
      I've planned something similar to you, but I have never implemented it... I found this article a while ago, maybe it helps.
      You should rethink your idea to use FTP for remote file access. It's a very unsafe, old protocol.
      I'm using Nextcloud (Docker) to access and share my files to various clients and I'm pretty happy with it. But maybe that's another use case.

      p.parker
      Odroid HC1 | HGST Travelstar 7K1000 | OMV 4.1.23-1 (Arrakis) | 4.14.94-odroidxu4
    • boombuia wrote:

      hello,

      The idea is to prevent access to personal information in case of a theft. Even if the drive is automatically unlocked, you would still need to log in to the NAS to get access to the files, right? And if the drive is removed from the case, it would be encrypted. So I will look into crypttab for this purpose, thanks for the pointer.

      But perhaps I need to learn how others are dealing with drive encryption, as there might be an easier way for my use case.

      I am planning to access the NAS from remote locations via FTP - but maybe I can use another method, which could allow me to run a script remotely to unlock and mount the drive only when needed? I need this to be "wife" ready, so automation is key.

      thanks!

      VeraCrypt.... :/
    • boombuia wrote:

      The idea is to prevent access to personal information in case of a theft. Even if the drive is automatically unlocked, you would still need to log in to the NAS to get access to the files, right? And if the drive is removed from the case, it would be encrypted.

      With access to the hardware, it takes <15 minutes to change the root password.
      And then the key is stored and all data is available to the thief.

      Greetings,
      Hendrik
    • boombuia wrote:

      hello,

      The idea is to prevent access to personal information in case of a theft. Even if the drive is automatically unlocked, you would still need to log in to the NAS to get access to the files, right? And if the drive is removed from the case, it would be encrypted. So I will look into crypttab for this purpose, thanks for the pointer.

      But perhaps I need to learn how others are dealing with drive encryption, as there might be an easier way for my use case.

      I am planning to access the NAS from remote locations via FTP - but maybe I can use another method, which could allow me to run a script remotely to unlock and mount the drive only when needed? I need this to be "wife" ready, so automation is key.

      thanks!

      The root drive isn't encrypted; if the keys are stored there, it is just a matter of reading the crypttab to know where they are. What makes you think they are going to boot the actual OS? Any educated tech user would just plug the root HDD into another station to see what they are dealing with.
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
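
The post above notes that a key file referenced from crypttab sits readable on the unencrypted root drive. As an added example (not part of the original thread), this Python audit parses crypttab-format text, following the four-field layout of crypttab(5), and lists the volumes that unlock from a stored key file. The sample entries, volume names and key paths are constructed for illustration.

```python
# Added example: find crypttab entries whose key is stored at rest.
# Field layout per crypttab(5): name, device, key file, options.

SAMPLE_CRYPTTAB = """\
# constructed sample, not taken from the thread
data1  UUID=1111-aaaa  /root/keys/data1.key  luks,nofail
data2  UUID=2222-bbbb  none                  luks,noauto
swap   /dev/sda3       /dev/urandom          swap,cipher=aes-xts-plain64
data3  UUID=3333-cccc  -                     luks
"""

RANDOM_SOURCES = {"/dev/urandom", "/dev/random"}


def classify(line):
    """Return (name, verdict) for one crypttab line, or None for blanks/comments."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if len(fields) < 2:
        raise ValueError("crypttab entry needs at least a name and a device")
    name = fields[0]
    key = fields[2] if len(fields) > 2 else "none"
    opts = fields[3].split(",") if len(fields) > 3 else []
    if any(o.startswith("keyscript=") for o in opts):
        return name, "keyscript"             # key comes from a script; review it
    if key in ("none", "-"):
        return name, "passphrase-prompt"     # needs a human at unlock time
    if key in RANDOM_SOURCES:
        return name, "ephemeral-random-key"  # fresh key every boot (swap)
    return name, "stored-keyfile:" + key     # key readable by whoever has the disk


def audit(text):
    """Return (name, key path) for entries unlocked from a key file on disk."""
    findings = []
    for line in text.splitlines():
        result = classify(line)
        if result and result[1].startswith("stored-keyfile:"):
            findings.append((result[0], result[1].split(":", 1)[1]))
    return findings


if __name__ == "__main__":
    for name, path in audit(SAMPLE_CRYPTTAB):
        print(f"{name}: unlocks from {path}; whoever can read that file can open it")
```

On a real system, pass the contents of `/etc/crypttab` to `audit()` and then check whether each reported key path lives on an unencrypted filesystem.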
    • Are you sure? Is the only threat model the physical theft of a data disk? What about online penetration?
      I would be more concerned with online threats than with physical theft, although you should protect yourself against this.

      Everything comes down to the question of what data must be available, and how and when. Do they need to be decrypted on the NAS? Can you transfer this vector to the user's destination machine?
      If the data does not have to be directly available on the NAS, I would personally consider an encrypted container, which remains encrypted on the NAS at all times. No matter whether the threat is physical or online, the data is always encrypted. And the entire decryption process takes place only on the user's target machine. In this way, you eliminate the consequences of online penetration and data leakage, which disk encryption does not protect against.
      Since you are afraid of data leakage through physical theft, you should be even more afraid of an online leak that is more likely to occur.
      On the NAS, the encrypted VeraCrypt container, which you mount on your machine via SMB/NFS. In this way, the only place of data leakage when it is decrypted is the user's machine, which limits the attack vectors and the amount of time the data is exposed to leakage.

      imho