encryption options for ZFS plug-in

Hi!

I have just moved to OMV. I used two old DNS-32x devices and clearly it was time for them to go. So I have built a simple NAS with ASrock J3455M, 8Gb of RAM, modest PSU, 6-port PCIe x4 SATA card (with the name I cannot pronounce) and 5 drives + 1 small SSD for the OS. All in ATX mid-tower case, seems to be working fine. So far I love OMV, it may not look as fancy as FreeNAS but I prefer Linux to BSD and it seems it does just enough for me. Except one thing I have not yet decided how to do.

I have a few Gb of important documents (bills, statements etc) that I like to keep on my NAS to access from several computers at home + doing periodic backups to other locations. Before

I used to store an encrypted disk image (I use OS X) on my Samba share. It was not efficient but it worked and I had end-to-end encryption this way. Although, obviously, it was OS X - specific and mounting this sparse image from a Linux box would be probably not trivial. But I felt safe enough with it because if the physical drive was stolen, the bad guys would only see the non-confidential stuff stored on the drives.

Now I am wondering if I can do something more elegant with OMV. I do not need to encrypt the entire device, I actually need a relatively small encrypted filesystem on my ZFS mirror. And I would love to have it as simple as possible. It seems to me that I have the following options:

1. use command-line ZFS tools to create an encrypted dataset

2. use command-line ZFS tools to create a volume (device) and then probably use LUKS on top of it (there seems to be a plugin available for OMV for LUKS)

3. use something user-space, FUSE-based, with FUSE running on the OMV NAS itself, exposing this filesystem via Samba

4. use something user-space, FUSE-based, with FUSE running on the client machines - not sure how well it will work on Macs

I am wondering if someone here could recommend the best approach. I only want to encrypt a small amount of data and I would like to have this "share" to be accessible via Samba.

Thanks!

Quote from raulfg3

native encrytion is only available on ZFS 0.8.0 or newer, please revise version on OMV , I suspect that do not meet reqeriments.

https://wiki.archlinux.org/index.php/ZFS#Native_encryption

Well, on my OMV box:

# zfs --version

zfs-0.8.6-1~bpo10+1

zfs-kmod-0.8.6-1~bpo10+1

In the properties of the pools created via OMV UI I see that encryption support is available. So, I guess, the question is really about configuring it and seeing how OMV will behave if it cannot mount the filesystem until the key is provided...

Quote from crashtest

I'm running ZFS on two NAS boxes so, I'd like to ask, why do you want encryption?

I do not find the number of NAS boxes relevant I want encryption to encrypt the data worth encrypting

In short, I think I have found a solution that seems to be working transparently for OMV. The point is mainly to prevent one threat: reading my confidential documents stored on the NAS in case the physical drive is stolen (with the NAS ). Other security aspects: my network, external access, WiFi security and shared folder access control are, obviously, taken care of by using other measures.

1. Created AWS KMS encryption key (CMK). It is free under free tier.

2. Generated a random encryption key. Encrypted it with KMS. Stored the encrypted key on OMV box.

3. Created an encrypted dataset as follows (key was previously loaded in RAM)

zfs create -o encryption=on -o keyformat=raw -o keylocation=file:///dev/shm/my-key pool/dataset

4. Created a systemd unit as follows:

[Unit]
Description=Loads ZFS encryption keys
After=network-online.target
Wants=network-online.target
Requires=docker.service
After=zfs.target
Wants=zfs.target
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/load_zfs_keys.sh
TimeoutStartSec=120

[Install]
WantedBy=zfs-mount.service

5. The script does this

#!/bin/sh


AWS_CONFIG_DIR=/etc/aws
KEY_BLOB_PATH=/etc/aws/key_blob
KEY_ID_PATH=/etc/aws/enc_key_keyid

KEY_FILE=/dev/shm/my-key

echo "Retrieving the encryption key..."

docker run --rm -v /etc/aws:/root/.aws amazon/aws-cli \
    kms decrypt \
    --key-id $(cat $KEY_ID_PATH) \
    --ciphertext-blob $(cat $KEY_BLOB_PATH) \
    --output text \
    --query Plaintext | tr -d '\r\n' > $KEY_FILE

if [ $? != 0 ] ; then
    rm $KEY_FILE
    echo "Failed to retrieve the encryption key"
    exit 1
fi

echo "Successfully retrieved encryption key, path=$KEY_FILE, size="$(cat $KEY_FILE | wc -c)

echo "Reloading ZFS keys..."
zfs load-key -a

Seems to be working. Tested, rebooted several times. OMV has noticed the new ZFS "filesystem" (AKA dataset), asked to apply the configuration. Applied, it survived.

Obviosly, I have a copy of the encryption key in a safe place so should something happen, I can mount it manually.

The point of using AWS (you can do the same with other cloud providers) is to control the encryption key access. First, I can severely restrict access to the KEK and decrypt functionality to make sure it can be called only from my network. Next, should something happen, I can disable access to this KMS and this leaves the (stolen) system without any way to access the key (since it stored only the encrypted DEK).

Quote from crashtest

Other than an indication that I'm a long time ZFS user, it's not relevant. However, I was exposed to drive encryption at work, in times past, and it proved to be a huge PITA. If the slightest thing goes wrong with the filesystem, encryption might mean wiping the drive and rebuilding.

Here's to hoping you don't experience the down side of drive encryption and that you have 100% backup. (You may need it.)

That's not even a question. I have seen everything failing I believe in multiple backups on _different_ media/servers for the data that is worth it. BTW, I also have that encrypted dataset on a ZFS mirror. The main driver for having the encrypted dataset is to be able to access it from several machines, so a local encrypted storage was not an option.