NAS with data Encryption

j.w.stephenson

I am looking at purchasing a NAS. I've been looking at the Synology
407e, Buffalo TeraStation Live and the Infrant ReadyNAS NV+. My
problem is that none of these or any other boxes that I can find
support native encryption and I want to be able to encrypt some if not
all of the data stored on the NAS.

I currently use TrueCrypt 4.3 on my PC and am very happy with it and
wanted to hear from anyone that currently has a working solution for
encrypting NASs.

My concern about using TrueCrypt or similar is that I don't see how I
could use the built-in media server on the NAS to stream to my network
media player as TrueCrypt's encryption is done client-side.

Any ideas?

Thanks.
 
Arno Wagner

Previously said:
> I am looking at purchasing a NAS. I've been looking at the Synology
> 407e, Buffalo TeraStation Live and the Infrant ReadyNAS NV+. My
> problem is that none of these or any other boxes that I can find
> support native encryption and I want to be able to encrypt some if not
> all of the data stored on the NAS.
>
> I currently use TrueCrypt 4.3 on my PC and am very happy with it and
> wanted to hear from anyone that currently has a working solution for
> encrypting NASs.
>
> My concern about using TrueCrypt or similar is that I don't see how I
> could use the built-in media server on the NAS to stream to my network
> media player as TrueCrypt's encryption is done client-side.
>
> Any ideas?

You need to think about the functionality first: Do you want
the NAS to encrypt (and have the keys in its memory) or do you
want to encrypt on the client? Second case: just use an ordinary NAS.

First case: Since the NAS cannot tell what should be encrypted and
what not, that is likely a case for whole disk or at least
partition encryption. Advantage: Everything is encrypted.
Disadvantage: If somebody gets access to the device without
shutting it down, then they can read everything.

Solution for an encrypted NAS would be, e.g., a Linux server
with LUKS. I have no idea whether there are "media servers"
for Linux though.

Arno
 
j.w.stephenson

> You need to think about the functionality first: Do you want
> the NAS to encrypt (and have the keys in its memory) or do you
> want to encrypt on the client? Second case: just use an ordinary NAS.

If I encrypt on the client then how will I be able to stream video
from the NAS to a network media player (I have the Buffalo
LinkTheater)? The Network Media Player will not be able to decrypt the
data that it is receiving. All NASs that I mentioned above come with a
built-in UPnP software to facilitate streaming of audio/video over the
network, such as Buffalo's Mediabolic software and I want to be able
to utilise that functionality.

If the NAS handled the encryption itself I would be happy with that, a
dedicated controller for the encrypt/decrypt would be nice.

> First case: Since the NAS cannot tell what should be encrypted and
> what not, that is likely a case for whole disk or at least
> partition encryption. Advantage: Everything is encrypted.
> Disadvantage: If somebody gets access to the device without
> shutting it down, then they can read everything.

I am happy with that risk, I have other measures in place to mitigate
that.

> Solution for an encrypted NAS would be, e.g., a Linux server
> with LUKS. I have no idea whether there are "media servers"
> for Linux though.
>
> Arno

I would like to procure a commercially available box if possible
rather than building my own. There is firmware available for both the
TeraStation and Synology that allows SSH access so modifications should
not be a problem.

Apologies, media servers = UPnP servers.

Thanks for your quick response.
 
Arno Wagner

> If I encrypt on the client then how will I be able to stream video
> from the NAS to a network media player (I have the Buffalo
> LinkTheater)? The Network Media Player will not be able to decrypt the
> data that it is receiving.

Right.

> All NASs that I mentioned above come with a
> built-in UPnP software to facilitate streaming of audio/video over the
> network, such as Buffalo's Mediabolic software and I want to be able
> to utilise that functionality.

Ok, so you want transparent encryption on the NAS.

> If the NAS handled the encryption itself I would be happy with that, a
> dedicated controller for the encrypt/decrypt would be nice.
>
> I am happy with that risk, I have other measures in place to mitigate
> that.

Ok.

> I would like to procure a commercially available box if possible
> rather than building my own. There is firmware available for both the
> TeraStation and Synology that allows SSH access so modifications should
> not be a problem.

Ok, if you want LUKS or verbatim dm-crypt, then you need two things:

1) The kernel must be compiled with dm-crypt support. No way around
that. The options are under RAID support, device mapper,
crypt target.

2) You need the userspace-tools. Basically that is cryptsetup or
cryptsetup-LUKS.

The latter is available from http://luks.endorphin.org/
I would advise to go with LUKS. A lot of docu on the site as well.

The way this works is as follows: Instead of directly mounting
the disk/partition, it is first mapped through the device mapper
(dm) with the crypto target (dm-crypt). The decrypted
device is then mapped to a pseudo-device, e.g. /dev/mapper/d1.
This one behaves just like a normal disk or partition for all
practical purposes.

One problem you may run into is performance. Strong
crypto is CPU intensive. Might still be enough, though.

Another problem is that you will have to get the development
system for the Linux installation of the NAS, since you have to
both compile the kernel and the tools. Somebody might already have
done this, BTW. Places to look are http://www.terastation.org/wiki/Hacking
for help on hacking the TeraStation; unfortunately they do not do
server side encryption. Similar info should be on the web for
other Linux-based NASes.

Expect this to be a non-trivial project, though.

> Apologies, media servers = UPnP servers.

I see.

> Thanks for your quick response.

No problem.

Arno
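
The two prerequisites and the device-mapper mapping described in the post above, as an added example that is not part of the original thread: a preflight that reads a kernel config for the device mapper and crypt target symbols (`CONFIG_BLK_DEV_DM`, `CONFIG_DM_CRYPT`), then prints the LUKS steps as a dry run. The device `/dev/sdb1`, the mount point `/mnt/data` and the two sample configs are assumptions constructed for illustration; `d1` is the mapping name used in the post.

```shell
#!/bin/sh
# Added example: preflight for dm-crypt/LUKS on a Linux-based NAS.
# /dev/sdb1 and /mnt/data are assumed names; d1 is the mapping name from the post.

# Read a kernel .config on stdin; print builtin, module or missing for SYMBOL ($1).
kconfig_state() {
    state=missing
    while IFS= read -r line; do
        case "$line" in
            "$1=y") state=builtin ;;
            "$1=m") state=module ;;
        esac
    done
    echo "$state"
}

# Kernel config on stdin; succeeds only if the device mapper and its
# crypt target are both built in or available as modules.
dmcrypt_supported() {
    cfg=$(cat)
    for sym in CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT; do
        [ "$(printf '%s\n' "$cfg" | kconfig_state "$sym")" != missing ] || return 1
    done
}

# Print (do not run) the steps that end with a filesystem on /dev/mapper/NAME.
# luksFormat destroys whatever is on the device, so this stays a dry run.
luks_plan() {   # $1 = block device, $2 = mapping name, $3 = mount point
    echo "cryptsetup luksFormat $1"
    echo "cryptsetup luksOpen $1 $2"
    echo "mkfs.ext3 /dev/mapper/$2"
    echo "mount /dev/mapper/$2 $3"
}

# Constructed sample configs: a stock NAS kernel and one rebuilt with dm-crypt.
sample_stock()   { printf '%s\n' 'CONFIG_BLK_DEV_DM=y' '# CONFIG_DM_CRYPT is not set'; }
sample_rebuilt() { printf '%s\n' 'CONFIG_BLK_DEV_DM=y' 'CONFIG_DM_CRYPT=m'; }

for kernel in sample_stock sample_rebuilt; do
    if "$kernel" | dmcrypt_supported; then
        echo "$kernel: dm-crypt available"
        command -v cryptsetup >/dev/null 2>&1 || echo "  cryptsetup still has to be built"
        luks_plan /dev/sdb1 d1 /mnt/data
    else
        echo "$kernel: rebuild the kernel with CONFIG_DM_CRYPT enabled"
    fi
done
```

On a real box, feed `dmcrypt_supported` the running kernel's config instead of the samples, for example from `/proc/config.gz` through `zcat` where the kernel exposes it.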
 
j.w.stephenson

> Ok, so you want transparent encryption on the NAS.
>
> Ok, if you want LUKS or verbatim dm-crypt, then you need two things:
>
> 1) The kernel must be compiled with dm-crypt support. No way around
> that. The options are under RAID support, device mapper,
> crypt target.
>
> 2) You need the userspace-tools. Basically that is cryptsetup or
> cryptsetup-LUKS.
>
> The latter is available from http://luks.endorphin.org/
> I would advise to go with LUKS. A lot of docu on the site as well.
>
> The way this works is as follows: Instead of directly mounting
> the disk/partition, it is first mapped through the device mapper
> (dm) with the crypto target (dm-crypt). The decrypted
> device is then mapped to a pseudo-device, e.g. /dev/mapper/d1.
> This one behaves just like a normal disk or partition for all
> practical purposes.
>
> One problem you may run into is performance. Strong
> crypto is CPU intensive. Might still be enough, though.
>
> Another problem is that you will have to get the development
> system for the Linux installation of the NAS, since you have to
> both compile the kernel and the tools. Somebody might already have
> done this, BTW. Places to look are http://www.terastation.org/wiki/Hacking
> for help on hacking the TeraStation; unfortunately they do not do
> server side encryption. Similar info should be on the web for
> other Linux-based NASes.
>
> Expect this to be a non-trivial project, though.
>
> I see.
>
> No problem.
>
> Arno

OK change of tack, can you (or anyone else) recommend an affordable
(Max USD$1,200) RAID 5 SATA/IDE USB Enclosure? Needs to have a minimum
5 disk bays. Something like this http://www.cooldrives.com/8hadrusb20ra.html
would be great but it doesn't support RAID 5.
 
j.w.stephenson

> OK change of tack, can you (or anyone else) recommend an affordable
> (Max USD$1,200) RAID 5 SATA/IDE USB Enclosure? Needs to have a minimum
> 5 disk bays. Something like this http://www.cooldrives.com/8hadrusb20ra.html
> would be great but it doesn't support RAID 5.

Thinking about it I guess I could buy the above and use software RAID
5, has anyone tried this?
 
Arno Wagner

> Thinking about it I guess I could buy the above and use software RAID
> 5, has anyone tried this?

I have about 6 TBs in two RAID5 and one RAID6 under Linux. No
issues at all. You could do that with USB as well; using Linux
RAID auto-detection it does not matter as which disk a disk shows
up. The disks will also be assembled into the same RAID device
each time. Speed would be pretty slow though, is my guess.
Maybe 10MB/s reading and 5-7MB/s writing. But that is just a WAG.
Could be better or worse. USB is a pretty slow bus.

Arno
 
j.w.stephenson

> I have about 6 TBs in two RAID5 and one RAID6 under Linux. No
> issues at all. You could do that with USB as well; using Linux
> RAID auto-detection it does not matter as which disk a disk shows
> up. The disks will also be assembled into the same RAID device
> each time. Speed would be pretty slow though, is my guess.
> Maybe 10MB/s reading and 5-7MB/s writing. But that is just a WAG.
> Could be better or worse. USB is a pretty slow bus.
>
> Arno

Whose enclosure do you use? I'm looking for one that can take between
5-8 drives and isn't too expensive. The theoretical data transfer rate
of USB 2.0 is 480Mbps which should be sufficient for my needs.
 
Arno Wagner

> Whose enclosure do you use? I'm looking for one that can take between
> 5-8 drives and isn't too expensive.

The disks are hard-mounted in a server case. No enclosures.

> The theoretical data transfer rate
> of USB 2.0 is 480Mbps which should be sufficient for my needs.

Yes, but RAID requires very fast switchover between devices. USB does
not do so well on that. But I really have no hard data on the
speed.

Arno
 
j.w.stephenson

> The disks are hard-mounted in a server case. No enclosures.
>
> Yes, but RAID requires very fast switchover between devices. USB does
> not do so well on that. But I really have no hard data on the
> speed.
>
> Arno

OK decided to throw more money at this. Going to go for this:
http://www.cooldrives.com/eidrrerasaii.html I'm struggling to find a
2-port multilane raid (5) adapter though, any ideas?
 
Arno Wagner

> OK decided to throw more money at this. Going to go for this:
> http://www.cooldrives.com/eidrrerasaii.html I'm struggling to find a
> 2-port multilane raid (5) adapter though, any ideas?

I think this enclosure is a good choice.

Just get either a normal SATA adapter or a normal SATA RAID controller
and the multilane-to-single-lane splitter (multilane is electrically
identical to several single lane cables, just mechanically they are
combined) they advertise here: http://www.cooldrives.com/sapciadsaian.html
You would need two of these.

Personally I would go with one or two normal SATA adapters and
software RAID. At least under Linux software RAID is very reliable
and reasonably fast. The advantage is that you do not need to keep
a spare controller (in case of controller failure), because you can
move the drives to any computer with enough SATA interfaces and
access the RAID there. If a hardware controller fails, you cannot
be sure that a compatible controller is still available.

As for controllers, I have had quite good experiences with
Promise SATA150 TX4 under Linux. You can use more than one of
these in a computer. In fact I have an 8 disk SATA RAID on
a pair of these.

Arno
 
