security - Is it possible to have low level encryption on the disks of a Synology Disk Station DS213J (NAS)?

05
2014-04
  • André Christoffer Andersen

    I know I can encrypt shared folders, but unfortunately not the home/homes folder. All I want is that if my NAS is stolen then all data is unusable. I don't need to have different encryption for each user, just a collective one which I manage. I know that TrueCrypt and (I think) Windows with BitLocker can encrypt the disk before you enter the OS. I was thinking the OS of my Disk Station NAS could do something similar.

    The device in question is Synology DS213J.

  • Answers
  • Marki

    I don't think this can be easily done on a Synology.

    You probably have to encrypt on the client. I am, for example, using a dedicated user to perform backups to the Synology (into that user's homedir). I am using duplicity, which can do exactly that.


  • Related Question

    Want an easy to use Linux disk encryption scheme
  • thomasrutter

    In the interests of protecting personal info in case a laptop gets stolen, I'm looking for the best way to encrypt a Linux system.

    Disadvantages of whole disk encryption including swap:

    • Pre-boot password prompt is kind of ugly and unpolished, appearing hidden amongst the boot messages (can something like Splashy handle this?)
    • Need to log in twice (if you have a GDM login screen and need multiple users)

    Disadvantages of individual folder encryption using libpam-mount or similar:

    • Only the user's home folder is encrypted (whereas /etc, /var etc might contain sensitive information too).
    • Swap file isn't encrypted, so likely to be leakage of sensitive data in there
    • No way to securely hibernate.

    I'm using Debian Linux if it matters. Doesn't need to be ridiculously secure, but want peace of mind that a thief cannot steal my identity, bank account details, VPN logins etc. if it is stolen while off/hibernating.

    Do you know of ways to solve any of my above problems?


  • Related Answers
  • lorenzog

    Your problem is a common one: mainly, the difficult balance between security and usability.

    My suggestion is to use a slightly modified version of a mixed approach:

    • using cross-platform software like TrueCrypt prepare one or more encrypted volumes for your personal data that you DO NOT use daily (bank details, saved passwords, medical records, etc)
    • the reason to use more than one volume is that you might want to back them up on different media, or use different encryption schemes: for example, you might want to share your health records with somebody else and tell them your passphrase (which should be different from the one used for other volumes)
    • using a "standard" cross-platform software means you'll be able to recover your data from another OS on-the-fly, if your laptop is stolen/damaged
    • whole-disk encryption is often cumbersome and difficult. Although there are attacks for it (see the Evil Maid Attack), it turns out to be useful if you're afraid of what could happen if people have access to the whole system. For example, if you're using a company laptop, have no administrative access and there are VPN keys that should not get stolen
    • cached passwords for mail/web/apps are another issue: perhaps you might want to encrypt only your home directory? To optimize performance and security/usability you could:
      • encrypt all home dir
      • softlink to a non-encrypted directory on your filesystem for data you don't care about losing (music, video, etc)

    Again, do not forget that everything boils down to the value of what you have to lose, compared to the value of your time and cost of recovery.

  • chinmaya

    I don't encrypt the whole hard drive, it's just too much of admin/management thingie.

    So I use dm-encrypt to create a logical encrypted partition.

    I created a script around it, which I use daily, see if it helps you. I call this under .bashrc

    http://bitbucket.org/chinmaya/linux-scripts/src/tip/ch-enc

  • Maciek Sawicki

    You can use a pen drive for storing encryption keys. For best security it should be password protected, but it doesn't have to be.

    http://loop-aes.sourceforge.net/loop-AES.README look at example 7.

  • Scott McClenning

    I'm still relatively new to Linux, but I thought when you went to install the system there was a way to turn on whole-disk encryption. Also, TrueCrypt has a .deb package.

    I haven't used disk encryption on Linux yet, so perhaps these options have problems like you describe above. As far as the multiuser logon, perhaps TrueCrypt can be set up to use a key file on a USB drive. That way all you need is the laptop and the USB drive to access the files on the laptop.

    I'm still learning Linux myself, so I hope this helps.

  • dag729

    I'm interested in this too, and searching for a good answer I found this from tldp (it seems a bit outdated, but it might teach us something useful), this from tldp as well, and from sourceforge this.

    I'll give loop-aes from Sourceforge a try, for it seems the choice that better fits my needs.

    Hope that helps,

    Regards

  • Charles Stewart

    What are you worried about? What attack vectors? Before you can get serious about security, you have to have answers to these two questions.

    "Personal info" suggests that you are worried about things like identity theft, casual snoopers, &c. Something like keychain software is enough to protect bank login details, &c, but is impractical for large amounts of information.

    If you have a lot of data you want to protect, information that you don't need fast access to, and for which you are willing to pay a small recurring fee, then Amazon's S4 is a good option, totally removing worries about physical access, so that security is reduced to key management, which, again, is adequately solved by keychain software. Amazon don't see the contents of what you store this way, but only the encrypted result. Of course this means that if you mess up and lose the keys, Amazon can't help you.

    In the third case, where you want relatively fast access to a large amount of data, I recommend using not whole disk encryption, but whole partition encryption, per chinmaya's suggestion. Per directory encryption is a nuisance, and I don't recommend it: get the filing system to do the work.