We recently had a break-in and found out about it when we were far from home. I worried about many things, among them the unencrypted files on my home NAS. Not that I have any state secrets buried, but the thought of having private e-mails, photos and so on in the hands of criminals just felt wrong. Fortunately the thieves left my computers, so I decided to do something about it.
I have an old NAS with FreeBSD 0.7.2 (no longer available) running FreeBSD 7. It does support encryption, albeit a bit manually. First I had to create a geli encryption key on the USB boot device:
umount /cf
mount -o rw /dev/da0a /cf
mkdir /cf/boot/keys
dd if=/dev/random of=/cf/boot/keys/nas.key bs=128k count=1
Next I destroyed the partition on the first disk to go and configured it for encryption with geli:
dd if=/dev/zero of=/dev/ad10 bs=512 count=10
geli init -b -K /cf/boot/keys/nas.key -s 4096 -l 256 /dev/ad10
geli attach -k /cf/boot/keys/nas.key /dev/ad10
Repeat with other drives (ad8 in this case) and create a mirror:
zpool create -m none nas-pool1 mirror /dev/ad10.eli /dev/ad8.eli
Then add the following to /cf/boot/loader.conf to enter the passphrases at boot time:
geli_ad8_keyfile0_load="YES"
geli_ad8_keyfile0_type="ad8:geli_keyfile0"
geli_ad8_keyfile0_name="/boot/keys/nas.key"
geli_ad10_keyfile0_load="YES"
geli_ad10_keyfile0_type="ad10:geli_keyfile0"
geli_ad10_keyfile0_name="/boot/keys/nas.key"
Reboot and make sure it works, then add additional drives and resilver. Peace of mind restored!
I use encrypted USB disks for my personal backups. When I tried to mount a disk on a CentOS 6 host recently it failed. What had happened? It turned out that I had used the default options for cryptsetup and the defaults changed between the versions used in CentOS 5 and 6. To fix the problem I simply had to specify the old default values:
cryptsetup create -c aes-cbc-plain -s 256 -h ripemd160 usbbackup /dev/sdd
Perhaps it is better to avoid defaults anyway.
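One way to catch this kind of drift before mounting, as an added example that is not part of the original post: compare the host's plain-mode defaults with the parameters the disk was created with, then print the fully explicit command. The function names, the layout of the "plain:" line in the `cryptsetup --help` text and the sample text itself are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: detect drift in cryptsetup plain-mode defaults.

# Parameters the backup disk was created with (the values from the post).
WANT_CIPHER="aes-cbc-plain"
WANT_KEYBITS="256"
WANT_HASH="ripemd160"

# Read help text on stdin and print "cipher keybits hash" from its "plain:" line.
# Assumption: the line looks like
#   plain: <cipher>, Key: <n> bits, Password hashing: <hash>
plain_defaults() {
    sed -n 's/^[[:space:]]*plain:[[:space:]]*\([^,]*\),[[:space:]]*Key:[[:space:]]*\([0-9]*\) bits,[[:space:]]*Password hashing:[[:space:]]*\([^,[:space:]]*\).*/\1 \2 \3/p'
}

# Print which defaults differ from what the disk needs. Prints an empty line
# when all three match and "unknown" when no "plain:" line could be parsed.
drifted() {
    set -- $(plain_defaults)
    [ $# -eq 3 ] || { echo "unknown"; return 0; }
    out=""
    [ "$1" = "$WANT_CIPHER" ] || out="$out cipher"
    [ "$2" = "$WANT_KEYBITS" ] || out="$out keysize"
    [ "$3" = "$WANT_HASH" ] || out="$out hash"
    echo "${out# }"
}

# Build the explicit command for mapping name $1 on device $2.
# It is only printed, never executed.
explicit_cmd() {
    echo "cryptsetup create -c $WANT_CIPHER -s $WANT_KEYBITS -h $WANT_HASH $1 $2"
}

# Constructed sample of the relevant help lines (not captured from a real host).
SAMPLE_HELP='Default compiled-in device cipher parameters:
    plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160'

# Demo on the constructed sample. On a real host, pipe the output of
# "cryptsetup --help" into drifted instead.
echo "defaults differ in: $(printf '%s\n' "$SAMPLE_HELP" | drifted)"
explicit_cmd usbbackup /dev/sdd
```

If `drifted` prints anything other than an empty line, relying on the defaults would map the disk with the wrong parameters, so use the printed explicit command.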