Re: Encryption on a QNAP
On Tue, 2014-06-24 at 22:25 +0100, Tim Fletcher wrote:
> On 24/06/14 18:56, Ian Campbell wrote:
> > On Tue, 2014-06-24 at 17:18 +0200, Lee Williams wrote:
> > > Hello, since I have to reinstall my NAS on a new HDD, I thought it would be a good idea to set up encryption this time. But I'm not sure how exactly I should start on this. I think the standard way to do this is using the dm-crypt facilities built into the Debian installer.
> > >
> > > Now, will this work with a headless machine where I can't enter anything on boot time?
> >
> > That was my thought too. Out of the box? Probably not.
>
> Pretty much:
>
> apt-get install dropbear ; update-initramfs -k all -u
>
> http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/

Wow. I'm once again impressed by Debian's flexibility! Someone really has thought of everything!

Ian.

-- 
To UNSUBSCRIBE, email to debian-arm-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1403679639.1829.41.ca...@dagon.hellion.org.uk
Encryption on a QNAP
Hello,

since I have to reinstall my NAS on a new HDD, I thought it would be a good idea to set up encryption this time. But I'm not sure how exactly I should start on this. I think the standard way to do this is using the dm-crypt facilities built into the Debian installer.

Now, will this work with a headless machine where I can't enter anything on boot time? If it's possible to disable SWAP and encrypt /home, could it be mounted remotely after boot? And what about services that run on those volumes, they should surely start after the mount, shouldn't they?

Finally, is this even a good idea? Will it cost too much performance? I'm using a TS-119 and am not sure if any crypto would be accelerated.

Thanks,
Lee
Re: Encryption on a QNAP
On Tue, 2014-06-24 at 17:18 +0200, Lee Williams wrote:
> Hello, since I have to reinstall my NAS on a new HDD, I thought it would be a good idea to set up encryption this time. But I'm not sure how exactly I should start on this. I think the standard way to do this is using the dm-crypt facilities built into the Debian installer.
>
> Now, will this work with a headless machine where I can't enter anything on boot time?

That was my thought too. Out of the box? Probably not.

> If it's possible to disable SWAP and encrypt /home,

The installer will allow this I think (you'll need to ignore the warning about no swap).

> could it be mounted remotely after boot?

You'd likely have to arrange for all that yourself and you'd be going pretty far off the beaten track I think, which probably means hacking something up yourself (even after googling for prior art would be my guess), but if you are willing to spend the time making it work it ought to be possible in theory.

> And what about services that run on those volumes, they should surely start after the mount, shouldn't they?

They would certainly normally start after the mount, but if you were deferring the mount somehow then you might need to arrange to defer those services too. Or otherwise to stall the boot process until things were remotely enabled somehow.

> Finally, is this even a good idea? Will it cost too much performance? I'm using a TS-119 and am not sure if any crypto would be accelerated.

TS-119 is kirkwood based I think, so there is some hardware acceleration (md5, sha-1, aes) and an associated kernel driver (mv_cesa). I don't know to what extent that is useful for dm-crypt etc though (md5 obviously not so much ;-)).

Ian.

-- 
To UNSUBSCRIBE, email to debian-arm-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1403632594.1829.25.ca...@dagon.hellion.org.uk
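Two of the points in Ian's reply are easy to check or prepare from a shell, so here is an added example (not code from the thread or from Debian) that does both without touching a live system: it parses a /proc/crypto-style listing to see which AES driver the kernel would hand to dm-crypt (the kernel picks the highest-priority implementation registered under an algorithm name, so a hardware driver such as one from mv_cesa only helps if it appears there for the cipher mode you actually use), and it prints the /etc/crypttab and /etc/fstab entries plus the post-boot commands for a /home volume that stays closed at boot and is opened over ssh afterwards, with its services started only then. The /proc/crypto listing is constructed sample data; the device paths, the mapping name `home` and the service name `samba` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Two things Ian's reply raises:
# (1) will dm-crypt actually use the Kirkwood mv_cesa engine, and (2) how to
# keep an encrypted /home closed at boot and open it (plus its services) by
# hand afterwards. Nothing here touches the live system; it only prints.
set -eu

# Constructed /proc/crypto-style listing (sample data, not captured from a
# real TS-119). Each entry lists name, driver, module, priority, ...
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : mv-cbc-aes
module       : mv_cesa
priority     : 300
refcnt       : 1
selftest     : passed
type         : ablkcipher

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : blkcipher

name         : xts(aes)
driver       : xts(aes-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : blkcipher
EOF
}

# best_driver_for ALGO < /proc/crypto
# Prints the driver with the highest priority registered under ALGO
# (e.g. "cbc(aes)"), or nothing if ALGO is absent. The kernel's own
# selection rule is "highest priority wins", which this reproduces.
best_driver_for() {
    awk -v want="$1" '
        BEGIN { best = -1; bestdrv = "" }
        $1 == "name"     { name = $3 }
        $1 == "driver"   { driver = $3 }
        $1 == "priority" { if (name == want && $3 + 0 > best) { best = $3 + 0; bestdrv = driver } }
        END { print bestdrv }
    '
}

# /etc/crypttab entry for a LUKS /home that is NOT opened at boot (noauto),
# so a headless box still comes up and the volume is unlocked later.
crypttab_noauto_line() {   # usage: crypttab_noauto_line NAME DEVICE
    printf '%s %s none luks,noauto\n' "$1" "$2"
}

# Matching /etc/fstab entry: noauto so boot does not block on the mapping.
fstab_noauto_line() {      # usage: fstab_noauto_line NAME MOUNTPOINT
    printf '/dev/mapper/%s %s ext4 defaults,noauto 0 2\n' "$1" "$2"
}

# Commands to run after boot (over ssh) to unlock, mount and then start the
# services that live on the volume. cryptdisks_start is the Debian cryptsetup
# helper that reads /etc/crypttab and prompts for the passphrase.
post_boot_unlock_commands() {   # usage: post_boot_unlock_commands NAME MOUNTPOINT SERVICE...
    name=$1; mnt=$2; shift 2
    printf 'cryptdisks_start %s\n' "$name"
    printf 'mount %s\n' "$mnt"
    for svc in "$@"; do printf 'service %s start\n' "$svc"; done
}

# Stand-alone demo output.
echo "cbc(aes) driver: $(sample_proc_crypto | best_driver_for 'cbc(aes)')"
echo "xts(aes) driver: $(sample_proc_crypto | best_driver_for 'xts(aes)')"
crypttab_noauto_line home /dev/disk/by-uuid/CONSTRUCTED-UUID
fstab_noauto_line home /home
post_boot_unlock_commands home /home samba
```

On a real box run `best_driver_for 'xts(aes)' < /proc/crypto`: if only a generic driver comes back for the mode your cipher spec uses (the installer default is aes-xts-plain64), dm-crypt will run that cipher in software whatever mv_cesa accelerates. For the deferred-start part, the services listed in `post_boot_unlock_commands` also need to be taken out of the normal boot sequence once (`update-rc.d SERVICE disable` on a sysvinit system), otherwise they start against an empty mount point.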
Re: Encryption on a QNAP
On Tue, Jun 24, 2014 at 7:56 PM, Ian Campbell i...@hellion.org.uk wrote:
> On Tue, 2014-06-24 at 17:18 +0200, Lee Williams wrote:

Lee, are you on the list or should we continue to cc?

> > Hello, since I have to reinstall my NAS on a new HDD, I thought it would be a good idea to set up encryption this time. But I'm not sure how exactly I should start on this. I think the standard way to do this is using the dm-crypt facilities built into the Debian installer.
> >
> > Now, will this work with a headless machine where I can't enter anything on boot time?
>
> That was my thought too. Out of the box? Probably not.

If you have serial console, it will work OOTB. I've done it on the SheevaPlug and it worked just fine entering the passphrase on the console.

> > If it's possible to disable SWAP and encrypt /home,
>
> The installer will allow this I think (you'll need to ignore the warning about no swap)

You can encrypt swap too, but you use the option to generate a random key at every boot (the option is available in the installer). There are plenty of guides around, just Google it.

> > could it be mounted remotely after boot?
>
> You'd likely have to arrange for all that yourself and you'd be going pretty far off the beaten track I think, which probably means hacking something up yourself (even after googling for prior art would be my guess) but if you are willing to spend the time making it work it ought to be possible in theory.

I've done this too, and it's not even hard. What you do is put dropbear in the initrd so you can ssh to the box pre-boot-time and enter the passphrase. Look e.g. at https://www.google.com/search?q=dropbear%20in%20initrd

> > And what about services that run on those volumes, they should surely start after the mount, shouldn't they?
>
> They would certainly normally start after the mount, but if you were deferring the mount somehow then you might need to arrange to defer those services too. Or otherwise to stall the boot process until things were remotely enabled somehow.
>
> > Finally, is this even a good idea? Will it cost too much performance? I'm using a TS-119 and am not sure if any crypto would be accelerated.
>
> TS-119 is kirkwood based I think, so there is some hardware acceleration (md5, sha-1, aes) and an associated kernel driver (mv_cesa). I don't know to what extent that is useful for dm-crypt etc though (md5 obviously not so much ;-)).

If you use the installer, as I have, your performance will suffer severely. I used it for a torrent box, which was fine, but if you e.g. plan to stream HD content it's another story completely. I never tried custom kernels or the like.

Good luck
Björn
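Björn's two suggestions (random-key encrypted swap, and dropbear in the initrd so the LUKS passphrase can be typed over ssh, which is also the `apt-get install dropbear ; update-initramfs -k all -u` recipe Tim quotes later in the thread) both come down to a few configuration files. The following is an added example, not code from the thread, from Debian or from the dropbear package: it stages those files under a prefix directory so they can be inspected before being copied into place. Assumptions to check against your release: the authorized_keys location `/etc/initramfs-tools/root/.ssh/` is the one the wheezy-era dropbear initramfs hook read (later Debian releases moved it); `IP=` in `/etc/initramfs-tools/initramfs.conf` uses the kernel `ip=` syntax; the device path, address and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Stages (a) a swap partition keyed
# from /dev/urandom at every boot and (b) the ssh key and static address an
# initramfs dropbear needs, all under a prefix directory, never on the live
# system. After copying the files into place, run: update-initramfs -u
set -eu

# /etc/crypttab line for swap with a fresh random key each boot: the key is
# never stored, so whatever was swapped out is unrecoverable after power-off.
crypttab_random_swap_line() {   # usage: crypttab_random_swap_line DEVICE
    # Use a stable path (/dev/disk/by-id/...) so a renumbered /dev/sdX is
    # never wiped by mistake.
    printf 'cswap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1"
}

# /etc/fstab line that uses the mapping rather than the raw partition.
fstab_random_swap_line() {
    printf '/dev/mapper/cswap none swap sw 0 0\n'
}

# Install the public key the initramfs dropbear will accept.
# Path assumption: /etc/initramfs-tools/root/.ssh/authorized_keys (wheezy-era
# dropbear hook); newer releases read a different file, check your version.
install_initramfs_ssh_key() {   # usage: install_initramfs_ssh_key PREFIX PUBKEY_LINE
    dir="$1/etc/initramfs-tools/root/.ssh"
    # Refuse anything that is not a single "ssh-<type> <base64> ..." line, so a
    # private key or a stray file can never end up in the initrd.
    case "$2" in
        ssh-*\ *) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    chmod 700 "$dir"
    printf '%s\n' "$2" > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    echo "$dir/authorized_keys"
}

# Give the initramfs a static address so dropbear is reachable before the
# real network configuration exists. IP= follows the kernel ip= syntax:
# client:server:gateway:netmask:hostname:device:autoconf
initramfs_static_ip() {   # usage: initramfs_static_ip PREFIX ADDR GATEWAY NETMASK HOST IFACE
    mkdir -p "$1/etc/initramfs-tools"
    printf 'IP=%s::%s:%s:%s:%s:none\n' "$2" "$3" "$4" "$5" "$6" \
        >> "$1/etc/initramfs-tools/initramfs.conf"
}

# Stand-alone demo: everything lands in a throwaway prefix.
DEMO=$(mktemp -d)
crypttab_random_swap_line /dev/disk/by-id/CONSTRUCTED-disk-part2
fstab_random_swap_line
install_initramfs_ssh_key "$DEMO" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed admin@constructed"
initramfs_static_ip "$DEMO" 192.0.2.10 192.0.2.1 255.255.255.0 nas eth0
cat "$DEMO/etc/initramfs-tools/initramfs.conf"
rm -rf "$DEMO"
```

Once the rebuilt initrd is booted you ssh to the `IP=` address as root with that key and supply the passphrase; on Debian of this era that meant writing it to `/lib/cryptsetup/passfifo`, while current releases ship a `cryptroot-unlock` helper for the same job. Keep a serial console handy for the first attempt, since a typo in `IP=` leaves the box stuck at the passphrase prompt with no way in.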