
Re: Encryption on a QNAP



On Tue, Jun 24, 2014 at 7:56 PM, Ian Campbell <ijc@hellion.org.uk> wrote:
On Tue, 2014-06-24 at 17:18 +0200, Lee Williams wrote:

Lee, are you on the list or should we continue to cc? 

> Hello,
>
>
> since I have to reinstall my NAS on a new HDD, I thought it would be a
> good idea to set up encryption this time. But I'm not sure how exactly
> I should start on this.
>
>
> I think the standard way to do this is using the dm-crypt facilities
> built into the Debian installer. Now, will this work with a headless
> machine where I can't enter anything on boot time?

That was my thought too. Out of the box? Probably not.

If you have serial console, it will work OOTB. I've done it on the SheevaPlug and it worked just fine entering the passphrase on the console.


> If it's possible to disable SWAP and encrypt /home,

The installer will allow this I think (you'll need to ignore the warning
about no swap)

You can encrypt swap too, but you use the option to generate a random key at every boot (the option is available in the installer). There are plenty of guides around, just Google it.

>  could it be mounted remotely after boot?

You'd likely have to arrange for all that yourself and you'd be going
pretty far of the beaten track I think, which probably means hacking
something up yourself (even after googling for prior art would be my
guess) but if you are willing to spend the time making it work it ought
to be possible in theory.

I've done this too, and it's not even hard. What you do is put dropbear in the initrd so you can ssh to the box pre-boot-time and enter the passphrase. Look e.g. at https://www.google.com/search?q=dropbear%20in%20initrd

>  And what about services that run on those volumes, they should surely
> start after the mount, shouldn't they?

They would certainly normally start after the mount, but if you were
deferring the mount somehow then you might need to arrange to defer
those services too. Or otherwise to stall the boot process until things
were remotely enabled somehow.

> Finally, is this even a good idea? Will it cost too much performance?
> I'm using a TS-119 and am not sure if any crypto would be accelerated.

TS-119 is kirkwood based I think, so there is some hardware acceleration
(md5, sha-1, aes) and an associated kernel driver (mv_cesa). I don't
know to what extent that is useful for dm-crypt etc though (md5
obviously not so much ;-)).

If you use the installer, as I have, your performance will suffer severely. I used it for a torrent box, which was fine, but if you e.g. plan to stream HD content it's another story completely. I never tried custom kernels or the like.

Good luck
Björn

Ian.
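An added example, not code from either poster, putting the pieces discussed above into one script: a crypttab/fstab pair for a LUKS root unlocked from the initramfs plus swap on a throwaway random key, a server-side setup step for dropbear in the initrd, and the client-side unlock over SSH. It assumes the Debian layout of that era in which the dropbear package ships an initramfs hook, reads keys from /etc/initramfs-tools/root/.ssh/authorized_keys, and the initramfs cryptsetup script takes the passphrase from /lib/cryptsetup/passfifo (later releases moved this to dropbear-initramfs and cryptroot-unlock). Device paths, mapper names and the key file are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): headless dm-crypt on a Debian ARM box.
# Root is unlocked over SSH into the initramfs; swap is keyed from
# /dev/urandom at every boot so nothing has to be entered for it.
# Assumptions: wheezy/jessie-style dropbear initramfs hook, authorized_keys at
# /etc/initramfs-tools/root/.ssh/authorized_keys, passphrase FIFO at
# /lib/cryptsetup/passfifo. All device paths below are placeholders.

# crypttab line for a LUKS root that the initramfs unlocks.
crypttab_root_entry() {
    printf '%s %s none luks\n' "$1" "$2"
}

# crypttab line for swap on a random key. No passphrase, and the old swap
# contents are unrecoverable after a reboot; the price is that hibernation
# (resume from swap) cannot work. Cipher and key size are given explicitly
# so plain-mode defaults do not apply.
crypttab_swap_entry() {
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# fstab line for that swap: the mapper device, never the raw partition.
fstab_swap_entry() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# A random-key swap line overwrites whatever device it names at every boot,
# so the source must be a name that cannot drift (by-id, by-path, PARTUUID).
# A filesystem UUID= is no use either: once written with a random key the raw
# partition carries no stable signature. Returns 0 if the line is safe.
swap_line_safe() {
    set -- $1
    [ "$3" = /dev/urandom ] || return 1
    case "$2" in
        PARTUUID=*|/dev/disk/by-id/*|/dev/disk/by-path/*|/dev/disk/by-partuuid/*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-time server setup (as root): dropbear with its initramfs hook, the
# admin's public key inside the initrd, rebuilt initrd. The initramfs must
# also get an address; on a u-boot box that is "ip=dhcp" or a static
# "ip=addr::gw:mask:host:eth0" in bootargs (assumption about your setup).
setup_initramfs_ssh() {
    pubkey=$1
    [ "$(id -u)" -eq 0 ] || { echo 'run as root' >&2; return 1; }
    apt-get install -y dropbear
    install -d -m 0700 /etc/initramfs-tools/root/.ssh
    cat "$pubkey" >> /etc/initramfs-tools/root/.ssh/authorized_keys
    chmod 0600 /etc/initramfs-tools/root/.ssh/authorized_keys
    update-initramfs -u
}

# Client side: feed the passphrase over stdin rather than as a remote command
# argument, so it never shows up in a process list. The initrd's dropbear has
# its own host key, distinct from the installed system's sshd, so pin it in a
# separate known_hosts file instead of disabling host-key checking.
unlock_remote() {
    host=$1
    printf 'Passphrase for %s: ' "$host" >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    printf '%s' "$pass" | ssh -o UserKnownHostsFile="$HOME/.ssh/known_hosts.initrd" \
        "root@$host" 'cat > /lib/cryptsetup/passfifo'
}

case "${1:-}" in
    setup)  setup_initramfs_ssh "$2" ;;
    unlock) unlock_remote "$2" ;;
    show)   crypttab_root_entry sda2_crypt "UUID=$2"
            crypttab_swap_entry cswap "$3"
            fstab_swap_entry cswap ;;
esac
```

Run `sh unlock.sh show <root-luks-uuid> /dev/disk/by-id/<disk>-part3` to print the two crypttab lines and the fstab line, and `sh unlock.sh unlock nas` from another machine while the NAS sits in its initramfs waiting for the passphrase.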
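A second added example, again not from the thread, for the last two points raised above: holding a service until the encrypted volume is actually mounted, and finding out whether the Kirkwood crypto engine (mv_cesa) is what dm-crypt will get. Mount point, service name and the /proc/crypto excerpt are constructed; the driver name "mv-cbc-aes" is what I recall mv_cesa registering for cbc(aes), and the check reads the real answer from the running kernel.

```shell
#!/bin/sh
# Added example (not from the thread). Part 1: gate a service on a mount.
# Part 2: ask /proc/crypto which implementation wins for a cipher name.
# Names and the sample data are assumptions/constructed.

# Poll the mount table until MOUNTPOINT is present or TIMEOUT seconds pass.
# The table path is a parameter (default /proc/mounts) so the logic can be
# exercised against a sample file.
wait_for_mount() {
    mnt=$1; timeout=${2:-300}; table=${3:-/proc/mounts}
    i=0
    while :; do
        if awk -v m="$mnt" '$2 == m { found = 1 } END { exit !found }' "$table"; then
            return 0
        fi
        i=$((i + 1))
        [ "$i" -lt "$timeout" ] || return 1
        sleep 1
    done
}

# sysvinit-era wrapper: start the service only once the volume is there.
# With systemd the same gate is one unit line, RequiresMountsFor=/srv/data.
start_when_mounted() {
    mnt=$1; shift
    wait_for_mount "$mnt" 600 || { echo "$mnt not mounted, not starting $*" >&2; return 1; }
    "$@"
}

# Highest-priority driver registered for ALG in /proc/crypto: that is what
# the kernel crypto API hands to dm-crypt. "mv-cbc-aes" means the CESA
# engine; "cbc(aes-generic)" means software. Prints nothing if ALG is absent.
crypto_driver_for() {
    alg=$1
    awk -F' *: *' -v alg="$alg" '
        $1 == "name"     { name = $2 }
        $1 == "driver"   { drv = $2 }
        $1 == "priority" { p = $2 + 0
                           if (name == alg && p > best) { best = p; bestdrv = drv } }
        END { printf "%s\n", bestdrv }' "${2:-/proc/crypto}"
}

# The installer default is aes-xts-plain64, which asks for xts(aes); the
# engine offers cbc/ecb. Whether xts ends up on the engine depends on how the
# kernel composes templates, so report both rather than assuming.
report_accel() {
    f=${1:-/proc/crypto}
    for alg in 'cbc(aes)' 'xts(aes)'; do
        printf '%-10s %s\n' "$alg" "$(crypto_driver_for "$alg" "$f")"
    done
}

# Constructed /proc/crypto excerpt (not captured from a real box) in the
# shape the parser expects: the engine's cbc(aes) outranks the software one,
# and xts(aes) only has a software implementation.
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : mv-cbc-aes
module       : mv_cesa
priority     : 300
refcnt       : 1

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
refcnt       : 1

name         : xts(aes)
driver       : xts(aes-generic)
module       : kernel
priority     : 100
refcnt       : 1
EOF
}

case "${1:-}" in
    report) report_accel ;;
    start)  shift; start_when_mounted "$@" ;;
esac
```

`sh accel.sh report` on the NAS shows which driver each mode resolves to; pair it with `cryptsetup benchmark` for throughput numbers. `sh accel.sh start /srv/data /etc/init.d/transmission-daemon start` is the shape of the gated service start.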


Archive: https://lists.debian.org/1403632594.1829.25.camel@dagon.hellion.org.uk


