Forgot your password?
typodupeerror
Data Storage Operating Systems BSD

Building a Fully Encrypted NAS On OpenBSD 196

Posted by kdawson
from the peace-of-mind dept.
mistermark writes "Two years ago this community discussed my encrypted file server. That machine has kept running and running up until a failing drive and a power outage this last week. So, it's time to revise everything and add RAID to it as well. Now you can have an on-the-fly encrypting/decrypting NAS with the data security of RAID, all in one. Here is the how-to."
This discussion has been archived. No new comments can be posted.

Building a Fully Encrypted NAS On OpenBSD

Comments Filter:
  • Re:OK (Score:1, Informative)

    by Anonymous Coward on Monday July 16, 2007 @12:02AM (#19873075)
    Network Attached Storage
  • freenas... (Score:5, Informative)

    by Tmack (593755) on Monday July 16, 2007 @12:46AM (#19873301) Homepage Journal
    Meh...

    1. download FreeNAS [freenas.org]
    2. install to USB/CF drive (it needs ~32Mb)
    3. configure * reboot on the USB/CF drive (or if your mobo cant boot to those, maybe a CD or spare HD)
    4. ?
    5. Profit!

    Tm

  • Re:Already done (Score:3, Informative)

    by Architect_sasyr (938685) on Monday July 16, 2007 @01:28AM (#19873489)
    It does not. If we read through the article we do find, however, that the author suggests FreeNAS for a NAS, OR CryptoBox [cryptobox.org] for hardware encryption. IMHO neither solution leads to the extension into a full blown server that the OpenBSD option gives.

    My $0.02 AU
  • by Ayanami Rei (621112) * <rayanami@gmail . c om> on Monday July 16, 2007 @01:48AM (#19873571) Journal
    Use dm-crypt with LUKS in the aes-cbc-essiv:sha256 mode (should be the default). There are policy issues and known plaintext attacks against loop-AES unless you the multi-key setup which _isn't_ the default... by the times the issues were widely known people were using LUKS because key management is more flexible.
  • by kwark (512736) on Monday July 16, 2007 @03:26AM (#19873965)
    What! You are saying that Ubuntu doesn't do this on install? Even the Debian Installer has support for these kind of setups.
  • by Kryten107 (1128675) on Monday July 16, 2007 @03:49AM (#19874035)

    Hopefully in the coming years some open source projects will get started to do what Home server will be doing.
    Take a look here: http://www.ubuntuhomeserver.org/ [ubuntuhomeserver.org] Yes, I know, it's Ubuntu, but the point is that there are some people in the community that are trying to make it happen. Almost all the necessary services exist, it's just a matter of gluing them together and slapping a decent GUI on it.
  • Re:freenas... (Score:1, Informative)

    by Anonymous Coward on Monday July 16, 2007 @04:49AM (#19874255)
    I could not really find out whether FreeNAS supports encryption, but there is another FLOSS alternative: the CryptoBox project. It uses dmcrypt, is multi-user capable and has a nice Web GUI.


    http://cryptobox.org/ [cryptobox.org]

  • Suggestions (Score:4, Informative)

    by LuSiDe (755770) on Monday July 16, 2007 @05:50AM (#19874439)
    OpenBSD on a fileserver? Firewall, sure. Fileserver w/RAID and disk encryption, no way. I would leave that task to FreeBSD (FreeNAS) or Linux (CryptoBox, Openfiler). If you are desperate for encrypted FS + RAID you can use MD + LUKS (Linux) or GRAID5 + GELI (FreeBSD) those are all available via FreeNAS, CryptoBox, and Openfiles. Suffice to say both have proven their stability, have a rich set of features [wikipedia.org] (e.g. LRW), and are simple to set-up. The end-user NAS solutions are pretty sophisticated and have good web interfaces.

    20 MB/sec is quite a shit performance IMO however if you don't use gigabit it'd be good enough. With GELI there is about 55% overhead compared to plain text. I haven't compared LUKS to plain text hence can't compare. On a side note, I doubt its useful to encrypt data you're receiving from distributed areas, nor that its useful to put such data in a RAID. A NAS doesn't run BitTorrent. If you're paranoid whereas you share your data over SMB, that might be the weakest point.

    For our ricer folk, a nice, expensive RAID controller is necessary. For the smart people among this planet: do software XOR by getting an EE (or SFF) dual core AMD which are cheap and have a a low 10 idle W and have a low TDP (the SFF has 35W TDP). Get 4 Samsung SpinPoint T166 SATA (silent, low power, best bang for buck) and you have 1,5 TB RAID. All in all this costs about 650 EUR (probably less in USA) w/all hardware new including case, 2 * 1 GB RAM (2 * 0,5 GB would suffice too), and PSU. I should know, I bought and build such machine.

    Forget ZFS for now. OpenSolaris has bad hardware support, and it is only partly ported on FreeBSD 7.0-CURRENT where it isn't stable and a bug in it takes the whole system down. While it does have a rich set of features, it also doesn't support encryption yet, although the feature has been planned for a year and perhaps on FreeBSD it can be used together with GELI. Performance of ZFS is also not to write home about compared to GRAID5. ZFS isn't mature yet. Nor is FreeBSD 7.0-CURRENT, ofcourse. It'll be part of FreeBSD 7.0 however, as an experimental feature.
  • by CastrTroy (595695) on Monday July 16, 2007 @08:57AM (#19875231) Homepage
    Actually, Identical drives are in fact, not identical. What they are is built to the same specifications. They actually use different atoms and molecules to make up the components of the drive. They were most likely manufactured on different days, or at least at different times. If you took two drives from the same production line, and put them through the exact same usage, I imagine the probability of them both breaking within the same week to be somewhere close to zero, maybe even close to requiring the "Heart of Gold". I've never seen a corporate Raid setup that used different models of drives for drives in the same array, and have never heard of this being an issue.

The amount of weight an evangelist carries with the almighty is measured in billigrahams.

Working...