
Building a Fully Encrypted NAS On OpenBSD 196

mistermark writes "Two years ago this community discussed my encrypted file server. That machine has kept running and running up until a failing drive and a power outage this last week. So, it's time to revise everything and add RAID to it as well. Now you can have an on-the-fly encrypting/decrypting NAS with the data security of RAID, all in one. Here is the how-to."
This discussion has been archived. No new comments can be posted.

  • Re:OK (Score:1, Informative)

    by Anonymous Coward on Monday July 16, 2007 @12:02AM (#19873075)
    Network Attached Storage
  • freenas... (Score:5, Informative)

    by Tmack ( 593755 ) on Monday July 16, 2007 @12:46AM (#19873301) Homepage Journal
    Meh...

    1. download FreeNAS [freenas.org]
    2. install to USB/CF drive (it needs ~32Mb)
    3. configure * reboot on the USB/CF drive (or if your mobo can't boot to those, maybe a CD or spare HD)
    4. ?
    5. Profit!

    Tm

  • Re:Already done (Score:3, Informative)

    by Architect_sasyr ( 938685 ) on Monday July 16, 2007 @01:28AM (#19873489)
    It does not. If we read through the article we do find, however, that the author suggests FreeNAS for a NAS, OR CryptoBox [cryptobox.org] for hardware encryption. IMHO neither solution leads to the extension into a full-blown server that the OpenBSD option gives.

    My $0.02 AU
  • by Ayanami Rei ( 621112 ) * <rayanami AT gmail DOT com> on Monday July 16, 2007 @01:48AM (#19873571) Journal
    Use dm-crypt with LUKS in the aes-cbc-essiv:sha256 mode (should be the default). There are policy issues and known plaintext attacks against loop-AES unless you use the multi-key setup, which _isn't_ the default... by the time the issues were widely known people were using LUKS because key management is more flexible.
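One way to confirm that an existing LUKS volume really uses the cipher mode named in the comment above. This is an added example, not part of the thread: the `cryptsetup luksDump` text is a constructed LUKS1 sample, and the function names are hypothetical.

```python
import re

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 volume
# (device name and values are made up for this example).
SAMPLE_DUMP = """\
LUKS header information for /dev/md0

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
"""

def parse_luks_dump(text):
    """Return (header fields, list of enabled key slot numbers)."""
    fields, slots = {}, []
    for line in text.splitlines():
        m = re.match(r"Key Slot (\d+):\s*(\w+)", line)
        if m:
            if m.group(2) == "ENABLED":
                slots.append(int(m.group(1)))
            continue
        # Split on the first colon only: the mode itself contains one.
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields, slots

def check_volume(text, expected="aes-cbc-essiv:sha256"):
    """Compare the volume's dm-crypt cipher spec with the expected one."""
    fields, slots = parse_luks_dump(text)
    spec = f"{fields['Cipher name']}-{fields['Cipher mode']}"
    problems = []
    if spec != expected:
        problems.append(f"cipher spec is {spec}, expected {expected}")
    if not slots:
        problems.append("no enabled key slot")
    return spec, slots, problems

if __name__ == "__main__":
    print(check_volume(SAMPLE_DUMP))
    # A volume formatted with a plain (sector-number) IV is reported.
    print(check_volume(SAMPLE_DUMP.replace("cbc-essiv:sha256", "cbc-plain")))
```

On a real system the input would be the output of `cryptsetup luksDump <device>` run as root.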
  • by kwark ( 512736 ) on Monday July 16, 2007 @03:26AM (#19873965)
    What! You are saying that Ubuntu doesn't do this on install? Even the Debian Installer has support for these kinds of setups.
  • by Kryten107 ( 1128675 ) on Monday July 16, 2007 @03:49AM (#19874035)

    Hopefully in the coming years some open source projects will get started to do what Home server will be doing.
    Take a look here: http://www.ubuntuhomeserver.org/ [ubuntuhomeserver.org] Yes, I know, it's Ubuntu, but the point is that there are some people in the community that are trying to make it happen. Almost all the necessary services exist, it's just a matter of gluing them together and slapping a decent GUI on it.
  • Re:freenas... (Score:1, Informative)

    by Anonymous Coward on Monday July 16, 2007 @04:49AM (#19874255)
    I could not really find out whether FreeNAS supports encryption, but there is another FLOSS alternative: the CryptoBox project. It uses dmcrypt, is multi-user capable and has a nice Web GUI.


    http://cryptobox.org/ [cryptobox.org]

  • Suggestions (Score:4, Informative)

    by LuSiDe ( 755770 ) on Monday July 16, 2007 @05:50AM (#19874439)
    OpenBSD on a fileserver? Firewall, sure. Fileserver w/RAID and disk encryption, no way. I would leave that task to FreeBSD (FreeNAS) or Linux (CryptoBox, Openfiler). If you are desperate for encrypted FS + RAID you can use MD + LUKS (Linux) or GRAID5 + GELI (FreeBSD); those are all available via FreeNAS, CryptoBox, and Openfiler. Suffice to say both have proven their stability, have a rich set of features [wikipedia.org] (e.g. LRW), and are simple to set up. The end-user NAS solutions are pretty sophisticated and have good web interfaces.

    20 MB/sec is quite a shit performance IMO; however, if you don't use gigabit it'd be good enough. With GELI there is about 55% overhead compared to plain text. I haven't compared LUKS to plain text hence can't compare. On a side note, I doubt it's useful to encrypt data you're receiving from distributed areas, nor that it's useful to put such data in a RAID. A NAS doesn't run BitTorrent. If you're paranoid whereas you share your data over SMB, that might be the weakest point.

    For our ricer folk, a nice, expensive RAID controller is necessary. For the smart people among this planet: do software XOR by getting an EE (or SFF) dual core AMD which are cheap and have a low 10 idle W and have a low TDP (the SFF has 35W TDP). Get 4 Samsung SpinPoint T166 SATA (silent, low power, best bang for buck) and you have 1,5 TB RAID. All in all this costs about 650 EUR (probably less in USA) w/all hardware new including case, 2 * 1 GB RAM (2 * 0,5 GB would suffice too), and PSU. I should know, I bought and built such a machine.

    Forget ZFS for now. OpenSolaris has bad hardware support, and it is only partly ported on FreeBSD 7.0-CURRENT where it isn't stable and a bug in it takes the whole system down. While it does have a rich set of features, it also doesn't support encryption yet, although the feature has been planned for a year and perhaps on FreeBSD it can be used together with GELI. Performance of ZFS is also not to write home about compared to GRAID5. ZFS isn't mature yet. Nor is FreeBSD 7.0-CURRENT, of course. It'll be part of FreeBSD 7.0 however, as an experimental feature.
  • by CastrTroy ( 595695 ) on Monday July 16, 2007 @08:57AM (#19875231)
    Actually, identical drives are, in fact, not identical. What they are is built to the same specifications. They actually use different atoms and molecules to make up the components of the drive. They were most likely manufactured on different days, or at least at different times. If you took two drives from the same production line, and put them through the exact same usage, I imagine the probability of them both breaking within the same week to be somewhere close to zero, maybe even close to requiring the "Heart of Gold". I've never seen a corporate RAID setup that used different models of drives for drives in the same array, and have never heard of this being an issue.
