Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Seeking feedback - location locked encrypted personal NAS
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Seeking feedback - location locked encrypted personal NAS

adamzadamz Member
edited March 2019 in General

I would like to get feedback about project, but if you criticize, please make a constructive comment rather than just saying "this is dumb".

Task was to create simple backup NAS secure against theft. The HDD is encrypted and no user input should be needed to boot while at premises, but when removed from premises, it must not boot. This is a personal NAS, data has no business value, hence protection is against simple grab&run thief.

NAS is Raspberry Pi 3B with 2.5" 4TB USB drive. Jumped 5V rail to USB5V line because HDD was audibly cycling when powered by USB2 only. Total working power was measured between 2.5-5W depending on the workload, which I find impressive. Speed is not that impressive, around 8-10MB/s, but it was expected using the RPi3, which sports 100Mbps Ethernet and USB2 only.

Now to the security and this is where I seek the input. The USB drive is encrypted using 25 character password stored inside boot script located in /root/secure.img file mounted as /root/secure folder at the boot-time. This /root/secure.img file is encrypted using MAC address of the main WiFi router. I understand this is Achilles heal of the project, if thief steals all three devices (Pi, HDD, router) and keeps them together, NAS will happily boot. Ideally there should be a well hidden device on the network that would provide key pair over secure channel on boot (e.g. ESP8266), but I was visiting, in a hurry and did not have such device on hand.

Btw. I can log-in remotely and mount HDD manually in case it wont complete the boot.

Thanked by 1loyd

Comments

  • dfroedfroe Member, Host Rep

    Not saying "this is dumb", but probably a bit.. risky? :)

    What happens if a power outage happens and my wifi router dies...?

    You could maybe do an ARP scan of your LAN and decrypt your key with a concatenation of n-1 MAC addresses which requires multiple key slots to decrypt your master key. But it will give you some kind of "redundancy". :)

    You could also place the key file on another device in your LAN and for example retrieve it via TFTP/SSH during boot. Maybe you'll find a smart place to hide this keyring.

    Just some thoughts before falling asleep, leaving the place for others with more smart ideas. :wink:

    Thanked by 2eol adamz
  • eoleol Member

    For the thief, you could store a duplicate machine (backup) in the basement (powerlan).
    Alternatively a VPS somewhere.

    Like already mentioned you could improve offline data retrieval.

    Also you could upgrade to USB3.0 and 1 Gbps.

    Additionally (and that's my personal favourite) you could do nothing.

    My 20 euros.

    Thanked by 1adamz
  • adamzadamz Member

    @eol said:
    Also you could upgrade to USB3.0 and 1 Gbps.

    Have yet to find a reliable embedded device with such specs. Had Odroid XU4, and it would copy few GB and then freeze up. There were other problems too. Have few Orange Pis in the drawer that I did not seriously test yet. On another hand I have built quite a few projects with Raspberries and you set them up and they work for months or even years without requiring any attention. Perhaps Raspberry Pi 4 will have 1Gbps and USB3.

    Thanked by 2eol loyd
  • eoleol Member

    Ok.
    Didn't knew the XU4 is that unreliable.

  • KuJoeKuJoe Member, Host Rep

    I find ODroid so much better than Raspberry Pi's in terms of performance, stability, and reliability. I have a handful of Raspberry Pi's but they would all lose network connection after 24-48 hours (Raspberry Pi B+, 2, and 3). As for my ODroids, my XU4 (NAS) and my C1 (server) have never gone offline unexpectedly. My Raspberry Pis mostly collect dust except my Zero-W that I use for gaming sometimes, ODroids just win hands down.

    I read that the Raspberry Pi 4 is going to have a 1Gbps port but it'll be limited to 300Mbps since it'll be using the USB 2.0 bus still.

    The Orange Pi is the best non-ODroid alternative that I've tested.

    Thanked by 2eol uptime
  • uptimeuptime Member
    edited March 2019

    @adamz said:
    Had Odroid XU4, and it would copy few GB and then freeze up

    That's the one that often comes with a fan and heatsink mounted?

    Aggressively throttling CPU clock for has historically been the go-to for thermal management on raspberry pi boards.

    Some of the older Allwinner CPU-based boards (orange pi etc) would (alternatively) shut down cores to cool off under load ...

    Point being make sure your boards aren't overheating. They'll run faster and hopefully last longer.

    Cheapest reliable board I've found with usb-3 is the espressobin - $50 with gigabit ethernet and a Marvell ARMADA cpu which tends to run hot but is pretty solid. An external 8 TB disk via usb-3 has been getting better than 20 MB/s write speed (raw speed, haven't tried with LUKS) - could always do sata with ssd for more speed but haven't yet felt the need.

    There are a few other options for usb-3 since the espressobin came out (over a year ago) but that's the one I've been using long enough to vouch for.

    As for the location locking aspect ... no ideas from a quick read, but seems like some grist for the mill on the Schneier blog - there is an open-topic post on Fridays.

    It may be prudent to brush up on Bruce Schneier facts before posting questions there. ("Bruce Schneier factors integers in constant time" etc.)

    And assume he and all commenters there work for or are otherwise coopted by the NSA, but that shouldn't be an issue for your use case.

    Serverfault might be another venue to field your question.

    I'm guessing you might get some more better low-end feedback on your setup here as well.

    Thanked by 1eol
  • eoleol Member

    The Orange Pi PC/Allwinner H3 will even run Slackware ARM afaik.

    Thanked by 1uptime
  • @eol said:
    The Orange Pi PC/Allwinner H3 will even run Slackware ARM afaik.

    also OpenBSD

    just noticed OpenBSD runs on some nice ARM64 critters too.

    Thanked by 1eol
  • "this is elaborate"

    If I were you probably lock is enough to just prevent simple run and grab thief. If there is nothing valuable in the hdd, the thief will just format the hdd. Which makes the encryption pretty much useless.

  • WolfWolf Member

    "this is dumb"

    Thanked by 1eol
Sign In or Register to comment.