How do you use Truecrypt with NAS?

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
I was wondering if it would be possible to have a NAS that is encrypted by TC. How would I access the data on it if it is connected to my network?
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
It's really not a good idea. The best idea is to buy a NAS supporting encryption.

I know people who have tried mounting an encrypted container from a NAS but it is prone to corruption and gets slow when its size goes over a few gigabytes.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,301
68
91
www.frostyhacks.blogspot.com
You could have a NAS that required a preboot password where every time it was booted it would need the TrueCrypt password, but from then on it was in the clear for every user connecting across the network.

Or you could have a regular NAS drive with TrueCrypt container files stored on it which people could mount across the network.

Ideally use built-in encryption, however you have a very unusual attack surface with encryption on a shared resource since you want people on the network to get access to it, it's almost a pointless exercise anyway.
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
Yeah, but the NAS solutions out there that encrypt use AES, which I don't trust.
I would like a solution that is open source.
 

matricks

Member
Nov 19, 2014
194
0
0
> Yeah, but the NAS solutions out there that encrypt use AES, which I don't trust.
> I would like a solution that is open source.

I wonder if there are any encryption algorithms that have been analyzed more thoroughly than AES. And I wonder who might be after you.

FreeNAS is built on top of FreeBSD, and uses FreeBSD's GELI framework for encryption. It supports multiple algorithms, from the geli(8) manpage:

> Currently supported algorithms are: AES-XTS, AES-CBC, Blowfish-CBC, Camellia-CBC, 3DES-CBC, and NULL. The default and recommended algorithm is AES-XTS. NULL is unencrypted.

The FreeNAS GUI doesn't offer these choices, and presumably will only create AES-XTS encrypted volumes. You might be able to create them from the CLI to use other algorithms. If not, you can surely use FreeBSD directly instead of FreeNAS.

> Ideally use built-in encryption, however you have a very unusual attack surface with encryption on a shared resource since you want people on the network to get access to it, it's almost a pointless exercise anyway.

Protecting data from physical theft isn't that unusual, it's no different than people encrypting their laptops. Users with network access might not necessarily have physical access.
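
The CLI route mentioned in the post above, as an added example that is not part of the original thread and not FreeNAS's own code: a dry-run helper that prints the `geli init` and `geli attach` commands for a non-default cipher from the quoted geli(8) list, rejecting NULL and key lengths the chosen cipher does not take. The device name `/dev/da1` and the 4096-byte sector size are assumptions.

```shell
#!/bin/sh
# Added example: plan geli(8) commands for a cipher other than the AES-XTS default.
# Nothing is executed; the commands are only printed for review.

# keylen_ok ALGO BITS: succeed if geli accepts this key length for the cipher.
keylen_ok() {
    case "$1:$2" in
        AES-XTS:128|AES-XTS:256) return 0 ;;
        AES-CBC:128|AES-CBC:192|AES-CBC:256) return 0 ;;
        Camellia-CBC:128|Camellia-CBC:192|Camellia-CBC:256) return 0 ;;
        3DES-CBC:192) return 0 ;;
        # Blowfish takes 128..448 bits in 32-bit steps
        Blowfish-CBC:*) [ "$2" -ge 128 ] 2>/dev/null && [ "$2" -le 448 ] &&
                        [ $(($2 % 32)) -eq 0 ] ;;
        *) return 1 ;;
    esac
}

# geli_plan DEVICE ALGO [KEYLEN]: print the commands, one per line.
# Returns 2 on invalid input and 3 when asked for the unencrypted NULL mode.
geli_plan() {
    dev=$1 algo=$2 keylen=$3
    case "$dev" in
        *[!A-Za-z0-9/._-]*) echo "error: unexpected character in device" >&2; return 2 ;;
        /dev/?*) ;;
        *) echo "error: device must be a /dev path" >&2; return 2 ;;
    esac
    case "$algo" in
        AES-XTS|AES-CBC|Blowfish-CBC|Camellia-CBC|3DES-CBC) ;;
        NULL) echo "error: NULL leaves the provider unencrypted" >&2; return 3 ;;
        *) echo "error: not in the geli(8) algorithm list: $algo" >&2; return 2 ;;
    esac
    lopt=""
    if [ -n "$keylen" ]; then
        if ! keylen_ok "$algo" "$keylen"; then
            echo "error: $keylen-bit key is not valid for $algo" >&2; return 2
        fi
        lopt=" -l $keylen"   # without -l, geli uses the cipher's default length
    fi
    echo "geli init -e $algo$lopt -s 4096 $dev"
    echo "geli attach $dev"
}

# Constructed sample call: placeholder device, Camellia with a 256-bit key.
geli_plan /dev/da1 Camellia-CBC 256
```

Review the printed commands and run them as root on the FreeBSD host; the filesystem or pool then goes on the resulting `.eli` device.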
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
AES is insecure. If the gov has a backdoor to it, it is just a matter of time before the criminals do also. What am I talking about? They ARE criminals.
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
> AES is insecure. If the gov has a backdoor to it, it is just a matter of time before the criminals do also. What am I talking about? They ARE criminals.

You do realise that AES is an open standard?

A backdoor is extremely unlikely and if there was one they would only use it in the most exceptional high profile cases. If word got out the game would be up. So even if they did have a backdoor - you're safe.


Also, food for thought - Old but a good read.
https://www.schneier.com/paper-twofish-final.pdf
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
Yeah, AES is supported for Top Secret from what I read. It's supported by CPUs and is used for SSL. You can use a cascade of ciphers though, but that would slow things down. You can use TC to do a speed test on the different encryption schemes.
 

unokitty

Diamond Member
Jan 5, 2012
3,346
1
0
> Yeah, AES is supported for Top Secret from what I read. It's supported by CPUs and is used for SSL. You can use a cascade of ciphers though, but that would slow things down. You can use TC to do a speed test on the different encryption schemes.


Do you have a reference for that?

My perception is that AES is only authorized for use on sensitive but unclassified data. From FIPS 197:
> This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P. L. 100-235) requires cryptographic protection.
>
> Other FIPS-approved cryptographic algorithms may be used in addition to, or in lieu of, this standard. Federal agencies or departments that use cryptographic devices for protecting classified information can use those devices for protecting sensitive (unclassified) information in lieu of this standard.
>
> In addition, this standard may be adopted and used by non-Federal Government organizations. Such use is encouraged when it provides the desired security for commercial and private organizations.

Uno
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81