December 19, 2008 08:59 PM

Categories: Security and User Management


JohnBick

  Member
Joined: 05/05/2008

OK, you all know I am paranoid about backups. But I have a security/cryptography background and that got me thinking about the use of encryption of MSS (WHS) systems.

I grabbed a copy of TrueCrypt (http://www.truecrypt.org/) and installed it on my MSS/WHS. Swapped my non-pool drives around to have 1TB as the external, deleted everything on it and have encrypted the entire volume. Mounted that volume and am about to back up the shares to it as well as my backup database. I chose levels of protection that should be more than adequate -- the defaults are OK for US Government "Top Secret" information -- and would not be comfortable leaving my backup disk almost anywhere (rather than only in a Safe Deposit box). All this, so far, from an RDP session. Next will be to get it to run using Advanced Admin Console, but I do not expect that to be a problem.

By the way, I also installed it on my Vista Client and have encrypted a couple 8GB "sticks" that I use for financial data. Now I am comfortable leaving one in the car and another in the camera bag.

Yep, I'm paranoid!

So, why the thread? I am thinking of taking this another step and seeing if we can encrypt the entire MSS pool... Anyone tried anything like this yet? (And why have I not thought to suggest this as a feature for the next generation of WHS before now?)

...JohnBick


December 25, 2008 11:24 AM

I don't see why you couldn't encrypt the entirety of the pool. However, I have two concerns.

The first being the degrading of system performance. My employer runs full drive encryption on our laptops. This really drags the machine into the ground and significantly increases boot times.

My second concern involves how effective the encryption would be. By encrypting the whole pool, you would protect your data if anyone were to get their hands on your physical drives. However, if someone manages to defeat security and log into the server either from the web or internally on your network, the system would decrypt the data at the time of access. So what have you really bought yourself other than a fun new project and some bragging rights? Basically, the encryption only protects you against the physical theft of your WHS and removal of your drives.

-Martin

EX475 + 5TB, 2 GB mem, LE-1640, External DVD (USB)
PC's: Vista64 Biz, Vista Ultimate (32)
Laptops: Vista Home Premium (32), XP Home SP3
Network: DLink DIR-855

January 3, 2009 8:15 PM

As for performance... The application I have been using does not seem to significantly impact performance, at least with 2GB and an LE-1640. Obviously that will be a concern in the long term.

As I am currently using it, the encryption requires the key to be retained by the client. Getting "in" without the key does NOT give one access to the data any more than having the physical disk. I have not yet attempted full-pool encryption so that may be different, but even then the "intruder" risk is no more than it is today.

...JohnBick

June 22, 2009 9:58 AM updated: June 22, 2009 10:02 AM

I too am interested in using Truecrypt to encrypt the entire pool. I have several 3 year old laptops upon which I've installed Truecrypt and enabled full disk encryption. I see absolutely no slow down on writes or reads. And I've read posts from knowledgeable people that have done speed tests before and after enabling full disk encryption that confirm that experience.

JohnBick's idea of using Truecrypt's optional keyfile is a good idea as it adds two-factor authentication to the mix.

I'd like to hear an update from JohnBick as to his experience enabling full disk encryption of his entire pool.

Fred

June 22, 2009 12:37 PM

I have not (yet) found a way to encrypt the entire pool in a satisfactory manner.

I believe I could actually encrypt it; the problem is that I would not be able to add or replace a drive as the encryption locks-in the size of the drive. And I cannot handle the encryption separately for each drive because of the Drive Extender logic. TrueCrypt exists at the "application" level and to do what we need the encryption needs to be built into the OS.

I'd love to be proven incorrect...!

...JohnBick

June 23, 2009 4:14 PM

If the only restriction of using Truecrypt is when you add/replace a hard drive, I could live with that as that is something I don't plan on doing too often. I guess the workaround in that situation is to decrypt the entire collection of drives, add/replace a hard drive, and then re-encrypt all hard drives again.

Another scenario to consider is what happens when all your disks are encrypted and then a hard drive fails hard? Does that prevent one from using the other hard drives?

I logged into TrueCrypt's forums and searched "windows home server" and got a page full of postings dealing with TrueCrypt and WHS. Seems like several people are having varied success with backing up TrueCrypted clients as well as encrypting the WHS server itself. But no definitive success stories.

Fred

June 23, 2009 4:56 PM

The problem is that to add or replace a drive EVERYTHING has to be unloaded from the server and then reloaded. To me that is totally unworkable as it defeats the core of the ease of use of the MSS AND it is a huge investment of time AND it requires considerable disk space to temporarily store the data. (IF it can all be made to work -- and I am not really convinced about that!)

Yes, the failure of a single drive MAY stop you from accessing the others -- I would want to test that if I were going to pursue this.

And I forgot to mention that this also would mean that it may not be possible to access individual (shared) files on another NTFS computer in the event of a frame failure. This is another key feature of WHS over a RAID NAS device.

I have not seen any success stories and, for the moment, do not plan to pursue this.

As indicated in other threads I am using TrueCrypt to encrypt my off-site storage volumes.

...JohnBick

February 3, 2010 1:04 PM

I don't know if you know about it or not, but Windows clients (Professional/Business and above editions) have the option to encrypt drives using Windows EFS (encrypting file system). It's built into the OS, so it's at the OS level like you need. It's basically password/passkey encryption and is easy to use, especially on removable storage like flash-drives. However, it may not be up to your standards of protection. But hey, it's an option. I don't know if WHS has EFS or not. I think it was introduced in Vista, but it may have been in XP after a service pack or something.

February 6, 2010 9:30 AM

From the help file:

"The following file types are not supported on Windows Home Server server storage: Encrypted files (file system level)"

I cannot even make an encrypted partition. Truecrypt tells me "there is insufficient disk space", even when choosing a partition much smaller than available space.

If someone can get through your login, all files are available, and encryption is not possible.
By the way, remote access passwords are sent 'in the clear':
from IE:
"Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)."
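
Added example, not part of the original thread: the condition the Internet Explorer warning quoted above describes, written as a check a defender can run over a captured response, plus a decoder showing that Basic credentials are only base64-encoded and so readable by anyone who sees the request. The host name, realm and credentials are constructed sample values, and the function names are assumptions of this example.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample data (not taken from the thread).
SAMPLE_URL = "http://homeserver.example/remote"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", 'Basic realm="Remote Access"'),
]
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"demo-user:demo-pass").decode("ascii")


def _auth_scheme(value):
    """First token of a WWW-Authenticate or Authorization value, lower-cased."""
    parts = value.split(None, 1)
    return parts[0].lower() if parts else ""


def basic_over_cleartext(url, headers):
    """True when the response to `url` requests Basic credentials without TLS."""
    wants_basic = any(
        name.lower() == "www-authenticate" and _auth_scheme(value) == "basic"
        for name, value in headers
    )
    return wants_basic and urlsplit(url).scheme.lower() != "https"


def recover_basic_credentials(authorization):
    """Decode a Basic Authorization value exactly as a passive observer could."""
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        raise ValueError("not a Basic credential")
    # Basic is encoding, not encryption: base64("user:password"), no key involved.
    decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


if __name__ == "__main__":
    print(basic_over_cleartext(SAMPLE_URL, SAMPLE_HEADERS))
    print(recover_basic_credentials(SAMPLE_AUTHORIZATION))
```

The same login page served over `https://` makes the check return False, because the header then travels inside the TLS session.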
