Its SHA256 hash is: 8a96262a49cbfc3251173424896233c328b4f6bf0778919da10fee6270406221
When you go to create a new dataset with encryption, did you notice you can input your own 64-character hex string, rather than have one auto generated?
You know what else consists of 64 hex characters? A SHA256 hash.
Are you starting to get it?
What happens if you lose your dataset’s keyfile?
You forgot to export it?
You forgot where you saved it?
No problem. Just find the special photo and run the SHA256 algorithm against it.
With the command-line, it’s as simple as running the command sha256sum. There are also GUI options available, such as PeaZip and KDE’s Dolphin.
Congratulations. You just retrieved your dataset’s encryption key.
Benefits:
Losing the keyfile doesn’t mean you lost access to your encrypted data. As long as you still have the original photo, you can regenerate the key.
You don’t need to memorize a passphrase.
You technically don’t even need to save your actual key anywhere. No one will suspect that a particular photo’s SHA256 hash is your key.
It’s fully compatible with ZFS and TrueNAS. It does not require you to change any other data protection habits, such as exporting and saving your encryption keys the traditional way. (You can do both.)
Cons:
None.
Caveats:
You obviously need access to the photo. Don’t have the only copy of this file saved within the encrypted dataset itself. (Duh.)
Do not edit or modify the original photo. This will alter its SHA256 hash.
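The derivation described in the post above, as an added shell example (not the poster's own commands): it hashes a file with sha256sum, checks that the digest is exactly the 64 lowercase hex characters that ZFS accepts for keyformat=hex, and shows the caveat that any change to the file, even one appended byte, produces a different key. The sample input is a constructed three-byte file standing in for the photo, and the zfs commands at the end are a commented, hypothetical usage that is not executed here.

```shell
#!/bin/sh
# Derive a 64-hex-character key from a photo by hashing it with SHA-256.
# Assumes GNU coreutils sha256sum is installed; on systems that only ship
# shasum, replace the call with "shasum -a 256".

# Print only the SHA-256 hex digest of the file given as $1.
photo_key() {
    sha256sum -- "$1" | cut -d ' ' -f 1
}

# Return 0 if $1 is exactly 64 lowercase hex characters (the shape that
# "zfs create -o keyformat=hex" expects), 1 otherwise.
is_hex_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Demonstrate the caveat: copy the file, append a single byte (the kind of
# change a metadata rewrite or re-save would make), and compare the keys.
# Returns 0 if the derived keys differ.
key_changes_after_edit() {
    tmp=$(mktemp)
    cp -- "$1" "$tmp"
    printf 'x' >> "$tmp"
    before=$(photo_key "$1")
    after=$(photo_key "$tmp")
    rm -f -- "$tmp"
    [ "$before" != "$after" ]
}

# Constructed sample input standing in for the photo (not a real image):
# the bytes "abc", whose SHA-256 digest is a well-known test vector.
SAMPLE=$(mktemp)
printf 'abc' > "$SAMPLE"

KEY=$(photo_key "$SAMPLE")
echo "derived key: $KEY"
is_hex_key "$KEY" && echo "key is a well-formed 64-character hex string"
key_changes_after_edit "$SAMPLE" && echo "editing the file changes the key"

# Hypothetical ZFS usage (not run here; needs an existing pool and root).
# Create the dataset with a hex key typed at the prompt, then on a later boot
# feed the regenerated key to zfs load-key on stdin:
#   zfs create -o encryption=aes-256-gcm -o keyformat=hex -o keylocation=prompt tank/secret
#   photo_key /path/to/photo.jpg | zfs load-key tank/secret

rm -f -- "$SAMPLE"
```

Run it against the real photo instead of the sample file to get the key; keeping the photo bit-for-bit identical (copy it, never re-save it from an image editor) is what makes the derived key stable.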
We can use a buddy system! We should start an online community where everyone uses the same key for their encryption. This way, if you ever lose your key, you can just ask someone in the community!
Sharing is caring!
Only heard of it, but not in depth. It does seem to follow the same principle: hiding a secret in plain sight
I had been using this system of “specific photo as the key” with LUKS. The advantage LUKS has over ZFS is that it supports multiple “key slots”.
I would always assign one of the key slots with a photo, just in case I forgot my passphrase.
You could also very carefully embed a large QR code into a print, it would take some work to get it functional, but it might be another way to deal with this. Maybe an IR or UV dye that you can make visible to the camera to retrieve the codes.
I doubt it is worth your efforts. Unless you’re a CS student making his research.
Well, AFAIK, all this stuff was born from steganography. At least that was told to me by a stega-expert over a decade ago. And I have never fact-checked this.
Just to sum up.
I think these kinds of security strategies are almost useless because they highly depend on obscurity. So the plain deanoning on this forum is already making your data less secure.
OTOH, if you didn’t publicly discuss your obscure methods, they can be okayish. For example, I myself am using those for… Did you even read the paragraph? I won’t tell you my applications!
I’m not a security expert. However, security experts say that security through obscurity is not secure!
They don’t specifically say “encrypted datasets”, but I assume that would be supported, since they run TrueNAS under the hood. I don’t see why they wouldn’t support “raw streams” for their replications.
Honestly, this is less about security itself than about security of the security.
Namely: How to make sure I will NOT lose the encryption key and lock myself out of my “secure” encrypted data.
The technique described is not made less secure by its disclosure. Unless @winnielinnie is using a family photo posted on their home page, we have no way to easily determine which photo they are using.
Security Through Obscurity is running an open telnet service on a non-well-known port or running a locked down SSH (pre-shared key authentication only) on a non-well-known port. I do that all the time and it reduces the number of attacks against my SSH services. No, I am not going to tell you which port I move SSH to.
Security Through Obscurity is just one of many valid security tools we should all be using, it should not be the only tool we use.
Keep doing what you do with vaults, password and key managers, and exported configs. Keep them safe like you always do.
With the method explained in my original post, you have an additional zero cost benefit against losing your encrypted data.
You can send a photo album to a friend or family member. For all they know, they’re just family photos. They don’t know that they have an extra copy of your key.
How would someone even know I’m doing this at all?
You would have a better chance trying to brute force the encryption.