Hi, this is an interesting topic, I also want to know the answer.
At the moment I use an overlay file system called “gocryptfs” to encrypt files, which I unlock manually with a password. I mount the SMB share where the vault is to the client and open the vault on the client, so TrueNAS sees only the encrypted bytes.
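The client-side layout described in that post, as an added example (not the poster's own script): the SMB share is mounted on the client, the gocryptfs vault is opened there, and a check confirms that the directory the NAS admin can see holds only gocryptfs metadata and encrypted filenames. Share name, mount points, user name and the sample filenames are placeholders.

```shell
#!/bin/sh
# Added example: gocryptfs vault kept on an SMB share, unlocked only on the client.
# All names below are assumptions, not values from the thread.
set -eu

SHARE="//truenas.example/vaults"         # assumed SMB share on the NAS
SHARE_MNT="$HOME/nas"                    # where the share is mounted on the client
CIPHER_DIR="$SHARE_MNT/alice.gocryptfs"  # ciphertext: the only thing the NAS stores
PLAIN_DIR="$HOME/vault"                  # plaintext view: exists only on the client

mount_share() {
    mkdir -p "$SHARE_MNT"
    sudo mount -t cifs "$SHARE" "$SHARE_MNT" -o "username=alice,uid=$(id -u),gid=$(id -g)"
}

# First run creates the vault, later runs just mount it. gocryptfs prompts for the
# password interactively, so the key never leaves the client.
open_vault() {
    mkdir -p "$CIPHER_DIR" "$PLAIN_DIR"
    [ -f "$CIPHER_DIR/gocryptfs.conf" ] || gocryptfs -init "$CIPHER_DIR"
    gocryptfs "$CIPHER_DIR" "$PLAIN_DIR"
}

close_vault() { fusermount -u "$PLAIN_DIR"; }

# What the server side should look like: gocryptfs.conf, gocryptfs.diriv,
# gocryptfs.longname.* helpers and otherwise only base64url-encoded names
# (filename encryption is on by default). Returns 1 and names the first
# plaintext-looking entry, which would mean the vault was set up wrongly.
check_cipherdir() {
    dir="$1"
    [ -f "$dir/gocryptfs.conf" ] && [ -f "$dir/gocryptfs.diriv" ] || {
        echo "not a gocryptfs cipher dir: $dir"; return 1; }
    for p in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$p" ] || continue
        n="${p##*/}"
        case "$n" in
            gocryptfs.conf|gocryptfs.diriv|gocryptfs.longname.*) continue ;;
        esac
        echo "$n" | grep -Eq '^[A-Za-z0-9_-]{22,}$' || {
            echo "plaintext-looking name on the server: $n"; return 1; }
    done
}
```

Run `check_cipherdir "$CIPHER_DIR"` while the vault is closed; any readable filename in its output means the NAS is seeing more than encrypted bytes.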
I would say never trust any corporation regardless of what they say. The best is to keep everything encrypted till the last link in the chain: the client. The server itself should not be trusted from my point of view, even though I am the admin. If one of my family members needs an encrypted folder, I will always go for client-side encryption when possible, and I as admin don’t want to have any possibility to decrypt my users’ data.
In most parts of the world, you can be compelled to disclose passwords, even without a court warrant. You can defy orders but most places have some pretty steep penalties for same.
Between keyloggers, password crackers, and like threats, nation state actors likely can break most encryption fairly easily by exploiting weaknesses outside the realm of the encryption algorithm itself (which folk like the NSA also water down for good measure).
Determined criminals will simply torture you or a loved one until you spill the beans.
Which leaves encryption being mostly useful against casual thieves, ding dongs, and like actors who are not violent and are in it solely for the money, lulz, etc. Most of them will get bored and move on to the next potential victim if your system looks too secure.
Which means encryption is mostly like having a better bicycle lock than the rest of the bikes in a rack. Treat it that way and move on.
You can run multiple levels of encryption, i.e. one level for the pool itself (to deal with physical theft).
A second layer of encrypted files / archives / whatever that only a few folk have keys for may offer some additional protection in case the running system has been compromised. If the system has no idea what the key is (and the encryption is secure enough) then the encrypted data remains secure.
Encrypted Apple sparsebundle archives are but one example. Such archive use does entail a performance hit, and I’m not sure I would trust a hosted archive not to eventually fall prey to corruption issues, even if it’s hosted on a COW ZFS system.
Whatever approach you take, I hope that the decryption program / technology is widely available and that there are fallbacks to allow the data to be decrypted in case (god forbid) you pass away and someone needs access.
If you’re dealing with nation state actors, you can be compelled to unlock everything. It’s best to practice good opsec to begin with and stay off the radar. This means Proton email, encrypted at rest and in flight, a VPN at the router level, encrypted DNS, etc. Make sure even your ISP doesn’t know where you’re going and what you’re doing. There are Linux distros that are insanely paranoid for disposable laptops with this mentality (like Tails).
But making your NAS encrypted at home? Really not worth the effort. One of my favorite authors, Neal Stephenson, talked about some dudes getting busted. They wrapped copper wire around a steel door frame leading to their server room. At the flip of a switch it became a big electromagnet. They flipped the switch, and as their computers were taken away, they all got scrambled by the doorway. Science fiction, but theoretically true.
The amount of coil wrapping and power and capacitors and power infrastructure required to wipe a modern HDD just by carrying it through the door is astronomical.
Thousands and thousands of turns of 2AWG, 20+ miles of cable, hundreds of amps, just to approach 1 Tesla of flux. The resistive heat generated would be staggering.
Unfortunately, way too many sci-fi authors don’t bother to consult with actual scientists or engineers before writing the stuff they do, and make up crazy stuff that completely defies the laws of physics. It’s acceptable (to most) if they’re making up new physics (like warp drives) and then staying within these fictional physics within the universe the story is set in, but this is different from using what appears to be normal, real-world physics and then getting it hilariously wrong (like people getting hit by regular bullets and then flying backwards).
I still hold Cryptonomicon in high regard; he did a good job with hard science and not too much hand waving. But at nearly 900 pages, it’s more of a tome than a novel.