NETGEAR ReadyNAS

[vici]

Hi,

I have been busy getting encrytion working on an Ultra 2. I have given up on Truecrypt with this versions of radiator (4.2.19) and now use encfs. I added instructions how to set it up at the end of this message.

I would like to be able to enter the encfs password through Frontview (and spawn a shell script that does the mounting for me instead of having to run ssh). That way someone else is able to start the share after rebooting or a power failure.

I had a quick look at add-ons, but do not want to spend a lot of time on this. It is probably not more than 10 mins work for someone who knows what he is doing (or so I hope).

Required dialog:
Enter encrypted directory to be mounted: VARIABLE_1
Enter mount point: VARIABLE_2
Enter password: VARIABLE_3
(Continue) (Cancel)

Shell script to be run (as root):
Check if VARIABLE_1 and VARIABLE_2 start with a '/', exist and are directories. If not: ABORT.
echo $VARIABLE_3 | encfs -S --public $VARIABLE_1 $VARIABLE_2

Thanks!

Installing (from factory default):

# apt-get update
# apt-get -f install apt-utils
# apt-get install encfs fuse-utils

Using Frontview I then create a share, let's say "secret_files". This creates the directory /c/secret_files.

I want to store my encrypted files on /c (disk full otherwise!) but radiator does not like a directory in /c that is not a share. By using a hidden file I can keep radiator happy.

# mkdir /c/.you_cannot_read_this

As long as /c/secret_files is empty I can enter
# encfs --public /c/.you_cannot_read_this /c/secret_files

If this is the first time it will ask mode (use paranoia).
Encfs then asks for the password.

DONE!

[Polymorphicready]

Thanks for this!

What is the general opinion on how encfs and truecrypt compare with regard to security (in other words, is encfs, when implemented as above by vici, as strong as TrueCrypt would be)?

[vici]

Hi Polymorphicready,

I see that you have figured out that the '#' is both the bash prompt as well as the character used to make a line a comment! Have you got encfs working?

As to truecrypt vs. encfs, I have not studied them enough to make a good comparison, but feel that there are major disadvantages to the way encfs is designed (security wise). The main reason is that for security reasons you do not want a hacker to know anything that might help in breaking the code.
With encfs, while I cannot see the file type, I can see the number of files and the size of each file (in the example they are visible in the /c/.you_cannot_read_this directory).

I can imagine that if you have a lot of ca. 700MB sized files that they might well be CD iso images. That gives a hacker some information about the expected internal structure and hence gives him something to start to break the code. The same goes for mp3 files (directories containing 15-20 files of certain sizes could very well be mp3's, stored per album) and many others.

If I have a 100GB truecrypt container, there is no way of knowing how many files it contains (it could be empty!), let alone what size or type they are.

If and when truecrypt becomes available (I think it only really needs fuse >= 2.6 to get it working but am not sure) I will move to truecrypt. I will mount the truecrypt partition on the NAS, just as I do with encfs, hopefully with a Frontview add-on!

The strength of truecrypt encryption is very good. I know of a recent case in Holland where police and IT specialists could not hack into the PC they confiscated from a suspect. I think they gave up after a year or so.

[Polymorphicready]

Hi vici,

Yes I figured out about the '#' (Doh!)!

I seem to have encfs working, but still trying to figure out how to actually use it in real life (outside of putty). (Not exactly user-friendly, is it!).

One thing - my encfs reports: "EncFS 1.2.5 (revision 20040813)" but the latest version seems to be 1.7.4. Version 1.2.5 seems to be so ancient it doesn't even appear on the version history on the encfs home page.

Another thing - when I run apt-get update, I get an error message about a GPG key:

# apt-get update
Get:1 http://archive.debian.org etch Release.gpg [1033B]
Hit http://archive.debian.org etch Release
Ign http://archive.debian.org etch/main Packages/DiffIndex
Hit http://archive.debian.org etch/main Packages
Get:2 http://www.readynas.com 4.2.19/ Release.gpg [490B]
Hit http://www.readynas.com 4.2.19/ Release
Err http://www.readynas.com 4.2.19/ Release

Get:3 http://www.readynas.com 4.2.19/ Release [738B]
Ign http://www.readynas.com 4.2.19/ Release
Ign http://www.readynas.com 4.2.19/ Packages/DiffIndex
Hit http://www.readynas.com 4.2.19/ Packages
Fetched 1229B in 16s (74B/s)
Reading package lists... Done
W: GPG error: http://www.readynas.com 4.2.19/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B7F02108D553259A
W: You may want to run apt-get update to correct these problems

Running apt-get update again corrects nothing - just get the same error every time. (Perhaps I'm off-topic on that one).

Back to encfs - thanks for the nice explanation of how the file metadata can give clues to hackers.

At this point, it doesn't look like encfs is going to 'do it' for me, but I'll keep tinkering and try to learn what I can about it and its alternatives. But it seems like full disk encryption (a la TrueCrypt) on a ReadyNAS is some way off in the future.

[vici]

Why won't encfs do it for you?

Remember, you only have to type the encfs command once (everytime after the NAS reboots).

[vici]

The key error is a problem in 4.2.19 that is going to be fixed in 4.2.20. I hope it comes soon!

[Polymorphicready]

Why won't encfs do it for you?

Remember, you only have to type the encfs command once (everytime after the NAS reboots).

I suppose I'm just not happy with using out-of-date security software and don't know how to update it.

[Polymorphicready]

The key error is a problem in 4.2.19 that is going to be fixed in 4.2.20. I hope it comes soon!

I'm running 4.2.20-T23.

[mdgm]

Try editing /etc/apt/sources.list to refer to 4.2.20 not 4.2.19, then do an "apt-get update"

[WhoCares?]

Interesting for any of you? -> Dev-Funstuff: EncFS for ReadyNAS x86

-Stefan

[Polymorphicready]

Interesting for any of you? -> Dev-Funstuff: EncFS for ReadyNAS x86

-Stefan

But surely our eyes do deceive us; a knight in shining armour!

[vici]

Interesting for any of you? -> Dev-Funstuff: EncFS for ReadyNAS x86

-Stefan

Thanks Stefan! I have been very busy and have not logged in for a while, otherwise I would have responded sooner.

My Ultra 2 is now in production and is still running 4.2.19 with the old encfs version. Difficult to take it off-line/upgrade at the moment, so I will not be able to try out your libraries for a while.

[vici]

Any takers on the original question?

I would like to be able to enter the encfs password through Frontview (and spawn a shell script that does the mounting for me instead of having to run ssh). That way someone else is able to start the share after rebooting or a power failure.

I had a quick look at add-ons, but do not want to spend a lot of time on this. It is probably not more than 10 mins work for someone who knows what he is doing (or so I hope).

Required dialog:
Enter encrypted directory to be mounted: VARIABLE_1
Enter mount point: VARIABLE_2
Enter password: VARIABLE_3
(Continue) (Cancel)

Shell script to be run (as root):
Check if VARIABLE_1 and VARIABLE_2 start with a '/', exist and are directories. If not: ABORT.
echo $VARIABLE_3 | encfs -S --public $VARIABLE_1 $VARIABLE_2

[WhoCares?]

As you may have alread guessed, building encfs and the libs was the easy part And unfortunately I'm very busy with other things right now, which prevents me from doing more on this project.

-Stefan