Encryption in an always-on machine

Hello,

I'm planning to build a NAS based on Linux. I would like to keep my files encrypted. I know about full disk encryption, but as I understand it, after I use my password to access it, anyone with access to my machine would be able to read my files as if they were not encrypted in the first place. And since a NAS would typically work 24 hours a day, they'd be permanently decrypted. I wonder if there is some piece of software/solution that would allow me to keep my files safe in this scenario?

Secondary question - I was thinking about something like this: I upload files to my NAS, I enter a universal password, they get encrypted with a file-specific key, this key along with a hash of the file gets saved in some sort of database protected by this universal password. To access them, I enter the password, the DB gets decrypted, the key gets accessed, the DB gets encrypted again, files get temporarily decrypted. Does this make any sense?

Greetings,
Mateusz

You should give this a read:

2 Likes

You could use a client side encryption tool like https://www.axcrypt.net/ if you want.

I think own/next-cloud have some encryption feature that might fit the bill but I never used it.

From your first assumption about FDE I think you're missing an important point. When you provide your encryption key the data on the drive will still be encrypted but the OS will know how to decrypt the drive. If you can't break the OS security you won't have access and if you turn the computer off and pull the drives out you will still need the key to make the data readable.

Potentially someone with enormous resources could do something like interface with some data bus on the computer while it's running and attempt some attack that way but I wouldn't see that as plausible unless you have nuclear launch codes on it or something.

1 Like

So basically think of full disk encryption as a container. Once you enter the password, the container is open. If the files you need are in the container, then it would need to be opened to be accessed. You could partition a portion of your drive to maintain sensitive files in and mount the drive when needed, or 7z the files and decrypt when needed (takes longer for large files).

So my question is do you need to have 24/7 access to the files as well as have the machine powered on 24/7?

1 Like

It's going to be pretty difficult, especially if you are accessing the NAS with different devices. If you use something like encfs to encrypt the files then they are encrypted at the file level rather than the block level, so multiple devices can mount the storage and access the data at the same time without risk of damage (I think having multiple devices mount an encrypted disk can cause problems, but I'm not sure about that).

You will need to input a password to mount the NAS storage but all files will always be encrypted on the server so someone with access to the server won't be able to open the files without a password. Could be a pain though. I'd suggest, if you have sensitive stuff that you want to use client side encryption for, that you keep that separate to everything which doesn't need that level of security.

Also what you describe in your second question is kinda sorta how encfs works.

2 Likes
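The per-file key scheme from the secondary question, sketched as an added example that is not part of the original thread and is not how encfs or any other tool mentioned here is implemented. All function names are hypothetical, the dict stands in for the "database" row, and a standard-library HMAC-SHA256 encrypt-then-MAC construction stands in for a vetted AEAD cipher such as AES-GCM.

```python
import hashlib, hmac, os

def kdf(password, salt):
    # Password -> 64-byte key (32 for encryption, 32 for the MAC).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(key[:32], nonce, plaintext)
    return nonce + ct + hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong password or tampered data")
    return _xor_stream(key[:32], nonce, ct)

def store_file(password, salt, data):
    file_key = os.urandom(64)  # fresh random key for this file only
    # "Database" entry: file key plus file hash, sealed under the password key.
    entry = seal(kdf(password, salt), file_key + hashlib.sha256(data).digest())
    return {"entry": entry, "blob": seal(file_key, data)}  # both are ciphertext at rest

def read_file(password, salt, rec):
    entry = unseal(kdf(password, salt), rec["entry"])
    file_key, digest = entry[:64], entry[64:]
    data = unseal(file_key, rec["blob"])
    # file_key and data now sit in RAM: while unlocked, the running OS can read them.
    if not hmac.compare_digest(hashlib.sha256(data).digest(), digest):
        raise ValueError("file hash mismatch")
    return data

def change_password(old, new, salt, rec):
    # Only the small database entry is re-sealed; the file blob is untouched.
    entry = unseal(kdf(old, salt), rec["entry"])
    return {**rec, "entry": seal(kdf(new, salt), entry)}

if __name__ == "__main__":
    salt = os.urandom(16)
    rec = store_file("correct horse", salt, b"constructed sample file")
    print(read_file("correct horse", salt, rec))
```

As with full disk encryption, the protection applies to what is stored on disk; between `read_file` and the moment the plaintext is discarded, the server holds the decrypted data in memory.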