Send files encrypted to NAS (in real-time)

So last week someone broke into my and stole my new NAS. I had luck that only my latest project files were on it at this time.
Anyways, on my computer I'm running BitLocker with an older TPM (1.02H), which I hope is safe enough. But my backups go on 2 different NASes and these NASes are pretty cheap, are running Linux and don't support encryption.
So I'm looking for a way to automatically encrypt files that I send to my NAS in real time. And when I download them from my NAS they should get decrypted automatically on my computer. So that my NAS never stores an unencrypted backup.
Does anyone of you know of a good piece of software that could help me with that?

I'm on Windows btw. The NAS provides a standard Samba interface (the same that Windows uses).

...at the moment there is no money for a better solution.

A simple way of doing that would be to use something like TrueCrypt to create an encrypted volume on the NAS and then mount the encrypted volume on the client machine. Only problem is you probably won't be able to share it between different clients at the same time.

If you are using FreeNAS you can select it to use encryption, which is done on the fly on the NAS side. Once unlocked you can access the files over the network, but if powered down it needs to be unlocked again. It keeps all the files encrypted all the time and is easy to use.

1 Like

Is TrueCrypt still safe? I definitely need to access it from multiple clients. Otherwise I would have simply used an external USB 3 hard drive.

How exactly does the encryption process of FreeNAS work?

It is really important to me that unencrypted files never touch the NASes' hard drives, not even for a second, even if they are overwritten afterwards.

I'm sure it's safe enough for what you need. If you're worried about NSA back doors then I think you have bigger problems if the NSA has seized your property.

If you use server side encryption then the server will be able to decrypt the files, so if someone takes the server and is able to log in and decrypt the files, or takes the server while it's powered on and the files are already decrypted, then they can access your stuff. With client side encryption the files are encrypted by the client and stored in an encrypted form on the server, so if someone takes the server they can't unlock the files.

I'm not sure what options there are for client side encryption that will also allow you to share files between other users. But that sounds like it's what you're looking for.

Syncthing to and from an encrypted hard drive.

https://syncthing.net

Linux and BSD do encryption depending on file system being used. Their encryption is better than BitLocker BTW.

Yes, client side encryption sounds like what I want. And sharing files should in theory not be a problem. I can definitely think of a way this could be implemented.

What makes you think that Linux does better encryption than BitLocker? Is Linux encryption even able to use a TPM?

No. TrueCrypt is not secure and shouldn't be used.

With BitLocker there is no way of knowing if a back door has been introduced by any government. From what I'm aware, you're able to have a lot more encryption options and strengths with Linux based encryption (need to confirm that).

There's partial support for it. I don't know much else.

Linux encryption code is open, thus it can be audited. I trust more eyes than less.

I haven't done this myself, but I have a strategy that might work.
You could create an encrypted container file on the NAS that you mount on the computers that you want to access the data from. It would work like mounting a network drive. That way someone stealing the NAS has no way of ever obtaining the files. Furthermore, it makes backup and such easy as you could simply backup the entire container file. I'm not sure how well this works in regard to having several users access the container at the same time though.

I found this link which you might find interesting:

Please don't use BitLocker, it's broken as hell and it shouldn't be trusted unless you're merely trying to protect data from a roommate or something. If your data is more important to you than that, use VeraCrypt or TrueCrypt.

Please don't just say it's broken with no explanation. Why is it broken? Is the crypto weak or are you worried about NSA/MS back doors?

Microsoft is widely known to co-operate with the NSA and participate in PRISM. Along with, as we've seen, Skype having been back doored, that really isn't doing much for their trust, because what's stopping them doing that to an encryption product? Law enforcement definitely doesn't like encryption, so with Microsoft's close relation it's hard to believe it'd be anything but broken and back doored.

Here's another thing to consider: while yes, it's not BitLocker, it is disk encryption from Microsoft, so if this product from them is handled in such a laughable manner I'd say it's beyond doubt that BitLocker is in a similar situation.

If you have a supported device, the device’s storage comes pre-encrypted — but it uses an empty encryption key. When you sign in with a Microsoft account, the encryption is activated and a recovery key is uploaded to Microsoft’s servers. (If you sign in on a domain, the recovery key is uploaded to Active Directory Domain Services, so your business or school has it instead of Microsoft.) If you use a local account, there’s no way to enable the device encryption.

Need I even mention it's both closed source AND Microsoft? That alone makes me uncomfortable personally.

1 Like

I completely agree with you regarding NSA and Microsoft. However, you need to keep the threat model in mind when choosing crypto. If you're worried about thieves stealing the data BitLocker is probably fine. If you're worried about the NSA, BitLocker is definitely not the way to go.

I would personally never trust BitLocker with my files for this very reason.

VeraCrypt looks interesting. Have you used it @100557662?

I would consider looking into Buslink GSE and their 512 cipher solutions if you need no compromise file encryption. They have eSATA options, which is what I would choose if you are protecting financial info, medical info, sensitive client information, etc. This is what the big boys use as a local desktop solution. I would also consider getting a secured rack or cabinet to hold your PC and drives to protect your business clients and yourself from the repercussions of identity theft, corporate espionage, or PCI compliance.

1 Like

You're absolutely right, in one of my examples I said if you're just trying to protect your data from a roommate (quite a low threat model) it's effective and you don't need to get caught up in all the other things.

VeraCrypt definitely does look interesting, I decided I'd play with it a bit recently and it's quite good. It's extremely similar to TrueCrypt, it's actually even backwards compatible with it, but it does some things a little differently, such as using many many more iterations of hashing (seen below), SHA-512 is available as a hashing algorithm, it adds some security fixes, etc.

As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.

This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data.

2 Likes
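Added example, not part of any post in this thread and not VeraCrypt's own code: it measures what the iteration counts quoted above cost per password guess, using the "at most 2000" and "500000 iterations for SHA-2" figures for standard containers. The 64-byte salt, the choice of PBKDF2-HMAC-SHA512 for both counts, the sample passphrase and the single-core timing are assumptions made for illustration.

```python
import hashlib
import os
import time

# Iteration counts quoted in the post above (standard containers).
TRUECRYPT_ITERATIONS = 2000          # "at most 2000 iterations"
VERACRYPT_SHA2_ITERATIONS = 500000   # "500000 iterations for SHA-2"


def derive_key(password: bytes, salt: bytes, iterations: int, length: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA512: the password-to-key step run once per mount attempt."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=length)


def seconds_per_guess(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine."""
    salt = os.urandom(64)  # constructed sample salt (assumed size)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive_key(b"constructed sample passphrase", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def compare() -> dict:
    """Cost of one password guess under each iteration count, on one CPU core."""
    report = {}
    for name, iters in (("truecrypt", TRUECRYPT_ITERATIONS),
                        ("veracrypt", VERACRYPT_SHA2_ITERATIONS)):
        t = seconds_per_guess(iters)
        report[name] = {
            "iterations": iters,
            "seconds_per_guess": t,       # paid once by the owner at mount time
            "guesses_per_day": 86400 / t,  # ceiling for a guesser on this core
        }
    report["slowdown"] = (report["veracrypt"]["seconds_per_guess"]
                          / report["truecrypt"]["seconds_per_guess"])
    return report


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

The owner pays the larger figure once when opening the container, while anyone guessing passwords against a stolen container pays it on every attempt. Absolute timings depend on the hardware, so the ratio between the two rows is the number to read.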

Can you ensure that VeraCrypt at no point in time stores any of my data unencrypted on my drives? Even during the installation process?