My current setup is not secure in the slightest and I want to change that.
I run a Win8 box and an N54L running OpenMediaVault 3. There are a couple of Rpi3 on my network as media clients, along with 2 Sonos Play devices.
The NAS serves data over NFS to the media clients, and SMB to the winbox.
If everything could be encrypted on the NAS and my Winbox that would be good, however... I am concerned about the ease of use with regard to the 4 media devices on my network and their ability to access the data stored on the NAS.
In an ideal world, I would like to be able to log into my winbox and have access to the encrypted data on the NAS and the media clients to have 24hr access to the media.
Will you be accessing this information outside your local network? Do you have info that needs encryption? My first thoughts are it's a waste of time and energy but everyone has their wants and goals so all power to you.
So it's full disk encryption on the NAS, VeraCrypt container for the data you only need to access from the Winbox.
Are there safer options than NFS? sshfs probably (basically mounting stuff over ssh) but that comes with its own set of problems. I should probably mention that you should not mount a root user via sshfs.
I've got to use NFS because anything else has massive overheads in comparison and we all know how valuable the very limited network bandwidth is on a Rpi3.
Not sure what NAS you have but I thought it deserves a mention that the Synology DS214+ built-in encryption for folders is pretty slow (20 MB/s). I'm actually not sure how they are with FDE and if that could be faster.
The big question here is: What do you want to protect against? Encryption isn't magical fairy dust that makes your data secure from all the things. Full disk encryption, for example, is often chosen because it is seamless to the users. Unfortunately it's also seamless to an attacker accessing your NAS via the network. It'll protect your data if someone physically steals your server. But once the decryption key is entered, your OS/hardware will happily decrypt the data for anyone who has, for example, a valid SMB auth token. Or is allowed to connect to your NFS share.
What do you want to protect against? Where is the threat coming from?
Have a look at the super secure NAS build log here by @Dexter_Kane.
@Levitance makes a good point. If you want to protect against something you first need to identify what that something is, so you can effectively protect against it.
His Windows partition won't be able to access the data unless he keeps the container open and partitioned with NTFS, in which case it voids using LUKS...
I must be missing something here. I thought that the Windows box was a separate box from OpenMediaVault, and the OMV box is where the data is stored. Is that not the case?
Which is fine. The OMV box will be the only thing actually reading LUKS. Everything else is presented to other machines either via CIFS or NFS, so the encryption is irrelevant.