How to build a fully encrypted NAS on OpenBSD
In this article I will try to give you all the clues on how to build yourself a fully encrypted NAS for your home network. But first of all, why?
Well, I believe that my data is my data and not somebody elses. I’m not paranoia nor a pirate but having all my personal data in my network encrypted gives me a peace of mind. I mean, in a time where there are some private(!) organizations who think they can tell you/me/everybody what they should and shouldn’t do, it’s time to take some precautions, that’s all. Like I said, it’s about a peace of mind and of course, because we can. ^_^
The end-result will be:
my personal encrypted fileserver
click to enlarge
a server running on OpenBSD with a filesystem on software RAID, so we can handle a disk which decides to stop working all together (and this machine emails you when a drive fails). On top of that we’ll have a fully encrypted filesystem which will take care of on-the-fly encryption and decryption of your files, the data you copy to the server gets encrypted and the data you read from it gets decrypted, all on-the-fly… ^_^ This data than can be presented to your network by Samba, NFS, FTP, you name it.
If, in some crazy world, some organization would believe they can invade my home and take my stuff, there’s not much to be found except gigabytes of ones and zeroes. ^_^
Well, of course, I already built something similar over two years ago. But there has been one flaw in that one. Even though we don’t like anyone accessing our data except ourselves and those we trust, we do like to have some data-security and not lose anything if a drive fails, right? So in fact this is an update to that earlier project. (and yes, I got to this after a drive failed…)
Now when you investigate the wonderful world of RAID, you’ll see that there are fantastic RAID-controllers available, with the possibility of connecting up to 24 drives which can be presented to the operating system of choice as one big drive. But, with SATA-disks now available of 1 terabyte and soon more, you must be in need of a lot of data if you can’t hold it onto one drive. In this how-to we’re not going to make things complicated by building arrays of a multitude drives. We’re going to use two drives in mirror and with disks available today, that could give you an array of 1TB (mine is 320GB by the way).
On top of that one array, we’re going to build an encrypted filesystem of roughly the same size of one such a disk (so, in theory that could also be 1TB). The machine is capable of encrypting and decrypting on-the-fly. Better put, you won’t notice a thing of the whole process. On my personal system I can read and write with average speeds of around 20MB/sec (which is faster than your average laptopdisk without encryption).
To make it totally clear, there’s no problem if you want to run more than one RAID-array or more than one encrypted filesystem. You can have up to 4 encrypted filesystems (and even more if you recompile the kernel).
Why is it now called a NAS?
Well, NAS is one of these magical abbreviations that pops up all over the place. Everything that can store something and connect to a network is called a NAS nowadays. According to that loosely definition, you could even call your average cellphone a NAS... it can store something and connect to a network (and then I’m referring to the internet, not the cellphone network).
Anyway, to tighten it a little down, I guess we can follow the definition on Wikipedia:
NAS systems usually contain one or more hard disks, often arranged into logical, redundant storage containers or RAIDs (redundant arrays of independent disks), as do traditional file servers. NAS removes the responsibility of file serving from other servers on the network and can be deployed via commercial embedded units or via standard computers running NAS software.
But it also says:
It should be noted that NAS is effectively a server in itself, with all major components of a typical PC – a CPU, motherboard, RAM, etc. – and its reliability is a function of how well it is designed internally.
So, because we have RAID and it serves files to the network, I guess we can call it NAS. It does fulfill everything a typical NAS does, but because we’re using OpenBSD and not some trimmed down version of some OS (no offence to those projects though) we also keep the opportunity open to have this fully configurable *nix-box in our network do a lot more than just serve some files (for instance, download some torrents). When you think of it, the size of a typical OpenBSD install
(sans GUI) is about the size what’s considered acceptable as an embedded OS. Well, imho there’s no need to strip it down, it is lean as it is (especially compared to non-*nix OSes ^_~) and this way we keep a lot of options open for future add-ons.
Well, to be totally honest with you, this how-to is meant for people who like the left picture bettter than the right… (I actually like them both, on the left you can see the controls of my TV and on the right the controls of one of my amplifiers... ^_^)
So, in short, this how-to is meant for people who’d like to have a fully configurable box in their network and who know what they’re doing.
I’ll only cover how you can make software RAID with an encrypted filesystem on top. I won’t cover the installation of OpenBSD itself or the installation/configuration of the fileserving services like Samba/NFS etcetera.
Anyway, here we go:
I assume you have a fair understanding of the Unix Command Line Interface. Next to that you need to familiarize yourself with OpenBSD (if you haven’t already done so) and the installation thereof. There’s an excellent Installation Guide on the OpenBSD-site. My box now runs OpenBSD 4.0, but this will also work on, say, 3.8 to 4.1.
From there you should be able to follow my how-to. I’ve put the actual how-to on a separate page which you can find here:
Well, a lot of hardware will go actually. You’ll need a motherboard to which you can connect three hard drives and a fairly decent CPU for the encrypting/decrypting. For the encryption, I’ve used an MP1800+ before and that gave me around 8MB/sec. Nowadays I use an Opteron 146 (2.0GHz) and that gives me around 20MB/sec (25MB/sec read, 16MB/sec write). So if you take anything which is not too old (AMD64s are great for this purpose imho), you’ll be fine.
To give you an idea, this is my setup which gives me around 20MB/sec throughput:
AMD Opteron 146 (2.0GHz)
512MB Reg ECC PC2700
Intel Pro1000 gigabit NIC
Adaptec 2940 SCSI-card
Seagate Barracuda 9LP ST39173W 9GB boot/OS-disk
2x Seagate Barracude 7200.10 320GB in RAID1, datadisks
the actual how-to:
OpenBSD encrypted NAS HOWTO
After this and after we configured the file serving services we’d like (which I don’t cover in this how-to) we’ll have one big encrypted filevault and to show you that it indeed is a NAS presenting itself to different OSes, here are some screenshots from the clients I use (all connecting through Samba btw):
And then there’s the possibility of adding USB-drives to this setup as well! Actually, you can build an encrypted filesystem on everything that can hold a file ^_^ (don’t you just love this? ^_^). After you mount a USB-drive, you can follow the same procedure from filling a file with zeroes or /dev/prandom on…
Now, from a personal experience (I’ve been using encryption on my fileserver for over two years now and I added RAID about 8 months ago) this truly gives a peace of mind. The reason I’ve written it down was because I was forced into refamiliarizing myself again with all this after a power outage in my home. Because the machine did an unclean shutdown, I had work to do and while I was at it, I though I just as easily could write it all down. Now in the original how-to to which this is an update, I also added a bittorrent webinterface and I’m still using that also. Because the machine now is totally current again, I guess I could look into revising that part too… If I get some results there, you can expect a follow-up to this how-to.
good luck to everyone who tries this.
the actual how-to:
OpenBSD encrypted NAS HOWTO
you can find all of my projects overhere