Faulty disk encryption implementation?

Interested in our products? Post your questions here. Let us answer before you buy.

Re: Faulty disk encryption implementation?

Postby petur » Thu Mar 19, 2009 4:45 pm

Jeroen1000 wrote:Does Qnap provide SSH access to the NAS? This way one who has an encyption enabled Qnap may be able to reveal what Qnap is doing. But this possibly voids warranty ...


Yes, you can even configure what port it listens on. Doesn't void the warranty. Login is admin only, unless you replace it with OpenSSH (search this forum on how to replace)
User avatar
petur
Moderator
 
Posts: 4482
Joined: Sun Mar 30, 2008 5:42 pm
Location: Gent, Belgium
NAS Model: TS-x69 Pro

Re: Faulty disk encryption implementation?

Postby AndyChuo » Sun Apr 26, 2009 3:23 am

peris wrote:It seems that you use a passphrase to protect the real AES encrypton/decryption key in stead of allowing the user to select to input the real key directly (probably protected by a asymmetric algorithm).
Is that correct?


Yes.

If that is the case the strenght of the mechanism (for confidentialiy) is much much lower than it should be and below what you can create with freeNAS-type of distributions if you know what you are doing. One problem is that the asymmetric passphrase-unlock mechanism is weaker than the symmetric AES algorithm (weakest link in the chain decides the strenght of the chain). But the big problem in this approach is that you might for example have added a separate backdoor passphrase that your tech support can use to unlock customer disks if we forget the passphrase. I do understand the need for such a mode of operation, but please understand that backdoors (if present) always leak (and for people that actually are interested in using encryption there is no way we can trust a implementation that allows for back-doors).


No, there's no such back door you mentioned.

So, what I'd like to see is an "high security (confidentiality)" option (checkbox in GUI) to input the AES256 key myself (from the keyboard, or by temporary inserting an USB drive with the key in a file) the few times I do need to restart/upgrade (users of higher end models use UPS to protect from power failures). Should be really easy to implment (mostly just sidestepping the passphrase part thus avoiding weaking the mechanism).
Is this available or (when) will this be available?


Yes, we are now considering adding this option for users to input their own AES256 key themselves. Details will be anounced once they are available.

See my other replies for your other concerns regarding to the disk encryption feature.


Thanks
=============================================================>>>
TS-659-Pro [RAID6][Transmission][MLDonkey][SABnzbdplus+SickBeard=Best PVR]
TS-509-Pro [RAID6][Pentium Dual-Core][Twonkymedia+PMS+SubSonic=Ultimate Streamer]
NMP-1000P [Media Adptor/Playback] Buffalo WHR-HP-G54 [DD-WRT] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
User avatar
AndyChuo
Experience counts
 
Posts: 2396
Joined: Thu Sep 13, 2007 11:56 am
Location: Taipei, Taiwan
NAS Model: TS-459 Pro

Re: Faulty disk encryption implementation?

Postby peris » Sun Apr 26, 2009 8:52 pm

QNAPAndy wrote:
peris wrote:]So, what I'd like to see is an "high security (confidentiality)" option (checkbox in GUI) to input the AES256 key myself (from the keyboard, or by temporary inserting an USB drive with the key in a file) the few times I do need to restart/upgrade (users of higher end models use UPS to protect from power failures). Should be really easy to implment (mostly just sidestepping the passphrase part thus avoiding weaking the mechanism).
Is this available or (when) will this be available?

Yes, we are now considering adding this option for users to input their own AES256 key themselves. Details will be anounced once they are available.

Thanks for answering.
Looking forward to a "bring your own AES key" option.

You also might consider having an option to get the AES key generated, but omitting the extra key management and thus beeing able to manage luks from the command-line and avoid assurance issues.
peris
Starting out
 
Posts: 33
Joined: Sat Feb 02, 2008 2:26 am

Re: Faulty disk encryption implementation?

Postby Korrel » Sun Oct 18, 2009 11:10 am

Important new information can be found here:

viewtopic.php?f=11&t=18863
Korrel
Starting out
 
Posts: 24
Joined: Wed Jun 10, 2009 4:08 am
NAS Model: TS-419U


Return to Presales

Who is online

Users browsing this forum: No registered users and 4 guests