Jeroen1000 wrote:
> Does Qnap provide SSH access to the NAS? This way one who has an encryption enabled Qnap may be able to reveal what Qnap is doing. But this possibly voids warranty ...

Yes, you can even configure what port it listens on. Doesn't void the warranty. Login is admin only, unless you replace it with OpenSSH (search this forum on how to replace).
Faulty disk encryption implementation?
- petur
- Moderator
- Posts: 4606
- Joined: Sun Mar 30, 2008 5:42 pm
- Location: Gent, Belgium
Re: Faulty disk encryption implementation?
Would you rather talk about QNAP in Dutch?
Prefer a community near you?
Come to QNAPclub België/Nederland
- AndyChuo
- Experience counts
- Posts: 2388
- Joined: Thu Sep 13, 2007 11:56 am
- Location: Taipei, Taiwan
Re: Faulty disk encryption implementation?
peris wrote:
> It seems that you use a passphrase to protect the real AES encryption/decryption key instead of allowing the user to select to input the real key directly (probably protected by an asymmetric algorithm).
> Is that correct?

Yes.

> If that is the case the strength of the mechanism (for confidentiality) is much much lower than it should be and below what you can create with freeNAS-type of distributions if you know what you are doing. One problem is that the asymmetric passphrase-unlock mechanism is weaker than the symmetric AES algorithm (weakest link in the chain decides the strength of the chain). But the big problem in this approach is that you might for example have added a separate backdoor passphrase that your tech support can use to unlock customer disks if we forget the passphrase. I do understand the need for such a mode of operation, but please understand that backdoors (if present) always leak (and for people that actually are interested in using encryption there is no way we can trust an implementation that allows for back-doors).

No, there's no such back door you mentioned.

> So, what I'd like to see is a "high security (confidentiality)" option (checkbox in GUI) to input the AES256 key myself (from the keyboard, or by temporarily inserting a USB drive with the key in a file) the few times I do need to restart/upgrade (users of higher end models use UPS to protect from power failures). Should be really easy to implement (mostly just sidestepping the passphrase part thus avoiding weakening the mechanism).
> Is this available or (when) will this be available?

Yes, we are now considering adding this option for users to input their own AES256 key themselves. Details will be announced once they are available.

See my other replies for your other concerns regarding the disk encryption feature.
Thanks
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighting]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
-
- Starting out
- Posts: 33
- Joined: Sat Feb 02, 2008 2:26 am
Re: Faulty disk encryption implementation?
QNAPAndy wrote:
> peris wrote:
> > So, what I'd like to see is a "high security (confidentiality)" option (checkbox in GUI) to input the AES256 key myself (from the keyboard, or by temporarily inserting a USB drive with the key in a file) the few times I do need to restart/upgrade (users of higher end models use UPS to protect from power failures). Should be really easy to implement (mostly just sidestepping the passphrase part thus avoiding weakening the mechanism).
> > Is this available or (when) will this be available?
>
> Yes, we are now considering adding this option for users to input their own AES256 key themselves. Details will be announced once they are available.

Thanks for answering.
Looking forward to a "bring your own AES key" option.
You also might consider having an option to get the AES key generated, but omitting the extra key management and thus being able to manage LUKS from the command-line and avoid assurance issues.
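
An added example, not part of the original posts and not QNAP's code: one way to check the extra-passphrase concern raised in this thread, assuming the encrypted volume carries a standard LUKS1 header. Each enabled key slot is one passphrase or key file that can unlock the master key, so the check lists enabled slots and flags any the owner did not create; the function names and the sample header are constructed for illustration.

```python
import struct

# LUKS1 on-disk header: 208 big-endian bytes, then 8 key slots of 48 bytes each.
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # state, iterations, salt, key-material offset, stripes
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(blob):
    """Return cipher parameters and the indexes of enabled key slots."""
    if len(blob) < HDR.size + 8 * SLOT.size:
        raise ValueError("truncated header")
    (magic, version, cipher, mode, hash_spec, _payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = HDR.unpack_from(blob, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    enabled = []
    for i in range(8):
        state = SLOT.unpack_from(blob, HDR.size + i * SLOT.size)[0]
        if state == SLOT_ENABLED:
            enabled.append(i)
        elif state != SLOT_DISABLED:
            raise ValueError(f"key slot {i} has unknown state {state:#x}")
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "key_bits": key_bytes * 8,
            "hash": _text(hash_spec), "uuid": _text(uuid), "enabled_slots": enabled}

def unexpected_slots(header, expected):
    """Key slots that are enabled but were not set up by the owner."""
    return sorted(set(header["enabled_slots"]) - set(expected))

def build_sample(enabled):
    """Constructed header for demonstration (not read from any real device)."""
    hdr = HDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                   b"\0" * 20, b"\0" * 32, 1000, b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        SLOT.pack(SLOT_ENABLED if i in enabled else SLOT_DISABLED,
                  1000, b"\0" * 32, 8 + i * 256, 4000)
        for i in range(8))
    return hdr + slots

if __name__ == "__main__":
    info = parse_luks1_header(build_sample({0, 3}))
    print(info, "unexpected:", unexpected_slots(info, expected=[0]))
```

On a real system the input would be the first 592 bytes of the encrypted block device, read as root over SSH.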
-
- Starting out
- Posts: 29
- Joined: Wed Jun 10, 2009 4:08 am