TS-509 Filesystem AES Encryption Passphrase

Discussion on setting up QNAP NAS products.
User avatar
thanatos74
Starting out
Posts: 46
Joined: Wed Jan 21, 2009 5:46 pm
Location: Munich

TS-509 Filesystem AES Encryption Passphrase

Post by thanatos74 »

Hi there,

I'm the proud owner of a 509 Turbo NAS with the latest firmware (2.1.1 Build 0122). :D
The box has 4 x 1,5 TB Seagate drives, setup as Raid 5 with encryption on it.
So far, no problem at all. Using the Webinterface I can open and mount the encrypted luks partition without any problems.

Now, for some reasons, I would like to add another key to unlock the encrypted partition.
As fas as I can say, the TS-509 uses a standard luks partiton for encryption.
Therefore also the "cryptsetup" command works. Using

Code: Select all

cryptsetup luksDump /dev/md0
I've get displayed all the parameters of the encrypted partiton.

BUT, the problem is that I can NOT use the passphrase, entered on the Web Interface to do anything to the encrypted partition!
I looks like that the passphrase is not used as entered in the Web Interface but altered in some way before used for encrypting the filesystem...
Example: When I try to manually open the encrypted partiton with the command

Code: Select all

cryptsetup luksOpen /dev/md0 /share/..
and entering the same passphrase I would enter in the Webinterface, I only get the error message

Code: Select all

No key available with this passphrase.

Command failed.
:(

So far, I was not able to find out, what has be done to the passphrase entered in the Web GUI.

Maybe someone else out there, ran into the same thing???
Any suggestions?

Any help would be appreciated!

Thanks

Thanatos
~ Two hours of trial and error can save ten minutes of RTFM ~
User avatar
thanatos74
Starting out
Posts: 46
Joined: Wed Jan 21, 2009 5:46 pm
Location: Munich

Re: TS-509 Filesystem AES Encryption Passphrase

Post by thanatos74 »

Has no one any further ideas, or is my problem just to "special"? :(

In the meantime I've got answered my Qnap Support request.
QNAP is not willing to help me. They say, they support the encryption feature only through the Web Management Interface...
I told them that I only need to know what they do to the passphrase, entered in the Web Management Interface but they are not willing to answer that question.

Thanatos
~ Two hours of trial and error can save ten minutes of RTFM ~
User avatar
petur
Moderator
Posts: 4606
Joined: Sun Mar 30, 2008 5:42 pm
Location: Gent, Belgium
Contact:

Re: TS-509 Filesystem AES Encryption Passphrase

Post by petur »

I hope this is not security through obscurity... but I guess you can't force them to tell you how their code actually works (their code = web UI)
Praat je liever over QNAP in het Nederlands?
Liever een community bij jou in de buurt?

Kom naar QNAPclub België/Nederland
User avatar
thanatos74
Starting out
Posts: 46
Joined: Wed Jan 21, 2009 5:46 pm
Location: Munich

Re: TS-509 Filesystem AES Encryption Passphrase

Post by thanatos74 »

Yes you are right - sound like security by obscurity.
Of course I can not force them to help me but otherwise what could be the reason they dont want/can help me.

Anyway this leaves a bad mark. I want MY password to be used. The "additional security" by mangling my input is not needed.
I wish I would have used the CLI to setup encryption - then I would really knew what going on and which keys are used...
~ Two hours of trial and error can save ten minutes of RTFM ~
User avatar
petur
Moderator
Posts: 4606
Joined: Sun Mar 30, 2008 5:42 pm
Location: Gent, Belgium
Contact:

Re: TS-509 Filesystem AES Encryption Passphrase

Post by petur »

let me create a bugreport for it and see how they respond to that ;)
Praat je liever over QNAP in het Nederlands?
Liever een community bij jou in de buurt?

Kom naar QNAPclub België/Nederland
User avatar
thanatos74
Starting out
Posts: 46
Joined: Wed Jan 21, 2009 5:46 pm
Location: Munich

Re: TS-509 Filesystem AES Encryption Passphrase

Post by thanatos74 »

:lol:
Why not. The worst thing to happen may be that QNAP denies to confirm that this is a "'bug" :wink:
~ Two hours of trial and error can save ten minutes of RTFM ~
peris
Starting out
Posts: 33
Joined: Sat Feb 02, 2008 2:26 am

Re: TS-509 Filesystem AES Encryption Passphrase

Post by peris »

thanatos74 wrote: In the meantime I've got answered my Qnap Support request.
QNAP is not willing to help me. They say, they support the encryption feature only through the Web Management Interface...
I told them that I only need to know what they do to the passphrase, entered in the Web Management Interface but they are not willing to answer that question.
This smells fishy.... i was just about to ask QNAP how the encrypton key management works and if i can be sure that the encryption key will never be stored on disk unless I want it to be. Reading the manual didn't get my hopes up as they use strange frases such as "passwords" and "unlocking" in the same context as encryption keys.

If they know what they are doing there is no reason not to explain how things are done. Encryption with AES256 done right, using good keys is so secure there is NO reason what so ever not to explain. So I'd say they either know they have done something bad (like "protecting" the real symetric key with some weaker algorithm or perhaps they have a back door to "help" customers that has lost their key) or they don't know what they are doing so better not tell anyone. Having done some military grade work with encryption I know how easy you kan botch things up destroying the benefits from a good encryption algorithm.

There is no reason to use disk encryption if you don't know the implementation is solid. So if we dont get straight answers - consider the encryption function not available.
User avatar
thanatos74
Starting out
Posts: 46
Joined: Wed Jan 21, 2009 5:46 pm
Location: Munich

Re: TS-509 Filesystem AES Encryption Passphrase

Post by thanatos74 »

Peris, this is exactly what I think.
Not knowing what exactly happens with the key, we can consider the encryption only as unsecure, not to say useless or not existent.

If implemented right, encryption would be a nice feature but with the actual implemention I already removed the encryption from my disks as it is not secure (at least in my opinion).
~ Two hours of trial and error can save ten minutes of RTFM ~
peris
Starting out
Posts: 33
Joined: Sat Feb 02, 2008 2:26 am

Re: TS-509 Filesystem AES Encryption Passphrase

Post by peris »

Yes, but sadly It seem that most NAS implementations are murky in this area. There is a theoretical possibility that QNAP has implemented the encryption correctly - but as they don't answer questions on the subject i 'd say - they have not done it correctly (or the guy not answering questions does not understand how damaging it is for customer trust).

I DO understand the need for ease of use (and even a possibility to recover if the passphrase is lost), but that is no reason not to also provide a secure mode of operation for those of us that values security (confidentiality).

I guess that the passphrase is used to decrypt the real AES-key used for encryption. This is bad for the strength of mechanism and assurance on so many levels. What algorithm is used? How is it applied? What gets stored where? How is seed and random used? The BIG question is however: Is there more than one passphrase that can "unlock" the AES key - that is - are there always at least one QNAP back door available to help customers that has lost their passphrase (will always leak out)? I'd guess Yes - and this is a showstopper for security (confidentiality)!

I'd say fine - do provide this easy to use (low/medium security) "encryption" with passphrase, but ALSO provide a real secure option. A checkbox to guide the user into the "high security (confidtiality)" mode instead of th default "low/medium security (confidentiality) mode. See below:

Most users of higher end QNAP devices /that support encrypton) seldom restart the QNAP when things work and most use a UPS to protect from power failures. So, when you do need to upgrade firmware/add disk or recover using a back-up it is not a big problem to actually input the whole AES-key - either by temporary inserting a USB-device (with the key in a text-file) or manually from the keyboard. Also - I want an option to provide my own AES-key to know there is really a good random key (not just using urandom).

Also QNAP - if you really do need a recover support option for the low security mode - please do use a different passphase for each individal unit (that is not based on externally visible identifiers).
peris
Starting out
Posts: 33
Joined: Sat Feb 02, 2008 2:26 am

Re: TS-509 Filesystem AES Encryption Passphrase

Post by peris »

I posted a question on this issue in the presales forum.
peris
Starting out
Posts: 33
Joined: Sat Feb 02, 2008 2:26 am

Re: TS-509 Filesystem AES Encryption Passphrase

Post by peris »

Got an answer ... sort of...
User avatar
thanatos74
Starting out
Posts: 46
Joined: Wed Jan 21, 2009 5:46 pm
Location: Munich

Re: TS-509 Filesystem AES Encryption Passphrase

Post by thanatos74 »

:lol:
Seems like you are not very pleased with the answer you've got - would you like to let us know?
At least I'm quite interested knowing what they've said!
~ Two hours of trial and error can save ten minutes of RTFM ~
peris
Starting out
Posts: 33
Joined: Sat Feb 02, 2008 2:26 am

Re: TS-509 Filesystem AES Encryption Passphrase

Post by peris »

This is a link to the thread.

http://forum.qnap.com/viewtopic.php?f=12&t=12104

Any thoughts?
User avatar
thanatos74
Starting out
Posts: 46
Joined: Wed Jan 21, 2009 5:46 pm
Location: Munich

Re: TS-509 Filesystem AES Encryption Passphrase

Post by thanatos74 »

thx for the link...
Very, very interesting....

I've already found out, that they are using some kind of additional key management, because when you enter the passphrase in the web gui in order to unlock an encrypted partition, a file called (cant remember exactly) "tmpkey" ist created under /tmp.
That file only stays there for a few seconds - most likely only as long as they need it to unlock the encrypted partition.
I also tried to copy that file to another place (succeeded), lock the encrypted partition again (succeeded) and use that "stolen" file to unlock the partition again...it did not work. :?

The thread you linked to, also openes up more questions then it actually answers.
Like you said before, it the implementation of security is done right, there is no need for "security by obscurity".

Finally I must say, the answers you've got are quite similar to the ones they sent me.
They only admit they do some kind of "key management" but are not willing to give any further information on this...
On some point they also stop to answer questions - the first answer on your post was there only the next day, but now nothing for more than a week...I'm sorry to say, that I've made the same experience when I wrote to the support email address.

If they really take your suggestions into consideration, we can only hope on a firmware upgrade with expanded security and encryption features...

In the meantime, my conclusion is to not use the encryption feature on qnap devices. :(

/thanatos
~ Two hours of trial and error can save ten minutes of RTFM ~
Jeroen1000
New here
Posts: 7
Joined: Tue Mar 17, 2009 8:44 pm

Re: TS-509 Filesystem AES Encryption Passphrase

Post by Jeroen1000 »

Interesting topic. So the big question is: what happens with the passphrase and how is the symmetric AES key protected? I've put of buying a NAS for over a year now. And when an affordable finally comes along I can't figure out how secure it is :(. By judging the number of replies not many people seem to care. It's not like I've got something special to hide but private data is private and I'd feel bad when someone runs off with it!
Post Reply

Return to “Turbo Station Installation & Setup”