[Request] Use USB device for encryption key

Tell us your most wanted features from QNAP products.
buggy82
Getting the hang of things
Posts: 75
Joined: Thu Mar 20, 2008 11:54 pm

Re: [Request] Use USB device for encryption key

Post by buggy82 » Thu Jul 06, 2017 3:22 am

OneCD wrote:Agreed. I'm not a security professional, so I welcome any feedback from those who are.

Me neither, but I´ve been interested in IT security topics for some time. Unfortunately one needs to be a mathematical algorithm wizard to be able to assess encryption security.

OneCD wrote:My intention here was to contain the unlock password in a secure environment (within the NAS) instead of keeping it out in the open (on a USB stick).

The DOM is no such environment. Technically it is an internally attached USB flash drive.
What you need here is special hardware for this. Something like Wikipedia (en): Trusted Platform Module
TPM is implemented using dedicated secured hardware on the mainboard. From what I´ve read, it is frowned upon by the open source/open hardware community for being an proprietary and inaccessible gatekeeper on mainboards that prevent e.g. Linux systems from booting from it.

OneCD wrote:It was only to prevent the average person copying the USB stick (and associated identifier).

There are tons of simple disk imaging softwares out there. In fact any backup software is capable of copying such sticks with 3 simple buttons: "Select Source", "Select Target", "Go".
Someone trying to break into your server definately won´t use Windows Explorer or the MacOS one to copy your decryption flash drive.
Imho: Not worth implementing without dedicated hardware, like special USB dongles.
TS 409 Pro - decommissioned
TS 559 Pro+ - degraded to an iSCSI target, disabled all services
TS 651 + UX 800P 3xRAID5 (as Storage Pool 1), actually RAID50 + 1 Single Drive (test VMs/temp data, QTS apps)

User avatar
OneCD
Ask me anything
Posts: 8489
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [Request] Use USB device for encryption key

Post by OneCD » Thu Jul 06, 2017 6:26 am

buggy82 wrote:Me neither, but I´ve been interested in IT security topics for some time.

Oh... I see... :'

buggy82 wrote:
OneCD wrote:My intention here was to contain the unlock password in a secure environment (within the NAS) instead of keeping it out in the open (on a USB stick).

The DOM is no such environment. Technically it is an internally attached USB flash drive.

I was not suggesting the DOM was a secure environment. And yes, I'm very aware of what it is and how it presents to the OS. ;)

buggy82 wrote:Imho: Not worth implementing without dedicated hardware, like special USB dongles.

I have suggested a method that can be implemented without requiring action on the part of QNAP. However, any method will have its problems. If the NAS admin is aware of the risks and is willing to take them, then it's on their head if it goes wrong.

Your turn: how would you do this with the environment available and without requiring 'special' hardware?

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

buggy82
Getting the hang of things
Posts: 75
Joined: Thu Mar 20, 2008 11:54 pm

Re: [Request] Use USB device for encryption key

Post by buggy82 » Thu Jul 06, 2017 7:45 am

Sorry, I did not intent to make you angry or so... :( English is not my native tongue so I may sound a bit harsh sometimes. Sorry for that!

The idea itself is really good, but it is never a good idea to rely on security by obscurity (USB drive copy protection) or presenting something as being secure while having backdoors/serious flaws in the implementation (decryption key "obfuscated" in DOM)

So, how would I do it?
In the best of all worlds, I´d use a retail encrypted USB flash drive with pinpad, something like this: [Image] [Example from Amazon.com]. Using such a key introduces an additional layer of security. If security demands are lower, one could - of course - also use a standard usb flash drive without encryption.

Since one can have different encryption keys for different volumes on the NAS, the USB flash drive should contain both: For each volume you need a volume id and the matching key. For this we need some sort of convention.

Example use case:
Assumption: Key file name is volume ID (Example: "12345-67890-abcde-fghij.key").

On boot execute a script on an unencrypted (boot) volume that performs the following steps
1. The NAS shall scan for encrypted volumes and external devices. It saves the volume IDs of encrypted volumes in a variable ($ids).
2. If it finds an attached USB flash drive, mount it and try to find files whose filenames match found volume IDs of encrypted volumes (Pseudocode: For each $id in $ids {if exists (usbDevice.getFileByName($id))} ).
3. For each matching pair: Automatically start to decrypt and mount the respective volume. When complete, emit a sound to make the user disconnect the USB key.

Else if one or more matching volume decryption keys are missing,decrypt and mount whats possible and fall back to standard behaviour (QTS login and decrypt with user interaction in Storage Manager with file or password).

Same if no USB flash drive is found.

Done.

What do you think? Pretty straight forward isn´t it?
TS 409 Pro - decommissioned
TS 559 Pro+ - degraded to an iSCSI target, disabled all services
TS 651 + UX 800P 3xRAID5 (as Storage Pool 1), actually RAID50 + 1 Single Drive (test VMs/temp data, QTS apps)

User avatar
OneCD
Ask me anything
Posts: 8489
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [Request] Use USB device for encryption key

Post by OneCD » Thu Jul 06, 2017 1:39 pm

buggy82 wrote:Example use case:
Assumption: Key file name is volume ID (Example: "12345-67890-abcde-fghij.key").

On boot execute a script on an unencrypted (boot) volume that performs the following steps
1. The NAS shall scan for encrypted volumes and external devices. It saves the volume IDs of encrypted volumes in a variable ($ids).
2. If it finds an attached USB flash drive, mount it and try to find files whose filenames match found volume IDs of encrypted volumes (Pseudocode: For each $id in $ids {if exists (usbDevice.getFileByName($id))} ).
3. For each matching pair: Automatically start to decrypt and mount the respective volume. When complete, emit a sound to make the user disconnect the USB key.

Else if one or more matching volume decryption keys are missing,decrypt and mount whats possible and fall back to standard behaviour (QTS login and decrypt with user interaction in Storage Manager with file or password).

Same if no USB flash drive is found.

Done.

What do you think? Pretty straight forward isn´t it?

Looks good to me (but I'm no expert) and it's close enough to what I suggested that I'm not likely to disagree with your process. I think you should code this up. :geek:

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

buggy82
Getting the hang of things
Posts: 75
Joined: Thu Mar 20, 2008 11:54 pm

Re: [Request] Use USB device for encryption key

Post by buggy82 » Thu Jul 06, 2017 8:29 pm

OneCD wrote:I think you should code this up. :geek:


As I´m a complete rookie in shell scripting and QNAP app packaging, this sounds like a nice opportunity to learn something. I´ll think about that. :)
TS 409 Pro - decommissioned
TS 559 Pro+ - degraded to an iSCSI target, disabled all services
TS 651 + UX 800P 3xRAID5 (as Storage Pool 1), actually RAID50 + 1 Single Drive (test VMs/temp data, QTS apps)

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9470
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [Request] Use USB device for encryption key

Post by Moogle Stiltzkin » Sat Jul 15, 2017 6:21 am

ukez wrote:
Personally, I think a user manageable biometric fingerprint reader would be a nice touch for them to simply swipe to re-enable the encryption and HDD data, but that's just my two cents dream i guess :lol:


another curious development. I thought it was a hoax or fake news at first, but apparently it's a real thing :shock: guess it's not somethong anthony weiner would be interested, considering how much exposure his gotten... :mrgreen:
http://www.news.com.au/technology/home- ... 479d25186a
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) single disks.
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228
[^] QNAP TS-128
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

Hank Moody
New here
Posts: 6
Joined: Tue Jun 27, 2017 8:26 pm

Re: [Request] Use USB device for encryption key

Post by Hank Moody » Sat Jul 15, 2017 11:17 pm

@ukez We finally got some tension into this topic ..after 8 years man :)
@buggy82: lovely simplistic flow!
@OneCD: Even if you don't use qnaps-fw anymore /but seen you developed/coded a lot for it/ would you mind teaming up with buggy82 getting this job done straightforward? Simple tool/script into a qpkg so that even a no-coder like me could use it :P

On boot execute a script on an unencrypted (boot) volume that performs the following steps
1. The NAS shall scan for encrypted volumes and external devices. It saves the volume IDs of encrypted volumes in a variable ($ids).
2. If it finds an attached USB flash drive, mount it and try to find files whose filenames match found volume IDs of encrypted volumes (Pseudocode: For each $id in $ids {if exists (usbDevice.getFileByName($id))} ).
3. For each matching pair: Automatically start to decrypt and mount the respective volume. When complete, emit a sound to make the user disconnect the USB key.

Else if one or more matching volume decryption keys are missing,decrypt and mount whats possible and fall back to standard behaviour (QTS login and decrypt with user interaction in Storage Manager with file or password).

Same if no USB flash drive is found.

Done.


The one and only thing that could be altered for security reasons would be to not let the qnap start operating fully until the usb is removed. Sure the user itself, letting the stick on the nas after decrypting is an asshole. I'd just consider this for a v2; The sound should be enough of a reminder to remove the key, and the sound is surely easier to implement than everything else.

I would really love to see this tool coming alive!! :D :D :D

Have a nice saturday!

Cheers
Hank

Hank Moody
New here
Posts: 6
Joined: Tue Jun 27, 2017 8:26 pm

Re: [Request] Use USB device for encryption key

Post by Hank Moody » Tue Aug 08, 2017 9:22 pm

Any progress over here.. ? :DD

User avatar
OneCD
Ask me anything
Posts: 8489
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [Request] Use USB device for encryption key

Post by OneCD » Sun Jan 28, 2018 4:15 pm

Happy to revisit this as I now have time to take on a new project (i.e. I'm bored. ;) )

But before it can happen, hoping that someone (or several someones) can perform feasibility checks on a few items. I can't check for these as I don't use volume encryption.

So, we'll need to:
  • ensure that it is possible to unlock a selected volume from the command-line with a saved keyfile. You'll need to show what you did to make this work. QTS must recognise that the volume is unlocked when you're done, so I suspect it won't be as simple as just unlocking with LUKS.

  • check that [autorun.sh] still works during NAS startup - even if the volumes have not been unlocked. This is the easiest place I can think of to start checking for a connected USB device. [autorun.sh] is expected to be found on the DOM, but I don't know if QTS will make it to this point in startup (where [autorun.sh] is executed) in the event of a locked volume.

  • put these first two tests together and ensure that volume unlocking can be performed in [autorun.sh]. If this works, then the rest is easy.

  • find a universal method to make the NAS beep (HAL vs SOC).

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

gasongasoff
New here
Posts: 3
Joined: Mon Apr 09, 2018 10:54 am

Re: [Request] Use USB device for encryption key

Post by gasongasoff » Mon Aug 27, 2018 10:06 am

Did this feature ever get developed? I could totally use it. I can't use S3 sleep because my QNAP 10GBE add-in card is not compatible. Which means to save power I have to power off completely.

Stefan5
First post
Posts: 1
Joined: Sat Mar 28, 2020 11:05 pm

Re: [Request] Use USB device for encryption key

Post by Stefan5 » Sat Mar 28, 2020 11:07 pm

Any updates? That would be an awesome feature...

User avatar
jaysona
Easy as a breeze
Posts: 468
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [Request] Use USB device for encryption key

Post by jaysona » Tue May 19, 2020 7:56 am

Well, since we're all just spit balling here, and there is no real QNAP involvement, and we're well into the future of when this thread was first started, I'll say it's now time to forget USB memory stick and go with something like a YubiHSM now. :D
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

Hank Moody
New here
Posts: 6
Joined: Tue Jun 27, 2017 8:26 pm

Re: [Request] Use USB device for encryption key

Post by Hank Moody » Mon Nov 30, 2020 7:55 pm

@jaysona how would one configure an YubiHSM to work with qnap encryption? Would you mind linking some?

User avatar
jaysona
Easy as a breeze
Posts: 468
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [Request] Use USB device for encryption key

Post by jaysona » Tue Dec 01, 2020 4:36 am

A Google search for YubiHSM and full disk encryption will provide more than enough links for you to read.

If using a YubiHSM is not something you are familiar with, then I would not suggest using this, as it will require a lot of custom work on the QNAP, such a finding a free LUKS key slot among other things.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

Post Reply

Return to “Features Wanted”