[Request] Use USB device for encryption key

tharvey
Starting out
Posts: 11
Joined: Sat May 30, 2009 2:11 pm

Post by tharvey »

Currently you have to manually unlock an encrypted volume on bootup. It would be nice if the QNAP NAS products could be configured to look at a particular USB port/device/partition/path/file for a key on bootup. This should be a fairly simple feature to add.

This also would get around the fact that if you have an encrypted volume several services won't start at bootup because they rely on the encrypted filesystem causing you to manually have to start/restart them once you've unlocked the volume.

Tim
QNAP TS-439
wonderiuy
Easy as a breeze
Posts: 263
Joined: Sat Apr 18, 2009 4:20 pm

Re: [Request] Use USB device for encryption key

Post by wonderiuy »

Marvellous. +1
To the unmoderated moderator: There is no stupid questions or users, but only offensive answers

NAS Model: TS-853 Pro 8Gb | Firmware: 4.3,3
No. of HDDs: 4x4TB (RAID 5) + 1x2TB + 1x8TB
HDD Model: WD40EFRX RED + Seagate st8000vn0022 Iron Wolf
Ext. Devices: APC UPS 1500VA
NAS Speed/MTU: 1000+1000+1000+1000 Mbps Link Aggregation Trunked, MTU 9000
daverhutt
New here
Posts: 2
Joined: Tue Jun 29, 2010 4:38 pm

Re: [Request] Use USB device for encryption key

Post by daverhutt »

I agree with the comment above.

Is there any provision to do this in the future, or to allow unlocking of the volume via the command line?

Thanks,

David
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: [Request] Use USB device for encryption key

Post by schumaku »

Nice idea - but the argumentation is a) silly and b) wrong. Some good ideas behind your suggestions I think, anyway:
tharvey wrote:Currently you have to manually unlock an encrypted volume on bootup. It would be nice if the QNAP NAS products could be configured to look at a particular USB port/device/partition/path/file for a key on bootup.

a) You can create multiple volumes (based on the smallest set of one disk), encrypt each one individually, and let the system store the key (an unlock-key for the effective key stored anyway in fact!) to unlock the volumes required at boot time automatically.
tharvey wrote:This also would get around the fact that if you have an encrypted volume several services won't start at bootup because they rely on the encrypted filesystem causing you to manually have to start/restart them once you've unlocked the volume.
The only reason why a user intervention to unlock the volume(s) exists is to ensure a legitimate user is in possession of the NAS.
b) Permanently storing the key does open the encrypted volume at boot time - regardless if the key is stored internally, or externally on a USB unit.

Logically, the only reason for storing the key(s) on an external media is the ability to remove the keys, carry away or store the keys at a different place during times the data should not be accessible and remain encrypted. This would require some additional interaction - for example, the ability to unmount an encrypted volume, and allow the removal of the key.

A nice approach would be the ability having to plug the media with the key(s) only at boot (or reboot) times - and stored at a safe place during normal operations. Unless somebody is carrying away the NAS with the UPS and the encrypted volume(s) unlocked...

Greetz,

-Kurt.
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [Request] Use USB device for encryption key

Post by ukez »

+1

I'd like to have the encryption stored on a usb stick and have it decrypt the drives upon boot up.

This would be a good solution for any customers that have a QNAP installed in their office, for times when power points are accidentally switched off or general power downs.

Currently, unless we are present or have remote access we would have to give our customers the administrator password to gain access to the systems menu and hope they can navigate through to the Disk Management, Encrypted File System section and then unlock it.

Who knows what kind of issues could arise from showing them the administrator password and how to get in to the NAS; besides, a lot of my customers don't want to get involved in that end of things.

A USB option or a PC application that can remotely unlock it from the desktop would be cool.

If the USB key encryption can be made to unlock at boot up, I'd like the system to continuously sound an alarm once the drives are unlocked until the USB key is removed.

With the USB boot option we wouldn't have to leave the save to drive option switched on, which is a security risk if the whole NAS is stolen.

At least with the USB stick the NAS drives can be unlocked, then the USB stick can be removed and stored in a safe until it's next required.
Before you criticise a man walk a mile in his shoe's, that way if he's angry he's a mile away and barefoot.
pabouk
Getting the hang of things
Posts: 77
Joined: Thu Jul 22, 2010 4:47 am
Location: Czech Republic

Re: [Request] Use USB device for encryption key

Post by pabouk »

schumaku wrote:A nice approach would be the ability having to plug the media with the key(s) only at boot (or reboot) times - and stored at a safe place during normal operations. Unless somebody is carrying away the NAS with the UPS and the encrypted volume(s) unlocked...
I think that is exactly what tharvey asked for:
tharvey wrote:...It would be nice if the QNAP NAS products could be configured to look at a particular USB port/device/partition/path/file for a key on bootup...
QNAP TS-219P; firmware: 3.7.3 Build 20120801; HDDs: single
1x SAMSUNG Spinpoint F3EG HD203WI 1AN1 (2 TB, green, firmware 1AN10003, 512B sector)
1x SAMSUNG Spinpoint F4EG HD204UI 1AQ1 (2 TB, green, firmware 1AQ10001, 4kiB sector)
onlyalex
Experience counts
Posts: 1459
Joined: Fri Nov 27, 2009 3:16 pm
Location: Gothenburg Sweden

Re: [Request] Use USB device for encryption key

Post by onlyalex »

Here we go again...

By manual config of the built-in LUKS crypt you will be able to store the encryption key at a specified device. This would apply for advanced users who know how to do it.
Having an option in the webadmin, even though it sounds cool, would most likely lower the security. Forgetting the key or bad storage would blow away the whole purpose of it.
Since regular users have very limited security knowledge, passwords stored under the keyboard etc., I bet the function would lead to more harm than good.

If you have customers who demand drive encryption, then you point out one security person who will be on site and knows how to unlock the volume.
This way you will still be the head admin and unlock the drive if necessary. If you are not available, the security-responsible person can do it.

The option to store on a USB could be good for some lazy users, sure. But in the long run I believe most places that would use it would be regular users' offices where no good security-minded person will exist.
The key will eventually be stored close to the NAS or attached to the unit. If the unit gets stolen or hacked we will have users coming here complaining about the bad security and why on earth that function was implemented.

My advice: stick with the password. Better security vs. anyone can unlock it with the USB key, even the wrong person. If that isn't good enough for you then do some reading on the LUKS man pages and create the encryption yourself.
Cheers.
Nas1: Qnap TS-809 Pro "3.7.1 Build 0615"
Nas2: Qnap TS-119 "3.5.0 Build0816"
Nas3: Qnap TS-119P+ "3.5.0 Build0816"
Nas4: Qnap TS-212 "3.6.0 Build0210"
Nas5: Qnap TS-259 Pro+"3.5.0 Build 0815"
Nas6: Qnap TS-459 Pro II "3.5.0 Build 0815"
iPad2: 64Gig 3G "iOS 6"
UPS: APC Back-UPS RS 550VA
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [Request] Use USB device for encryption key

Post by ukez »

onlyalex wrote: If you have customers who demand drive encryption, then you point out one security person who will be on site and knows how to unlock the volume.
This way you will still be the head admin and unlock the drive if necessary. If you are not available, the security-responsible person can do it.
I'm not quite sure how many system installations you regularly carry out in real-world scenarios, but I can assure you that not all SOHO customers have IT professionals on-site to log in to the administrator side of things. A lot of customers actually want their NAS to be set up in the back office out of sight with no intention of meddling with it once it's been set up.
onlyalex wrote: The option to store on a USB could be good for some lazy users, sure. But in the long run I believe most places that would use it would be regular users' offices where no good security-minded person will exist.
The key will eventually be stored close to the NAS or attached to the unit. If the unit gets stolen or hacked we will have users coming here complaining about the bad security and why on earth that function was implemented.
Utter rubbish; you've made a silly assumption there buddy, creating an imaginative scenario in your head like that is ridiculous.

The QNAP encryption software already allows the encryption key to be stored to an external device already, which has nothing to do with being lazy but it actually has something to do with the fact that people commonly forget user names & passwords.

There is currently no other way to recover your lost password for the QNAP's encryption, so storing it on an external device is a perfect solution for password recovery; if you're still trying to convince yourself that it isn't, ask yourself why Microsoft have added that feature to the Windows Operating Systems?
onlyalex wrote: My advice: stick with the password. Better security vs. anyone can unlock it with the USB key, even the wrong person. If that isn't good enough for you then do some reading on the LUKS man pages and create the encryption yourself.
Cheers.
You've totally missed the point of discussion here.

Currently, if you encrypt your QNAP drives and have the drive set to lock when the unit has powered down, the only way to unlock them after it's been switched back on is by entering the administrator's menu and then navigating to the drive encryption page then entering the password.

For the average technical computer minded person this is fine but for an owner / client that's had the unit installed this could be very daunting; keep in mind that the sort of person to have something installed by someone else would normally be the sort of person that doesn't know much about computers or they probably would have installed the QNAP directly by themselves.

The point that some of us are suggesting is that, as the QNAP device already has the option to store the encryption file to an external device, why not allow the owner / client to simply plug in the external device with the encryption file on it, allow them to simply push the power button on and have the QNAP read that external device, recognise the encryption key and then perhaps sound a constant alarm until the key is removed?

What the user does with the USB stick after this process is totally irrelevant. The sort of customer to require encryption in the first place will probably also be the sort of customer to put the USB stick in a safe place when it's not being used; I imagine it would be stored with the keys to the hot swappable bays.
Before you criticise a man walk a mile in his shoe's, that way if he's angry he's a mile away and barefoot.
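The boot-time flow proposed in the post above (plug in the stick, power on, unlock, alarm until the key is removed), written out as an added example that is not part of the original thread and is not QNAP code. It assumes a Linux system with `cryptsetup`, `blkid` and `logger`; the label `NASKEY`, the file name `volume1.key`, the mapping name and the device path are placeholders.

```shell
#!/bin/sh
# Added example (not QNAP code): unlock a LUKS volume from a key file on a USB
# stick at boot, then nag until the stick is pulled. All values are assumptions.
KEY_LABEL="${KEY_LABEL:-NASKEY}"            # filesystem label of the stick (assumed)
KEY_NAME="${KEY_NAME:-volume1.key}"         # key file name on the stick (assumed)
LUKS_DEV="${LUKS_DEV:-/dev/PLACEHOLDER}"    # encrypted block device (placeholder)
MAP_NAME="${MAP_NAME:-cryptdata}"           # device-mapper name (assumed)
MIN_KEY_BYTES="${MIN_KEY_BYTES:-32}"        # reject trivially short key files

# Print the key path if DIR holds a usable key file; 1 = missing, 2 = too short.
check_keyfile() {
    ck_key="$1/$KEY_NAME"
    # Refuse symlinks so a planted link cannot redirect the read elsewhere.
    if [ ! -f "$ck_key" ] || [ -L "$ck_key" ]; then
        echo "no regular key file at $ck_key" >&2
        return 1
    fi
    ck_size=$(( $(wc -c < "$ck_key") ))
    if [ "$ck_size" -lt "$MIN_KEY_BYTES" ]; then
        echo "key file too short ($ck_size bytes)" >&2
        return 2
    fi
    printf '%s\n' "$ck_key"
}

# True while a filesystem with the key label is attached.
stick_present() { blkid -L "$KEY_LABEL" >/dev/null 2>&1; }

# Mount the stick read-only, open the volume, and always unmount again.
unlock_from_usb() {
    uu_dev=$(blkid -L "$KEY_LABEL") || { echo "key stick not attached" >&2; return 10; }
    uu_mnt=$(mktemp -d) || return 11
    if ! mount -o ro,nosuid,nodev,noexec "$uu_dev" "$uu_mnt"; then
        rmdir "$uu_mnt"; return 12
    fi
    if uu_key=$(check_keyfile "$uu_mnt"); then
        cryptsetup --key-file "$uu_key" luksOpen "$LUKS_DEV" "$MAP_NAME"
        uu_rc=$?
    else
        uu_rc=13
    fi
    umount "$uu_mnt" && rmdir "$uu_mnt"
    return "$uu_rc"
}

# The "alarm until the key is removed" idea: log a warning every few seconds.
nag_until_removed() {
    while stick_present; do
        logger -t usbkey "volume unlocked: remove the key stick and lock it away"
        sleep 5
    done
}

# Run only when invoked as: script --boot (keeps the functions sourceable).
if [ "${1:-}" = "--boot" ]; then
    unlock_from_usb && nag_until_removed
fi
```

The warning goes to syslog here because a hardware buzzer is device-specific; a stick that is left plugged in gives the same exposure as a key saved on the NAS itself.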
onlyalex
Experience counts
Posts: 1459
Joined: Fri Nov 27, 2009 3:16 pm
Location: Gothenburg Sweden

Re: [Request] Use USB device for encryption key

Post by onlyalex »

Well, I see you totally missed my point here.
ukez wrote: A lot of customers actually want their NAS to be set up in the back office out of sight with no intention of meddling with it once it's been set up.
Sure, that would apply for some. And other customers have either co-location of the IT equipment or an administrator / IT guy who can handle it.

I based my totally rubbish assumption on some of the lazy users I come in contact with in my daily work in IT consulting. I did not say it would apply to all but rather some.
Having the encryption key on USB could of course be good for some, and bad for some.
ukez wrote: There is currently no other way to recover your lost password for the QNAP's encryption,
Well, you could start by making a backup of the encryption key and save that to a file, if I'm not mistaken.
ukez wrote: You've totally missed the point of discussion here.
Well, have I? My point was that most regular users, not all, do not care so much about security. Writing down passwords on paper under the keyboard. Having weak passwords like family name, personal security number etc. It's most likely for this user that the USB encryption key would be the weak link, even though you have done everything from a security perspective to secure the system, incl. encryption.
ukez wrote: Currently, if you encrypt your QNAP drives and have the drive set to lock when the unit has powered down, the only way to unlock them after it's been switched back on is by entering the administrator's menu and then navigating to the drive encryption page then entering the password.
Yes, that's how it works.
ukez wrote: For the average technical computer minded person this is fine but for an owner / client that's had the unit installed this could be very daunting
Agreed.
ukez wrote: why not allow the owner / client to simply plug in the external device with the encryption file on it, allow them to simply push the power button on and have the QNAP read that external device, recognise the encryption key and then perhaps sound a constant alarm until the key is removed?
That would be a good approach. Having an alarm would notify the users so the key is not left in the system.
ukez wrote: What the user does with the USB stick after this process is totally irrelevant
Sure, it's up to the users. Having the alarm you pointed out could help here.
ukez wrote: The sort of customer to require encryption in the first place will probably also be the sort of customer to put the USB stick in a safe place when it's not being used
Good thinking, and it will for sure apply for most people but not all.

So if I'll break it down to ya mate.
I've made some assumptions out of experience, as have you. I see that of course good can come out of this, making it easier for the customer to manage the encryption on his own.
I also see some customers that just want encryption just because they know it's good but don't understand, or might handle the encryption key in a bad way.

The reason why I was against it from my first post is that I come in contact with a lot of those lazy users as an IT consultant and have learned one or two things.
As you suggested, having an alarm or some kind of buzzer sound if you forget it in would be a very good start for the number-2 customers, the lazy users who would have the USB plugged in all the time.

Cheers.
Nas1: Qnap TS-809 Pro "3.7.1 Build 0615"
Nas2: Qnap TS-119 "3.5.0 Build0816"
Nas3: Qnap TS-119P+ "3.5.0 Build0816"
Nas4: Qnap TS-212 "3.6.0 Build0210"
Nas5: Qnap TS-259 Pro+"3.5.0 Build 0815"
Nas6: Qnap TS-459 Pro II "3.5.0 Build 0815"
iPad2: 64Gig 3G "iOS 6"
UPS: APC Back-UPS RS 550VA
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

bootup USB dongle to auto input encryption password

Post by ukez »

@onlyalex

I could have done with that damn boot up USB encryption key that I mentioned in the past, today...

I've had three call outs since I last mentioned it on here, two of which were fine as I was able to just VPN in and resolve it for them; but today after the NAS was shut down by a tinkering new member of staff, one of my clients went 7hrs without access to their NAS as I was unreachable (was working underground) GrRRRRR!!.

If I could have issued them that USB dongle from the start to unlock the hard drive encryption at boot up without having to mess about and fondle with the administrator dashboard where they could potentially cause even more problems, the NAS could have ...no no would have been fully operational within 5 minutes of it being shut down.

Can QNAP either:
1) Make this a bootup USB dongle to auto input encryption password QPKG
2) Enable a separate user account or user login purely for unlocking the drives without having to enter the administrator page.
Before you criticise a man walk a mile in his shoe's, that way if he's angry he's a mile away and barefoot.
qq123
New here
Posts: 5
Joined: Sun Nov 29, 2015 12:39 am

Re: [Request] Use USB device for encryption key

Post by qq123 »

Three years late, but as a new user, I would also vote for a USB key option. This worked well for a Windows server using BitLocker encryption. The server wouldn't reboot without the USB key in place, and the office manager (non-IT) could keep the key hidden much like the front key of the building. As for the QNAP, I would be happy if just the data volumes could be linked to a USB key if it is too difficult for the entire drive to be encrypted with a key.
Hank Moody
New here
Posts: 6
Joined: Tue Jun 27, 2017 8:26 pm

Re: [Request] Use USB device for encryption key

Post by Hank Moody »

Registered JUST for this.

This Thread was created (more) than 8 YEARS AGO and still we haven't got a solution.

Implementing such a function shouldn't take that much; How could we point the Qnap-Developers to this topic?

Cheers,
Hank

EDIT // Handed in a Feature-Request @QNAP, hopefully they'll see the urge of an 8-year old feature-request
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [Request] Use USB device for encryption key

Post by ukez »

Hank, it makes too much sense to implement mate, so don't hold your breath..
Before you criticise a man walk a mile in his shoe's, that way if he's angry he's a mile away and barefoot.
Hank Moody
New here
Posts: 6
Joined: Tue Jun 27, 2017 8:26 pm

Re: [Request] Use USB device for encryption key

Post by Hank Moody »

How can we gain the attention of the Devs for this?
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: [Request] Use USB device for encryption key

Post by ukez »

Not sure mate; a lot of suggestions are listened to on here, but more often than not they're usually rebutted or totally overlooked by other users who themselves can't see the benefit as they personally don't have a need for something.

In some cases QNAP won't even entertain something unless it sees its main competitor doing it first or sees their rival benefiting from it, which is pretty much the same with Synology too really, which is why the two main competitors' platforms are so very similar and very bland.

Personally I think the idea mentioned above is awesome, much needed and can only complement the platform. Why anyone would suggest otherwise is beyond me. Why they would think it's easier to have someone login at administrator level to enter an encryption code at a time that the likes of Apple, Android and many other manufacturers are getting with the times and trying to make security more secure and easier to manage. The USB options would be awesome, better still would be to have a simple manageable biometrics fingerprint recognition swipe on the front of the device next to that one touch backup button. How about that?
Before you criticise a man walk a mile in his shoe's, that way if he's angry he's a mile away and barefoot.