Jaman42
Mar 10, 2014 (Aspirant)
Fastest way to FUBAR a raid 5 array?
Hi guys, I have a ReadyNAS Pro 4 with 4 2TB disks in a RAID 5 array. I am having a hard time finding out if it is possible to use some kind of file encryption on it the way I would like it to work. Whe...
mangrove
Mar 16, 2014 (Apprentice)
The standard way of doing it with iSCSI is just mounting it in your computer, letting TC encrypt the partition that iSCSI exposes. This has several advantages:
1) The computer has to be on and logged in to access data -- there is no easy way of accessing that data using only the NAS. Turning off/locking the computer leaves the data completely encrypted (except in computer RAM and caches), which is not the case with "USB keys in the NAS" et cetera. This means you can leave the house with everything running while still being pretty darned secure.
2) Encrypted and non-encrypted files can co-exist on the same volume (the iSCSI "device" is just a big file on the NAS file system).
3) You can use all of TrueCrypt's standard features, such as hidden volumes.
4) You can move the iSCSI container file from disk, mount it as a volume on another system, and access it with TrueCrypt even if the NAS breaks.
5) If you trust Intel and NIST, you can use AES as encryption, and get no performance hit from encryption/decryption due to the new AES accelerating instructions in newer Intel processors.
6) Data is encrypted all the way into your computer; sniffing the data stream is meaningless.
There are also disadvantages:
1) This method is rubbish on OS6; performance is super bad. (Edit: not since 6.1.9 RC5 if you disable "sync writes" on the LUN)
2) iSCSI performance is worse than CIFS, but dunno if worse than NAS-encrypted file systems (as that taxes the puny NAS CPUs).
3) The computer has to be on and logged in to access data -- there is no easy way of accessing that data using only the NAS. Yes, this was also a pro. ;-) But you can NOT in any safe way use NAS-hosted bittorrent or the like to access the iSCSI container.
Regarding data wiping, removing the partitions (or better, writing dummy ones) will stop all normal adversaries. If you envision forced entry by determined and competent people, like government agencies and the like, zeroing the drives will stop that too, but you won't have time for that.