× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.
Orbi WiFi 7 RBE973
Reply

ReadyNAS Encryption

HSTPC
Aspirant

ReadyNAS Encryption

Hello,

 

I am a new admin with a RR2312. No matter what I type in the Model field, it blanks it immediately :-(.

 

I have created several volumes on the NAS. I would like to use one of the volumes to store historical backups of Hyper-V and System State backups for the purpose of recovery against Ransomware attack.

 

I would like that volume to be encrypted except for when I am copying data to it.

 

I read that the only way to decrypt a volume is to reboot the NAS with the USB key inserted. After I'm done, the only way to encrypt the volume is to reboot the NAS with the USB key removed.

 

Is there any way to accomplish encrypting/decrypting without rebooting the NAS?

 

Thank you.

 

Message 1 of 6
StephenB
Guru

Re: ReadyNAS Encryption


@HSTPC wrote:

 

I would like that volume to be encrypted except for when I am copying data to it.

 


This is a bit confused.  If a volume is encrypted, then it is always encrypted.  The on-disk structures are what are encrypted.

 

Perhaps more importantly, encrypting the physical volume doesn't provide any network security. Anyone with the network credentials can still read/write to the shares on the volume.  So encrypting the volume wouldn't give you any protection from a ransomware attack.

 

Options that could help with ransomware are

  • Cloud backup (which often does have built-in protection)
  • air-gapping a backup in some way
  • disabling file sharing protocols on the backup destination.

 

What I do myself is that I have backup NAS that only allow rsync backup combined with a cloud backup service.  The backup NAS also are on a power schedule, so they would likely be off when a ransomware attack strikes.  That would hopefully give me time to disconnect them from the network if my systems were infected.  If not, the fallback is the cloud backup service (which also provides disaster recovery).

Message 2 of 6
Sandshark
Sensei

Re: ReadyNAS Encryption

You really created multiple volumes, each of which must encompass at least one full drive?  That's not a very efficient method of using a NAS.  The more usual method is to create one volume across multiple drives with multiple shares.  Of course, the ReadyNAS does not have share-level encryption, so if you want only some of your shares in an encrypted volume, you would have to create at least one separate volume for that.

 

I think what you are looking for is more like VeraCrypt containers or BitLocker encrypted virtual drives within a share.  Those are restricted to a single computer having one open, but your use sounds like that's not a problem.  I use VeraCrypt.  You don't run it on the NAS, you run it on the PC and put the container on the NAS.  Note that you will want to disable strict sync for that share, or writes will be very slow.  BitLocker encrypted VHDs don't have the problem with strict sync, but I have only used them for experiments in determining why the VeraCrypt writes go so slow and looking for an alternative if I couldn't find and fix it.

 

Another option that I have not investigated is to use iSCSI to create virtual drives and BitLocker encrypt those.

Message 3 of 6
StephenB
Guru

Re: ReadyNAS Encryption


@Sandshark wrote:

 

I think what you are looking for is more like VeraCrypt containers or BitLocker encrypted virtual drives within a share. 


That would provide protection from someone else getting the VM images, but it wouldn't provide any protection from a ransomware attack.

Message 4 of 6
Sandshark
Sensei

Re: ReadyNAS Encryption


@StephenB wrote:

@Sandshark wrote:

 

I think what you are looking for is more like VeraCrypt containers or BitLocker encrypted virtual drives within a share. 


That would provide protection from someone else getting the VM images, but it wouldn't provide any protection from a ransomware attack.


I didn't consider that if the ransomware can get to the containers, it can still re-encrypt them.  So, the iSCSI option, with the whole volume encrypted by BitLocker or VeraCrypt, seems a possible solution.  You can lock and unlock the volume and even connect and disconnect the target if you want to go that far.  This, too, is limited to a single user at a time.

Message 5 of 6
HSTPC
Aspirant

Re: ReadyNAS Encryption

Thank you. I think the iSCSI method might work and I think I can figure out how to do it 🙂

 

On behalf of our stray and abandoned animal clients, thank you.

 

Steve

Message 6 of 6
Top Contributors
Discussion stats
  • 5 replies
  • 1479 views
  • 0 kudos
  • 3 in conversation
Announcements