Hi everyone, I have a RNDP4000 NAS unit with 4 WD 3 TB disks each and firmware 4.2.31 version.Before I upgrade to the OS6.x version (because I would like to have the encryption feature) I wanted to ask you how safe I can think of a protected iSCSI LUN with CHAP protection (with a strong 16-character password) in case someone steals my Netgear NAS. Thanks. Bob
Model: RNDP4000 (ReadyNAS Pro 4)|ReadyNAS® Pro 4 System Diskless|EOL
Re: How safe can be a iSCSI LUN with CHAP security
Although I don't use the iSCSI LUN feature myself, I believe that that CHAP authentication might not be enough to protect against theft. It does authenticate the initiator (and optionally the target). But since the thief has direct access to the LUN container, he might still be able to extract your data without using an initiator.
Since the LUN is block storage and is formatted by the client, you should be able to encrypt the LUN itself. That would block direct data extraction (and any initiator would also need to know the encryption key). You could combine that with CHAP.
Before I upgrade to the OS6.x version (because I would like to have the encryption feature)
IMO this feature has limited value, because you need to keep a thumb drive with the encryption key near or in the NAS. The thief likely will steal the key also, and could figure out what it is for. At least you should assume that he will.
Operationally, you need to insert that key whenever you boot the NAS. That includes cases where the NAS is rebooted when you install the firmware and when power is restored after a power loss.
Re: How safe can be a iSCSI LUN with CHAP security
I put critical personal files in a VeraCrypt container on the NAS. I run Veracrypt on the PC, not the NAS. Also, unless you are content with incredibly sluggish writes, put VeraCrypt containers in a volume with strict sync disabled.
A BitLocker encrypted VHD or VHDX virtual drive can also be used if you have Windows Pro. Strict sync doesn't bother it.
