[Samba] LUKS (disk encryption) and samba shares --no issue, just want advice.
Gaiseric Vandal
gaiseric.vandal at gmail.com
Thu May 12 14:48:36 UTC 2022
On 5/10/2022 4:39 PM, David Christensen via samba wrote:
> On 5/10/22 10:06, John Ericsson via samba wrote:
>> We have been audited and failed :-(
>> We need to have disk encryption *at rest* on all devices holding personal
>> data, including our samba servers.
>>
>> We have two disks (one for OS (/) and one mounted for the shares (e.g. /samba))
>> All the shares under /samba must be encrypted.
>>
>> We can either encrypt the OS and mount "/samba" with a decryption password.
>> So on startup we get a prompt before it properly boots and that decrypts
>> the OS, and in turn the decryption password will be stored within "/" and
>> used to decrypt "/samba".
>>
>> Alternatively we only encrypt the /samba disk, and we have to SSH into
>> the server and manually type in the password every time it reboots (that is
>> not an issue for us). However of course on startup samba will try to share
>> files that are not yet decrypted.
>>
>> Any thoughts?
>
>
> If your drives are self-encrypting drives (SED) and your computer
> firmware supports SED, set passwords on the SED's and you are done.
>
>
> If your drives are not SED but your computer supports SED, consider
> replacing your drives with SED and cloning the data.
>
>
> If your computer does not support SED, consider replacing the computer.
>
>
> I build software encrypted (e.g. non-SED) storage servers as follows:
>
> - Use the installer to build the OS drive:
>
>   - /boot is unencrypted (required to boot the system)
>
>   - swap is encrypted with a random key, created and used by the
>     bootloader each time the system is booted.
>
>   - Root uses a passphrase, entered by an operator at the console when
>     the system is booted.
>
> - Create a data drive encryption key file at /root/datadrive.key with
> owner=root, group=root, and mode=0400.
>
> - Create one large partition on each data drive.
>
> - Encrypt each data partition using /root/datadrive.key.
>
> - Add encrypted data partitions to a ZFS pool in mirrored pairs.
>
>
> David
>
>
Which audit/compliance framework required encrypting server drives? I
understand encrypting drives in laptops since those get lost or stolen
frequently. Servers are typically kept in locked rooms so the risk of
physical theft is much lower. From an availability perspective, it
seems like requiring a boot up password on a server creates a new set
of problems with ensuring high availability, especially if you are
running virtual machines and the underlying hard drives require a
password.

Side note - I have found that ZFS on Linux seems to
impose a performance hit compared to XFS or ext4 even without
encryption. I suspect it is something to do with how it is ported
from Solaris.
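
For the second option in the original question (encrypt only the /samba disk and unlock it by hand over SSH), the following is an added example, not part of any poster's message: a systemd drop-in that keeps smbd from starting while /samba is not a mount point, plus the unlock and lock steps. The device path, the mapping name `samba_crypt`, the unit name and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Only the data disk is encrypted and an
# admin unlocks it over SSH after each reboot.
# DEV, MAP and UNIT are assumptions; /samba is the mount point from the thread.
DEV="${DEV:-/dev/disk/by-id/EXAMPLE-DATA-DISK-part1}"  # placeholder device
MAP="${MAP:-samba_crypt}"                              # hypothetical mapping name
MNT="${MNT:-/samba}"
UNIT="${UNIT:-smbd.service}"                           # smb.service on some distros

# run CMD...: execute, or only print when DRY_RUN=1 (for review and testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# write_guard ROOT: install a drop-in under ROOT so the unit is skipped,
# rather than serving an empty directory, while MNT is not a mount point.
write_guard() {
    dir="$1/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir" || return 1
    printf '[Unit]\nConditionPathIsMountPoint=%s\n' "$MNT" \
        > "$dir/10-need-data-disk.conf"
}

# unlock_and_start: run by the admin after each reboot.
unlock_and_start() {
    run cryptsetup open --type luks "$DEV" "$MAP" || return 1  # asks for passphrase
    run mount "/dev/mapper/$MAP" "$MNT" || return 1
    run systemctl start "$UNIT"
}

# lock_again: stop serving first, then unmount and drop the key from memory.
lock_again() {
    run systemctl stop "$UNIT" || return 1
    run umount "$MNT" || return 1
    run cryptsetup close "$MAP"
}

case "${1:-}" in
    guard)  write_guard "${2:-}" && run systemctl daemon-reload ;;
    unlock) unlock_and_start ;;
    lock)   lock_again ;;
esac
```

Run it with `DRY_RUN=1` first to review the commands; `guard` with no second argument writes the drop-in under the real /etc.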