0

That's the question really. More out of fun, I reused an older dormant box to be my documents NAS at home. I attached two 2TB external HDDs and set up mirroring RAID. That all went well and I am happy. It's a Linux box running Pop-OS.

400GB of data is stored there already.

But now, I got a bit paranoid. All my docs are there. I want to encrypt all data so that if someone would steal the HDDs or something, the data would not be accessible.

Can I do this after I already set it up, or do I need to start from scratch?

6
  • As long as you keep your program for full drive encryption secret, nobody will bother giving / is able to deliver an answer that is valid for all available crypto software.
    – r2d3
    Commented Feb 24, 2022 at 14:41
  • Not sure I understand @r2d3, if you mean what I am going to use to encrypt the drives - I don't know! In fact suggestions appreciated, the question is primarily about if it is possible. My search terms didn't yield responses to what I am looking for... Then, if it is possible, how to do it... Commented Feb 24, 2022 at 14:44
  • I'm unsure about hardware RAID, but software RAID [ZFS] allows creating a new encrypted dataset alongside non-encrypted datasets, and if you have ~32GB of RAM, you may want to consider using TrueNAS as the NAS OS (TrueNAS is RAM intensive when copying large amounts of data to its shares), otherwise there are Linux distros that support ZFS (software RAID is superior to hardware RAID for a wide variety of reasons). General FYI: unless using SSDs, encryption will have a large performance impact with mechanical HDDs, so unless actually needed, it's generally not recommended in a non-SSD NAS.
    – JW0914
    Commented Feb 24, 2022 at 16:24
  • @r2d3 - presumably PopOS / Linux and "all data" imply he is planning on using LUKS.
    – davidgo
    Commented Feb 24, 2022 at 18:31
  • 2
    I'm not aware that LUKS (Linux full disk encryption) can encrypt an in-use disk. The easiest solution may be to rebuild the NAS.
    – davidgo
    Commented Feb 24, 2022 at 18:32

1 Answer

1

If you want disk level encryption, LUKS is the standard Linux specification you'll need to look into. It works on the partition level so, assuming you can consolidate/repartition your RAID disk, you can set up a new partition that uses LUKS. After rebooting the computer, you'll need to enter a password every time to unlock the encrypted partitions.

If you want to encrypt individual files manually, you want to look into gnupg and similar single-file encryption tools. These can be very labor intensive. Generally, you need to manually manage the encryption keys used with every file. You'll generally also need to enter a password each time you want to encrypt or decrypt a file.

If you want to have an encrypted directory on your existing partition, eCryptfs is one of many many tools you'll want to look into. eCryptfs will automatically encrypt every file in a directory with gnupg. The user's keyring and logon are used to store/manage encryption keys. There are many other tools that provide slightly different security management schemes. For example, there are tools that encrypt entire directories into one encrypted archive.

3
  • This sounds like what I want to do. And I am envisioning disk level encryption, so the 1st paragraph. Can you help me understand though if what you are saying is that I'd need to start from scratch? I.e. backup my 400GB of data first, do all the LUKS stuff, then re-upload the data to the RAID? Or would I be able to run some magic command(s) without data loss. I hope I am making myself clear... Commented Feb 25, 2022 at 0:11
  • 1
    If you want 100% of your RAID volume to be encrypted, you should start from scratch. If you want anything else, you should resize the partitions on your RAID volume so you get the relative sizes you are looking for.
    – Andy
    Commented Feb 25, 2022 at 0:13
  • Thanks @Andy, I fully understood now. Much appreciated. Commented Feb 25, 2022 at 0:33
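
Added example, not part of the original thread: after rebuilding, one way to confirm that a partition or RAID device really starts with a LUKS container (rather than a plaintext filesystem) is to read its on-disk header. The sample headers and UUID below are constructed for illustration, and the device path passed to `check_device` is whatever your own setup uses.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of a LUKS1/LUKS2 primary header

def _cstr(raw):
    """Decode a NUL-padded fixed-width header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks_header(buf):
    """Return header facts for a LUKS container, or None if buf is not LUKS."""
    if len(buf) < 208 or buf[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack_from(">H", buf, 6)        # big-endian uint16
    info = {"version": version, "uuid": _cstr(buf[168:208])}
    if version == 1:
        # LUKS1 keeps cipher name/mode and payload offset in the binary header
        info["cipher"] = _cstr(buf[8:40]) + "-" + _cstr(buf[40:72])
        info["payload_offset_sectors"], info["key_bytes"] = \
            struct.unpack_from(">II", buf, 104)
    elif version == 2:
        # LUKS2 keeps cipher details in a JSON area; only size/label are binary
        (info["header_size"],) = struct.unpack_from(">Q", buf, 8)
        info["label"] = _cstr(buf[24:72])
    else:
        return None
    return info

def check_device(path):
    """Read the first 4 KiB of a device or image file (needs read permission)."""
    with open(path, "rb") as f:
        return parse_luks_header(f.read(4096))

# --- constructed sample headers (not taken from a real disk) ---
_UUID = b"00000000-0000-0000-0000-000000000001".ljust(40, b"\0")
SAMPLE_LUKS1 = (LUKS_MAGIC + struct.pack(">H", 1)
                + b"aes".ljust(32, b"\0") + b"xts-plain64".ljust(32, b"\0")
                + b"sha256".ljust(32, b"\0") + struct.pack(">II", 4096, 64)
                + bytes(20 + 32 + 4) + _UUID)
SAMPLE_LUKS2 = (LUKS_MAGIC + struct.pack(">HQQ", 2, 16384, 1)
                + b"nas-docs".ljust(48, b"\0") + b"sha256".ljust(32, b"\0")
                + bytes(64) + _UUID)
SAMPLE_PLAINTEXT = bytes(4096)   # e.g. the zeroed start of an unencrypted volume

if __name__ == "__main__":
    for dev in sys.argv[1:]:
        print(dev, check_device(dev) or "NOT a LUKS container")
```

A `None` result means the start of that device is not a LUKS header, so a filesystem found there is stored unencrypted.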
