Support disk encryption of /DataVolume partition

Status: Unplanned
by on 01-31-2011 11:51 AM - last edited on 09-06-2011 11:05 AM by Community Manager

 

Hello,

 

I would like to suggest that with the next firmware update, the Linux kernel inside the WD Mybook Live should include the non-hardware related modules such as encryption and loopback device modules which are available by default on normal Linux systems.

 

My goal is to encrypt the /DataVolume volume using the built-in Linux 2.6 full disk encryption and provide a way to unlock the volume once after boot. For me personally, an SSH login would suffice (using libpam-mount), but for most people, providing a way via e.g. WD Quick View would of course be more user friendly.

 

This way, all data is readable after unlocking it once, but becomes inaccessible once the device loses power (and has to be unlocked again). The Linux 2.6 crypto API provides ways to unlock using multiple passwords, so each user could (theoretically) use his own password to unlock the drive.

 

I have exactly this set up running in a G4 Mac Mini running Ubuntu, which was my former backup server, but this machine is limited to 250G of storage, and I would LOVE to see WD NAS disk encryption get enabled, with the low power usage it has it would be my definite future backup disk!

 

 

Comments
by on ‎02-01-2011 01:19 AM

We do need a secure NAS drive!

by Staff on ‎03-07-2011 08:50 AM
Status changed to: Acknowledged
There are business reasons behind not putting encryption in.
by Staff on ‎03-07-2011 11:27 AM
Status changed to: Unplanned
 
by on ‎03-20-2011 07:57 PM

Hopefully posting this isn't thoroughly out of order. Following this suggestion probably voids your warranty.

 

I strongly suspect this is possible for an end user. The source code is available, and a guide on installing a crosscompiler is available on a wiki that I probably shouldn't link to. Using this I have built a loop.ko module, installed it, and now have encfs working beautifully on a My Book Live. That provides an encrypted folder, but not an entire partition.

 

Whole partition encryption is slightly different, and it's (considerably) inconvenient that the default settings use a 64kB block size for the ext4 DataVolume. If you're willing to reformat the DataVolume partition (I'll be testing this shortly, but haven't yet) and build a suitable module then whole partition encryption, unlocked over ssh, is well within reach.

by on ‎03-31-2011 11:31 AM

@WDTony,

are those business reasons legally motivated (not being able to sell devices which support encryption in some countries)?

 

@Jonj678,

 

how is your progress regarding encrypting the /DataVolume partition?

Also, how do WD's custom made scripts cope with such changes, i.e. if /DataVolume cannot be mounted during boot, will it be reformatted automatically?

 

If I can SSH into the box and follow instructions like these

https://we.riseup.net/debian/automatically-mount-encrypted-home

(of course, adapted for /DataVolume instead of /home), then I am happy.

 

I tried doing this but failed (because I could not get the cross compiling kit to run), and thus returned my MyBook Live to Amazon.

 

Also, I'd like to know whether the Linux kernel uses the ARM CPU's AES hardware support. This would make using dm_crypt and similar modules really fast.

 

Regards

by on ‎04-02-2011 05:25 PM

I'd be interested to know whether the AES is hardware accelerated or not, but I do not know how to find out. Any hints would be appreciated :)

 

The restore to factory settings scripts reformat /DataVolume. At some point xfs must have been considered, as that's commented out, but the weird blocksize is passed in the script. Changing to ext3 and bs=4k would be very simple if running a factory restore, otherwise one can just reformat it. I haven't, but some other people have had success with parted (resizing partitions in particular).

 

You certainly can ssh into the box. I can't persuade it to compile modules locally, but have got a crosscompiler running as advised on a wiki. The required dm-mod, dm-crypt, cryptoloop compile and insert with no bother, and the device is then quite happy creating an encrypted volume on loopback. I'm certain it'll encrypt /dev/sda4 quite happily once I find the enthusiasm to pull all the data off, reformat, and push the data back on.

 

Cheers
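
One way to approach the hardware-acceleration question raised in the last two comments, as an added example that is not from any poster or from WD: the kernel lists every registered cipher implementation in /proc/crypto, and for a given algorithm name it uses the implementation with the highest priority. The sample data and the driver name `aes-hwdemo` are constructed for illustration; a non-generic driver name is a hint at an accelerated implementation, not proof of one.

```shell
# Constructed sample in /proc/crypto layout; "aes-hwdemo" is a made-up driver name.
constructed_sample() {
cat <<'EOF'
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100

name         : aes
driver       : aes-hwdemo
module       : hwdemo_crypto
priority     : 300

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
EOF
}

# Print "priority name driver module" for every algorithm whose name mentions
# aes, highest priority first. $1 = file to read (default /proc/crypto).
aes_drivers() {
    awk -F' *: *' '
        function emit() {
            if (name ~ /aes/) print prio, name, driver, module
            name = driver = module = prio = ""
        }
        { sub(/[ \t]+$/, "") }            # drop trailing whitespace
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "module"   { module = $2 }
        $1 == "priority" { prio = $2 }
        NF == 0          { emit() }       # blank line ends a record
        END              { emit() }
    ' "${1:-/proc/crypto}" | sort -rn
}

# Print the driver the kernel would pick for algorithm $2 in file $1.
preferred_driver() {
    aes_drivers "$1" | awk -v alg="$2" '$2 == alg { print $3; exit }'
}

# On the device itself: list what the running kernel has registered.
aes_drivers 2>/dev/null || true
```

Modules such as dm-crypt only show up here once they or the ciphers they request are loaded, so run it after inserting the modules.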
