John Ericsson
2022-May-10 17:06 UTC
[Samba] LUKS (disk encryption) and samba shares --no issue, just want advice.
We have been audited and failed :-(
We need to have disk encryption *at rest* on all devices holding personal data, including our samba servers.

We have two disks (one for OS (/) and one mounted for the shares (eg /samba)).
All the shares under /samba must be encrypted.

We can either encrypt the OS and mount "/samba" with a decryption password. So on startup we get a prompt before it properly boots and that decrypts the OS, and in turn the decryption password will be stored within "/" and used to decrypt "/samba".

Alternatively we only encrypt the /samba disk, and we have to SSH into the server and manually type in the password every time it reboots (that is not an issue for us). However of course on startup samba will try to share files that are not yet decrypted.

Any thoughts?
Jeremy Allison
2022-May-10 17:17 UTC
[Samba] LUKS (disk encryption) and samba shares --no issue, just want advice.
On Tue, May 10, 2022 at 06:06:50PM +0100, John Ericsson via samba wrote:
>We have been audited and failed :-(
>We need to have disk encryption *at rest* on all devices holding personal
>data, including our samba servers.
>
>We have two disks (one for OS (/) and one mounted for the shares (eg /samba))
>All the shares under /samba must be encrypted.
>
>We can either encrypt the OS and mount "/samba" with a decryption password.
>So on startup we get a prompt before it properly boots and that decrypts
>the OS, and in turn the decryption password will be stored within "/" and
>used to decrypt "/samba".
>
>Alternatively we only encrypt the /samba disk, and we have to SSH into
>the server and manually type in the password every time it reboots (that is
>not an issue for us). However of course on startup samba will try to share
>files that are not yet decrypted.
>
>Any thoughts?

Both work, but if you want to go the second route you could (via systemd) make the Samba service dependent on something that waits for you to enter the password for the /samba disk.

Probably easier to just encrypt all drives attached to the system though (it's what I do at home).
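
One way to express the systemd dependency suggested in the reply above, for the setup where only the /samba disk is encrypted (an added example, not configuration posted by anyone in the thread). The unit name smbd.service (smb.service on some distributions), the mapping name samba_crypt, the ext4 filesystem, the UUID placeholder and the drop-in file name are assumptions.

```ini
# /etc/systemd/system/smbd.service.d/10-require-samba-mount.conf
# Drop-in for the Samba file server unit; run `systemctl daemon-reload`
# after creating it. File name and unit name are assumptions.
#
# Assumed companion entries (shown as comments; they live in other files):
#   /etc/crypttab:  samba_crypt  UUID=<uuid-of-luks-partition>  none  luks,noauto
#   /etc/fstab:     /dev/mapper/samba_crypt  /samba  ext4  noauto  0  2
# "noauto" keeps the unlock and the mount out of the normal boot sequence,
# so the server comes up far enough for SSH without the passphrase.

[Unit]
# Adds Requires= and After= on the mount unit(s) needed to reach /samba,
# so smbd is ordered after the mount and does not start if the mount fails.
RequiresMountsFor=/samba

# Guard against serving the empty directory underneath the mount point:
# if nothing is mounted on /samba when smbd is about to start, the start
# is skipped rather than exporting unencrypted scratch space.
ConditionPathIsMountPoint=/samba
```

After unlocking and mounting /samba over SSH, `systemctl start smbd.service` brings the shares up; `systemctl status smbd.service` shows whether an earlier start was skipped by the condition.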
David Christensen
2022-May-10 20:39 UTC
[Samba] LUKS (disk encryption) and samba shares --no issue, just want advice.
On 5/10/22 10:06, John Ericsson via samba wrote:
> We have been audited and failed :-(
> We need to have disk encryption *at rest* on all devices holding personal
> data, including our samba servers.
>
> We have two disks (one for OS (/) and one mounted for the shares (eg /samba))
> All the shares under /samba must be encrypted.
>
> We can either encrypt the OS and mount "/samba" with a decryption password.
> So on startup we get a prompt before it properly boots and that decrypts
> the OS, and in turn the decryption password will be stored within "/" and
> used to decrypt "/samba".
>
> Alternatively we only encrypt the /samba disk, and we have to SSH into
> the server and manually type in the password every time it reboots (that is
> not an issue for us). However of course on startup samba will try to share
> files that are not yet decrypted.
>
> Any thoughts?

If your drives are self-encrypting drives (SED) and your computer firmware supports SED, set passwords on the SEDs and you are done.

If your drives are not SED but your computer supports SED, consider replacing your drives with SED and cloning the data.

If your computer does not support SED, consider replacing the computer.

I build software encrypted (e.g. non-SED) storage servers as follows:

- Use the installer to build the OS drive:
  - /boot is unencrypted (required to boot the system)
  - swap is encrypted with a random key, created and used by the bootloader each time the system is booted.
  - Root uses a passphrase, entered by an operator at the console when the system is booted.
- Create a data drive encryption key file at /root/datadrive.key with owner=root, group=root, and mode=0400.
- Create one large partition on each data drive.
- Encrypt each data partition using /root/datadrive.key.
- Add encrypted data partitions to a ZFS pool in mirrored pairs.

David