Difference between revisions of "Encryption, NTFS Support, and Windows Share Management"
m (1 revision(s))
Revision as of 17:05, 10 November 2007
This little hack opens up a lot of new possibilities and is really just a simple procedure that can be performed on an unmodified TeraStation (or any network drive for that matter). In working on the Samba script, it occured to me that all my data was sitting there on the TeraStation, ripe for the plucking for anyone who gained physical access to the drive since there is practically nothing done to secure the file system. Yes, you can use the TeraStation's crippled web interface to manage a simplistic set of network credentials, but that's as far as security on this thing extends.
So, here are the tasks I set out to accomplish:
- Encrypt and secure the data.
- Use NTFS for the file system.
- Access the drive as a local disk so that I could expose and manage shares using Windows.
Since this procedure exposes the network drive as a local disk to Windows, you can manage it in a domain environment by managing the PC that becomes the owner for the disk.
Here's the procedure for what you need to do:
- Go to http://www.truecrypt.org/ to download and install TrueCrypt.
- Move everything off of your TeraStation. Yes, I know this can be painful.
- Expose only a single share on your TeraStation and secure it with an appropriate user account.
- Make sure you can connect to the share from Windows.
- Use TrueCrypt to create a ~1TB volume file on the share or whatever size you'd like to allocate to encrypted space. Use whatever level of TrueCrypt security settings you like for securing your data (key file, password, nothing, etc.). Let TrueCrypt format the volume NTFS.
- Now, you can either sit there and wait on it to format ~1TB over the network (I did, it's more secure), or if you don't have two days to kill, then just cut off the network connection to the TeraStation (i.e. pull the plug or disable your Windows NIC used to talk to it). TrueCrypt will complain that the volume disappeared. No problem, just close down the dialog and reboot your TeraStation.
- Once your TeraStation comes back up, you now have a ~1TB file sitting out there just waiting to be mounted. Fire up TrueCrypt and mount that file to a drive letter. If you aborted the format in the previous step, you'll need to quick format the drive: format /q /fs:ntfs <letter>:
- You should now have a 1TB NTFS disk to use and abuse as you would any local drive.
One caveat is that if you expose any network shares, lanmanserver won't see them unless you restart it after the TrueCrypt drive holding the data is mounted. So, I recommend creating a simple batch file in your Startup folder to mount the drive using TrueCrypt and then restart your Server services:
set TC="%ProgramFiles%\TrueCrypt\TrueCrypt.exe" %TC% /q /l s /v \\Server\Share\File.tc /k <keyfile> /p <password> net /y stop lanmanserver net start Browser
Or, add this to a computer or user startup script. Don't forget that Windows Server editions have additional services you need to start up after resetting lanmanserver (like DFS).
TrueCrypt is also available for Linux, but currently it can only mount shares not create them. If you're using your TeraStation with a Linux box, you'll need to have a Windows install handy to create the initial image file. Otherwise, I could have much more easily logged in to the TeraStation and done the format from the shell.
--Aaron 21:28, 4 April 2006 (CEST)