I was wondering if there was a way to do full disk encryption for the cloud. Specifically, have all my data stored in an encrypted form and decrypted/re-encrypted on the fly as it is being accessed. Is that even possible? The idea being that if data is stored encrypted, even if the network is compromised, my data is more or less safe. I guess the caveat is that the key would have to be stored on the computer accessing the drive and not on the drive itself?
Would like to hear how some of you have handled this, as I am a little uncomfortable (perhaps unnecessarily so, in which case I would also like to understand why I need not worry) having data in plain form on the drive which is connected to the www.
Some considerations which would help streamline the discussion:
- I’m reluctant to use VeraCrypt (or the like) to create an 8 TB container as the encryption/decryption would be a painfully long and troublesome process.
- My network is already protected by the necessary safeguards, e.g. built-in firewall, strong password, unneeded ports closed etc.
- I’m in a mixed ecosystem (Windows and Mac) so solutions would need to be compatible with both
- Price - free is best but low is good too
Thanks!
It requires some knowledge since wdmycloud has no native HDD.
wdmycloud native OS is Linux (modified by WD but still Linux), and so in theory you can use many Linux applications.
Either you do it yourself to compile and install the app, or use apt-get with some repository to install an app. Search the forum for some methods.
There are 2 easy options I played with sometime ago:
- Install and use LUKS (Linux Unified Key Setup): cryptsetup / cryptsetup · GitLab
Read the user guide and search the web for setup and tutorial.
You will access the drive by logging in via ssh.
Mount the encrypted volume, transfer files, and unmount the volume (or keep them permanently mounted).
Plan a strategy for backup (more than once, at least one off site).
If you lose the passphrase you are screwed. No way to recover anything. So you need a security strategy here as well.
You need to access the encrypted volume remotely as well. You will need to use ssh (or some other method, none available by default or you have to configure yourself).
The easiest one is SSH to connect remotely to your NAS since it is native to wdmycloud. You will need to configure the server on the NAS to encrypt the logging and use an encryption key. Again, if you lose the key you are screwed. Plan a strategy here for safely saving keys.
Maybe a titanium USB dongle around your neck 
You will need to be a fairly competent Linux user. Just read Linux documentation and play with it before attempting anything at all.
DO NOT LEARN ON YOUR NAS. USE A PC OR LAPTOP. YOU CAN EVEN PUT LINUX ON A USB DONGLE AND BOOT FROM THAT TO LEARN.
This works with any ssh client from any other operating system.
- This is fairly easier. Use sshfs: GitHub - libfuse/sshfs: A network filesystem client to connect to SSH servers
Everything I said in point 1 about ssh applies here as well.
This is also portable among all operating systems that support ssh protocols.
For Mac, ssh is native and you only need to generate secure keys (you must use the same key among all operating systems or you are screwed).
For Windows there are many clients you can use, such as PuTTY. My personal preferences are WinSCP and Bitvise.
In all points you need to be comfortable using and configuring ssh and basic Linux shell commands and possibly basic shell scripting.
Remember that tinkering with any device increases the possibility of bricking it but the rewards are worth it (if you can recover it or afford another one) 
You also need to know how to secure your router and understand it.
In all methods, enable logging, learn how to read the logs, and review them daily.
Always test your backups and make sure they are working, otherwise you lose the lot when you least expect it.
Always secure your laptop as well and encrypt it too if possible.
Never leave passphrases or encryption keys on your laptop or PC.
It is easy to go over the top, but it depends on what you are storing and how important it is.
Finally, these are the most basic, secure, feasible methods that any user can do (provided you put in some effort); there are others.
Maybe you are better off using a dedicated NAS with HDD encryption.
Excuse my English and grammar, it is not my native language.
FORGOT to add: logging into your NAS via SSH and modifying the OS may invalidate your warranty. Use at your own risk.
Oh one more thing, HDD encryption will impact read/write transfer.
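
The reply's advice to enable logging and review the logs daily, as an added example (not part of the original posts and not WD's software): a POSIX shell function that summarises sshd authentication lines. The sample log is constructed, the message layout assumed is stock OpenSSH syslog output, and flagging accepted password logins is an assumption that follows from the advice to log in with SSH keys.

```shell
#!/bin/sh
# Added example: daily review of sshd authentication lines.
# Assumes stock OpenSSH syslog messages ("Failed ... for USER from IP port N").

# Constructed sample log (documentation-range addresses, not real traffic).
# Line 3 has a user name that itself contains "from <ip>", which a naive
# "field after from" parser would misread as the source address.
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 nas sshd[2211]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jan 12 03:14:09 nas sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Jan 12 03:14:12 nas sshd[2213]: Failed password for invalid user x from 10.0.0.1 from 203.0.113.5 port 51130 ssh2
Jan 12 04:02:55 nas sshd[2250]: Failed password for root from 198.51.100.7 port 40100 ssh2
Jan 12 08:30:41 nas sshd[2310]: Accepted publickey for root from 192.168.1.20 port 50122 ssh2: ED25519 SHA256:CONSTRUCTED
Jan 12 21:47:03 nas sshd[2544]: Accepted password for root from 198.51.100.7 port 40388 ssh2
EOF
}

# Reads sshd log lines on stdin and prints one finding per line:
#   FAILED <ip> <count>               failed attempts per source address
#   ACCEPTED <method> <user> <ip>     every successful login
#   ALERT password-login <user> <ip>  success without a key
review_ssh_log() {
    awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) / {
        # The source address is the field before the LAST "port" token;
        # the user name is remote-controlled text, so never trust "from".
        ip = ""
        for (i = NF; i > 1; i--) if ($i == "port") { ip = $(i - 1); break }
        if (ip == "") next
        if ($6 == "Failed") { failed[ip]++; next }
        method = $7; user = $9
        print "ACCEPTED", method, user, ip
        if (method == "password") print "ALERT password-login", user, ip
    }
    END { for (ip in failed) print "FAILED", ip, failed[ip] }
    ' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
sample_log | review_ssh_log
```

To use it on the NAS, pipe the system's sshd log into `review_ssh_log` in place of `sample_log`; where that log lives depends on the firmware and has to be checked on the device.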