I had ~60GB going spare on my so figured I may as well make the most of it and set up for file sharing across my LAN. I'm allowing access only from mine and my partner's IPs (which are bound to our MACs) but I'm concerned the share isn't encrypted, so anyone could just walk up to the Pi and take out the SD. Any suggestions for securing shares?

@syntax
Create an encrypted LUKS container and mount that on your filesystem and then share that through Samba?

This problem isn't related to Samba afaik as it won't be encrypted unless you use FDE/LUKS for your OS/data.
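
The approach suggested in this reply (a LUKS container, mounted on the Pi and shared through Samba), as an added example that is not part of the thread or any poster's own setup. The file paths, mapping name and client IPs are constructed placeholders; the functions that call cryptsetup and mount need root.

```shell
#!/bin/sh
# Added example: LUKS container file on the Pi, exported through Samba.
# Constructed names: /srv/vault.img, mapping "vault", mount point /srv/encrypted.
# This file only defines functions; nothing touches the disk until one is called.

IMG=/srv/vault.img; MAP=vault; MNT=/srv/encrypted

create_container() {                 # $1 = size, e.g. 8G
    truncate -s "$1" "$IMG"          # sparse backing file on the SD card
    cryptsetup luksFormat "$IMG"     # prompts for the passphrase
    cryptsetup open "$IMG" "$MAP"
    mkfs.ext4 "/dev/mapper/$MAP"
    cryptsetup close "$MAP"
}

# True while the dm-crypt mapping exists, i.e. the plaintext view is available.
is_unlocked() { [ -e "/dev/mapper/$1" ]; }

unlock_and_mount() {
    is_unlocked "$MAP" || cryptsetup open "$IMG" "$MAP"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAP" "$MNT"
}

lock() {
    umount "$MNT"
    cryptsetup close "$MAP"          # mapping removed; the image is ciphertext until reopened
}

# Print an smb.conf share limited to the listed client IPs.
share_stanza() {                     # $1 = share name, $2 = path, $3 = allowed IPs
    printf '[%s]\n' "$1"
    printf '   path = %s\n' "$2"
    printf '   read only = no\n'
    printf '   hosts allow = %s\n' "$3"
}

# Typical order, as root (IPs are constructed, from the documentation range):
#   create_container 8G
#   unlock_and_mount
#   share_stanza Encrypted "$MNT" "192.0.2.10 192.0.2.11" >> /etc/samba/smb.conf
#   lock    # before powering off or moving the Pi
```

While the mapping is open, the files are readable on the Pi itself; the SD card holds only ciphertext after `lock` or a power-off.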

@FreePietje
My first thought was LUKS or Veracrypt (I prefer the latter), but I wonder how that would affect quick and easy mounting on our devices (my partner has little patience for anything that isn't one or two clicks)

@syntax
There's normally a trade-off between (extra) security and convenience. What is an acceptable trade-off for you (and your partner) is something only you can decide.

@syntax
Also keep in mind that SDcards are a very poor choice for data storage, especially if there are frequent writes. I guess for Read-Only access it would be fine.
I use large capacity SDcards for just the OS and the data it needs to operate. Because of the large capacity, it won't have to overwrite blocks that often and thus won't wear down the SD card too soon.

@FreePietje
Yeah I know SDs aren't ideal. However, it won't be used much at all, so I don't think it would degrade much, at least not for a long time. I have a spare 1TB HDD which I could use for storage, but feel like that's maybe overkill as 95% would probably go unused.

@syntax
It also depends on the quality of the SD card. But in any case, make sure that the data you put on there is also stored/backed up on another (non-SD-card) device, as it can break at any moment. And you're not getting f.e. SMART errors/warnings that can prepare you for disaster.

@FreePietje
Yeah, this would just be used for easier sharing rather than proper backups. I have my own system for backups: Rclone encrypted backups to an offsite VPS and Rsync to Veracrypt containers for an SSD and SD used only for backups.

@syntax I would use VeraCrypt, you can benchmark it on the Pi but any low-grade encryption should be good enough without noticing any large speed degradation. AES-256 is lightning fast, and while not the most secure it's enough for another layer. Cryptomator could also work if you don't have much experience with VeraCrypt.

@ThreeBadgersInATrenchcoat
Thanks. I'm familiar with Veracrypt as I use it for my own backups. But I went with a LUKS container on the Pi. I've left it unlocked on the Pi so it can be mounted easily on our devices. Works well with my Debian system but I'm yet to test my partner's Mac.

@syntax
Report back please on the performance of the SD card. I'm thinking of getting an SSD and RPi4, but if SD is good I won't change it.
@ThreeBadgersInATrenchcoat

@nikolal
I've had no issues yet. My Pi 4 runs off a 64GB SD but is only used for Pi-hole and Samba shares. It seems fine to me but I haven't done proper benchmarking or anything. I also just got a Pi Zero W with camera and have it running motionEyeOS.
@ThreeBadgersInATrenchcoat

@syntax My only fear is read/write speed for large files since I plan to host some via Nextcloud or IPFS, I don't know if SD is up to the task.
@ThreeBadgersInATrenchcoat

@nikolal Yeah I think if I was going to be using mine more often for backups, larger files etc., I would plug in an SSD, but mine is just for occasional use. For example, sharing smaller files with a few clicks instead of looking for spare USBs etc. Also, I have the LUKS container so we have the option of centralising some of the more important/sensitive docs.

@syntax Did you consider setting up an smb folder as temporary besides LUKS? Something like /tmp? I think it might be useful if you are too lazy to delete data.

@nikolal
Good idea for temp shares etc but the Pi stays on 24/7 so I just have a persistent 'Public' smb share, and inside of that other folders including the (unlocked) 'Encrypted' LUKS folder.
