I had ~60GB going spare on my #RaspberryPi so figured I may as well make the most of it and set up #Samba for file sharing across my LAN. I'm allowing access only from mine and my partner's IPs (which are bound to our MACs) but I'm concerned the share isn't encrypted, so anyone could just walk up to the Pi and take out the SD. Any suggestions for securing shares?
Create an encrypted LUKS container and mount that on your filesystem and then share that through Samba?
This problem isn't related to Samba afaik as it won't be encrypted unless you use FDE/LUKS for your OS/data.
My first thought was LUKS or VeraCrypt (I prefer the latter), but I wonder how that would affect quick and easy mounting on our devices (my partner has little patience for anything that isn't one or two clicks).
There's normally a trade-off between (extra) security and convenience. What is an acceptable trade-off for you (and your partner) is something only you can decide.
Also keep in mind that SD cards are a very poor choice for data storage, especially if there are frequent writes. I guess for read-only access it would be fine.
I use large-capacity SD cards for just the OS and the data it needs to operate. Because of the large capacity, it won't have to overwrite blocks that often and thus won't wear down the SD card too soon.
Yeah I know SDs aren't ideal. However, it won't be used much at all, so I don't think it would degrade much, at least not for a long time. I have a spare 1TB HDD which I could use for storage, but feel like that's maybe overkill as 95% would probably go unused.
It also depends on the quality of the SD card. But in any case, make sure that the data you put on there is also stored/backed up on another (non-SD-card) device, as it can break at any moment. And you're not getting e.g. SMART errors/warnings that can prepare you for disaster.
Yeah, this would just be used for easier sharing rather than proper backups. I have my own system for backups: Rclone encrypted backups to an offsite VPS and Rsync to VeraCrypt containers for an SSD and SD used only for backups.
@syntax Cryptomator is an option.
Thanks, I'll look into it. Haven't tried it before.
@syntax I would use VeraCrypt. You can benchmark it on the Pi, but any low-grade encryption should be good enough without noticing any large speed degradation. AES-256 is lightning fast, and while not the most secure it's enough for another layer. Cryptomator could also work if you don't have much experience with VeraCrypt.
Thanks. I'm familiar with VeraCrypt as I use it for my own backups. But I went with a LUKS container on the Pi. I've left it unlocked on the Pi so it can be mounted easily on our devices. Works well with my Debian system but I'm yet to test my partner's Mac.
@nikolal Yeah I think if I was going to be using mine more often for backups, larger files etc., I would plug in an SSD, but mine is just for occasional use. For example, sharing smaller files with a few clicks instead of looking for spare USBs etc. Also, I have the LUKS container so we have the option of centralising some of the more important/sensitive docs.
@syntax Did you consider setting up the SMB folder as temporary, besides LUKS? Something like /tmp? I think it might be useful if you are too lazy to delete data.
Good idea for temp shares etc., but the Pi stays on 24/7 so I just have a persistent 'Public' SMB share, and inside of that other folders including the (unlocked) 'Encrypted' LUKS folder.