I own a small Intel QNAP NAS, and I wanted to have a form of "security at rest". I tried folder and volume encryption, but AES-NI support is not implemented directly, so it is slooooooooow and sluggish.
Then I discovered SED (self-encrypting) disks (Wikipedia), which, through the logic present -inside- the disk, do a pretty decent job without killing performance.
The documentation is obviously ominous, scarce and missing most things.
I hereby suggest using SED drives as non-boot disks, so you can log in to the NAS and enable them. Then store everything on the SED drives (applications included).
Soon I will add a guide describing how to work with QNAP and bootable SED drives.
If someone is able to connect the disks to another machine without detaching the power, they can read the data, because an unlocked drive stays unlocked until it loses power. If you want something more paranoid, encrypt the folders too.
DO NOT STORE THE KEYS ON THE NAS, NEVER. This way, when the NAS reboots, you will have to go to the web interface and enter the login manually (for non-boot drives).
Please be aware first that only disks supporting OPAL are supported. Just to give an example
Others, like the Seagate EXOS, support only ENTERPRISE SED.
You can check the capabilities of your disk with
sedutil-cli --scan
The result would be like the following
Scanning for Opal compliant disks
/dev/sda 2 Samsung 870 QVO 8TB 2B7QCXE7
/dev/sdb No Crucial_CT250MX200SSD1 MU04
/dev/sdc E WD Ultrastar H550 16TB 0001SDM7
/dev/sdd 12 Unknown 0001SDM7
No more disks present ending scan.
Here we see that the WD has only Enterprise support (E), the Samsung supports Opal 2.0 (2) and the Crucial... nothing. The unknown disk supports Opal 1 and 2.
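As an added example (not from the original post and not part of sedutil), this shell script reads the scan output shown above and sorts each disk by the code in the second column, so you can see at a glance which ones are usable with the OPAL setup. The function names and verdict labels are made up for illustration; the sample is the scan output from this page.

```shell
#!/bin/sh
# Sample input: the scan output shown on this page.
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/sda 2 Samsung 870 QVO 8TB 2B7QCXE7
/dev/sdb No Crucial_CT250MX200SSD1 MU04
/dev/sdc E WD Ultrastar H550 16TB 0001SDM7
/dev/sdd 12 Unknown 0001SDM7
No more disks present ending scan.'

# classify_scan (hypothetical helper): reads `sedutil-cli --scan` output on
# stdin and prints "<device> <verdict>" for every /dev/... line.
#   1, 2 or 12 -> opal            (usable for the setup described here)
#   E          -> enterprise-only (not usable with OPAL tooling)
#   No         -> no-sed          (no self-encryption support reported)
classify_scan() {
    awk '
    $1 ~ /^\/dev\// {
        code = $2
        if (code == "No")       verdict = "no-sed"
        else if (code ~ /[12]/) verdict = "opal"
        else if (code == "E")   verdict = "enterprise-only"
        else                    verdict = "unknown-code"
        print $1, verdict
    }'
}

# opal_disks (hypothetical helper): prints only the devices that report OPAL.
opal_disks() {
    classify_scan | awk '$2 == "opal" { print $1 }'
}

# Run against the sample; on the NAS use: sedutil-cli --scan | classify_scan
printf '%s\n' "$SAMPLE_SCAN" | classify_scan
```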
Now at every restart you will have to unlock the volume :)
To be tested :)