Disk Encryption for a Linux File Server Used by Multiple Devices

Question

I have a Linux server that uses Samba to share a 2TB NTFS drive (which was formerly in an old Windows server) on my home network.

It acts as a file server, and the files are accessed by three home PCs (Linux, Windows 10, and Windows 11) as well as my Android phone.

Some of the data is sensitive, and I would like to encrypt a large portion of the drive in case my home is broken into and the server is stolen.

Is this even possible? If so, where should I start? If not, would it be possible with another OS?

Answer 1

Yes, this is possible. It will require backing up all the data on the drive, re-partitioning and reformatting it, and then restoring the data.

Doing this is a good idea anyway even without encryption because NTFS is not a native linux filesystem and support for it is not great - "barely adequate, mostly works" would be a reasonable summary. If you don't need to directly use the drive with Windows & Linux systems (e.g. Dual Booting, or an external USB drive that is swapped between systems), then don't use NTFS on Linux. i.e. if you're sharing the drive over the network with the Linux machine acting as the file server (e.g. with Samba or NFS) then use a native Linux filesystem.

As for "where to start", the two obvious choices are block-level encryption (e.g. LUKS) which encrypts entire disks or partitions, or filesystem-level encryption (e.g. ZFS - quick-start guide to ZFS encryption) which encrypts as much or as little of the filesystem as you want.

With LUKS, you will need to partition the drive, optionally use LVM as well to create and manage volume groups (VGs) and logical volumes (LVs), configure LUKS for the partition(s) or LVs you want to encrypt, and then format those encrypted partitions with a filesystem, e.g. ext4. You will need to decide in advance how much space you want to allocate to each partition (e.g. encrypted and un-encrypted partitions).

With ZFS, you create a pool using one or more partitions or drives, then create datasets as you need them - a dataset is kind of like a separate mounted filesystem that uses the space available in the pool. By default it can use any amount of the pool so you don't need to decide in advance how much to allocate to each purpose, but quotas and reservations can be set to limit that (and can be changed at any time without repartitioning or reformatting).

The advantage of datasets over directories is that they can each have their own properties, like compression, encryption, record size, etc (e.g. you might want to disable compression on pre-compressed data like video or audio files, or use a recordsize tuned for a database like mysql or postgresql. See man zfsprops for details, including details about encryption properties...BTW, you will see mention of a dedup property. Sounds amazingly useful, but ignore it. It requires far too much RAM to be worth it in any but very specialised use-cases).

The disadvantage is that, like any other separately mounted filesystem, mv-ing a file to another dataset or fs is not a quick rename, it's a a copy-and-delete operation.

Other than that, a dataset works like any other directory. And any individual dataset can be optionally encrypted.

Note that if you use only a single drive or partition with ZFS, it will still be able to detect errors but won't be able to correct them automatically. All other features of ZFS (including transparent compression, snapshots, etc) will still be available. ZFS is easier to set up and administer than LUKS and provides many more features.

Actually, you can get redundancy with the copies=1|2|3 dataset property but at cost of a lot of your storage space (so best to use it only sparingly for small amounts of very important data) and while copies= can correct errors due to bit-rot or read errors, i.e. random file corruption, it won't help if the drive dies. Also worth noting: if you use encryption on a dataset, you can only use copies=1 (the default) or copies=2. And, as always, RAID and raid-like filesystems such as ZFS are not a substitute for regular backups.

---

One of the reasons I mention both ZFS and ext4 here is that both of them support case-insensitive filenames for some or all of the filesystem, which is useful if you need to share files with both Linux and Windows.

For ext4, you can enable "case folding" on a directory with chattr +F directory/.

For ZFS, you can enable case-insensitivity on a dataset with zfs set casesensitivity=insensitive pool/dataset (I use this on the datasets I created for my Steam + Proton games because windows game devs aren't always consistent with upper and lower case in filenames because it doesn't matter in Windows).

---

BTW, if you configure either LUKS or ZFS to load the encryption key(s) from, say, a USB flash drive then that is likely to be stolen along with the system if you leave it plugged in for convenience. So, get into the habit of only bringing out the key when you reboot, and store it somewhere safe at all other times. Preferably keep several copies of the keys in different secure locations (e.g. with trusted friends or family. or stored securely by your bank or lawyer), because if you lose that key, you lose all the encrypted data.

Or just use an easily-remembered passphrase that you type in at boot. Store a written copy in a safe or something in case you forget it.

Answer 2

In addition to the answer from cas, if you want to store encrypted and not-encrypted files on your 2TB drive, you can consider using eCryptfs to encrypt one or more directories.

Once you will have created the encrypted directory, you will be able to share the whole drive with Samba, and add another Samba share for the decrypted directory so that the other systems can add files. You'll have to connect to your server and enter the passphrase after every reboot. I never tried to store the passphrase on another storage as suggested at the end of the answer from cas.

See the Arch Wiki for a detailed guide of the setup: https://wiki.archlinux.org/title/ECryptfs#Manual_setup

Answer 3

If the data is particularly sensitive, you may want to consider decrypting it client-side only when you need to access it. This reduces chances of malware copying the data.

VeraCrypt can store an encrypted filesystem in a file, which you can put on an SMB share. But it can only be mounted on one system at a time.

An alternative is to setup eCryptfs on the server and share the decrypted data over SMB. But if it is always mounted, the end result is similar to an encrypted volume - safe against physical attack, but no protection against software attacks. A better alternative would be to use e.g. SSH to open the encrypted volume only when required.

Answer 4

I have a Linux server that uses Samba to share...

ok, if you said I have a Windows server than pffft...

a 2TB NTFS drive (which was formerly in an old Windows server)

bad; reformat that disk from NTFS (or a new one) to either XFS or EXT4 and use LUKS encryption on it. Using ntfs-3g in Linux to access the windows proprietary ntfs file system while I give the ntfs-3g developers credit for making it work as well as it does it's not a good idea for data reliability, nor will you be able to do partition encryption with LUKS2 and there are shortcomings and problems in the long run.

It acts as a file server, and the files are accessed by three home PCs (Linux, Windows 10, and Windows 11) as well as my Android phone. Some of the data is sensitive, and I would like to encrypt... Is this even possible? If so, where should I start? If not, would it be possible with another OS?

my recommendation (because I do this with Redhat) is use Rocky Linux the free version of redhat everything is basically the same. You didn't mention which Linux OS you're using now but this should also apply: in doing a clean install from an iso Rocky-9.6-x86_64-dvd.iso (or later version) https://rockylinux.org/download you would do this partition scheme it can be this simple:

/boot         1gb   XFS   no encryption
/boot/efi   100mb   FAT   no encryption
/            max    XFS   encrypted

It will prompt you for an encryption passphrase that you will enter each time the computer boots to unlock the encrypted root partition; so all data that matters is encrpyted; if you wish to have like a /data1 folder purposely not encrypted and an /data2 folder that is encrypted with / not encrypted you can easily do that too - I won't elaborate on the pro's/con's of that.

But simply having all of / encrypted then samba sharing out any folder under root such as /home/ or /data is then trivial and is simply specified in /etc/samba/smb.conf. Or in /etc/exports.

in case my home is broken into and the server is stolen

you can set this up with the encryption passphrase stored on a usb disk or other means to alleviate you from typing the encryption passphrase whenever the disk is booted but then I would then just steal that usb stick along with your pc (because you'll leave it plugged in or near the pc) and all your encryption efforts are for nought. so the simplest/easiest is to just an {easy} passphrase which protects the accessing of the / partition all the time which contains the data to where there's never a worry about theft/access of sensitive data.

how you then share that out on your network (wifi?) is another matter - set up smb.conf and/or /etc/exports properly.

I don't know the command line commands for LUKS2 to manually encrypt a partition after Linux has been installed, but that should be easily searchable on the web. So you could go buy an economical second disk, mount it, format it with a Linux partition such as XFS or EXT4, then manually encrypt it, then copy your data off your old ntfs [mounted] disk to this new encrpyted disk... then reformat the ntfs disk as XFS, encrypt that and mount that as /backup for example.