I've recently built myself a new NAS box based on PC hardware (VIA C7-D) with a 220W power supply. Now I wanted to see how much power this thing actually consumes. For the measurement I bought a Voltcraft Plus ENERGY MONITOR 3000.
The measurements for now are:
~332kWh/year while the thing is idle
~376kWh/year during normal operation (ethernet + disks)
If you take 20 cent per kWh you pay about 75 Euro a year for powering this thing.
I don't know why there is no official dm_crypt/cryptsetup support on OpenWrt because if you search the web you will find many people trying to run cryptsetup on OpenWrt. Here is how I made it work (packages to download in the middle of this post).
Getting cryptsetup (the userspace part of dm_crypt) to work on OpenWrt requires a whole bunch of tools and libraries: libuuid (part of e2fsprogs), libpopt, gettext, and libdevmapper (part of lvm2). After one has built all those tools and libs, cryptsetup builds nicely and just works. Every time you run cryptsetup you will get a warning about the missing udevsettle binary, but this is not a problem; it works anyway. To save you from the hassle of getting cryptsetup to work all by yourself you can download the packages that are not part of OpenWrt from me here: dmcrypt-tools-openwrt.tgz (contains cryptsetup, lvm2, popt and gettext). I know gettext is available in some OpenWrt branches but not in trunk. Just unpack the archive in your OpenWrt package directory, run make menuconfig and select cryptsetup before building it by running make.
Now it would be nice to get cryptsetup into the OpenWrt SVN so that it will just be there in the future.
Why would I run cryptsetup on OpenWrt? Over the weekend I decided that I don't want to run a full blown Linux distribution on my NAS/backup box and rather run a small system. I chose OpenWrt because I'm familiar with it since I spent quite some time hacking on my NAS-4220b before deciding to go x86 for my NAS project.
Yesterday the parts for my new NAS/backup box arrived. As you can see I've stopped looking for an off-the-shelf (embedded) NAS box and decided to build one based on standard PC components.
This is mainly because of crypto acceleration, which is not easy to find in embedded NAS boxes. Also many embedded NAS boxes such as the NAS-4220B from RaidSonic (based on the gemini design by storelink) or the devices based on the Orion design have crypto acceleration hardware but lack driver support. The gemini crypto driver is designed for ipsec and works with loop-AES, but has no dm_crypt support. The orion kernels don't have crypto support at all.
Back to my new NAS box. I chose a VIA C7-based board since it supports PadLock. PadLock is supported on Linux and FreeBSD (and possibly other OSes).
Hardware list:
VIA EPIA-VB7002G (mini-itx.de) 64,- Euro
Morex Venus 669B Case (mini-itx.de) 86,- Euro
1GB Ram 11,- Euro

The total price of 161 Euro is really good for a small home NAS without disks. In this configuration it can hold two SATA disks (and two PATA disks). If you want four SATA disks you will need to buy a PCIe SATA controller (costs between 20-30 Euros). The only drawback is that the device only has 100Mbit Ethernet. Mini-itx boards with Gbit Ethernet cost about double the price (about 120 Euros).
Software-wise I will just install a minimal Ubuntu server to a USB flash disk that will serve as the system disk. This is so it can spin down the storage disks while this thing is idle.
About power consumption: the case has a 220W power supply that will, of course, eat more energy than an embedded box, but this is the price you have to pay I guess. Also I guess you can find mini-itx cases that have smaller power supplies (tips are welcome).
I already assembled a list of hardware I'm going to buy this year. Of course the list is not complete :-) I'd really like to get hints for all hardware on my list, thanks!

1) NAS Box (or multiple)
I bought a NAS-4220 in March last year. I wanted to run it as a backup device with raid-1 and crypto. But it turned out that not all of the required software works well enough to be used for backup (an unstable backup system is useless in my opinion). So I'm going to sell it (the actual hardware and default software works just fine). So I'm looking for a nice NAS box that runs Linux (or can be made to run Linux). The devices based on the Orion SoC look nice. See here. Unfortunately the crypto acceleration is not yet supported. Crypto is the thing I really need in hardware as raid-1 works just fine in software on Linux.

2) 802.11n Wifi router that runs OpenWRT
No research done yet besides a brief check on the OpenWRT site. Seems some routers are supported but without supporting the 802.11n part itself.

3) Internet Radio device for the kitchen
I want something that just works, runs Linux, and is hackable. Needs WiFi. Good looking hardware that is not too big.

4) Gaming Computer
Since 2004 I only own laptops (besides my media center/home server). From time to time I think about playing/buying some games but since none of my laptops can handle current games I will go and buy a gaming computer. It will need to cost less than 1K Euro (without screen). I'll probably go for an Intel E8400 with 4GB RAM and an nVidia GTX+ with 512MB. Is this OK for most games this year? I mainly like real-time strategy C&C, WarCraft, StarCraft style games.

5) Android-based mobile phone
I ordered a Kogan Agora Pro in December. I mainly ordered this one because it is really cheap in comparison with the G1. Looking forward to playing with it. It will be interesting to see how the whole android thing goes this year.

6) Media streaming device (something like Apple TV)
I want a device to put audio/video into my living room without the need for a computer (my media center is too noisy after all). I have a Zenega/S100 in my bedroom which is really great but can't play high bit rate content.
Over the last weekend I finally managed to set up my RaidSonic NAS-4220B. Now it runs OpenWRT ported by this guy. I only added a few kernel options (cryptoloop, md, and raid1) and added the mdadm utility (raid config utility). You probably ask why I use cryptoloop and not dm_crypt. The box has hardware acceleration for AES but this is only implemented for IPSEC and LOOPAES. So now I run LOOPAES on top of RAID1. The performance is not very good but this is due to my tests using scp to copy files to and from the NAS. I only get 1.1MB/s. CPU is maxed out on the NAS while the copy process is running. Since the box will be doing automated backups over a DSL line this is fast enough (faster than the downstream of the DSL line).
Some notes: I have two 500GB disks in the box. When I tried to create an ext2 file system on the disk I got an out of memory error from mke2fs. This is due to the fact that the NAS-4220 really runs low on memory (10M free). The easiest fix was to hook up a USB disk and use that for swap space just until the file system is created :-)
I'm not completely done yet with the setup, let's see what other surprises there are for me.
Another bug I found in the software of the NAS-4220-B is that you can use telnet to log in to the NAS-4220-B as root without being asked for a password. This is possible right after boot of the device. The problem seems to originate from the fact that the software puts together the filesystem in RAM during boot. The actual bug is that telnetd is started before /etc/passwd is populated with a root account that has a password set.
[1] raidsonic nas4220 disk crypt key leak
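A boot-time gate for the ordering problem described above, as an added example (not code from the NAS firmware or from the original post): it reads passwd(5)/shadow(5) text and allows a login daemon to start only once root has a password hash or is locked. The function names and the sample entries are assumptions constructed for this example.

```python
# Added example (not firmware code): decide whether a remote-login daemon may
# start, based on the state of root's password in passwd(5)/shadow(5) text.

def password_field(passwd_text, shadow_text, user="root"):
    """Return the effective password field for user, or None if no entry exists."""
    field = None
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7 and parts[0] == user:
            field = parts[1]
    if field == "x":                      # "x" defers to the shadow file
        field = None
        for line in shadow_text.splitlines():
            parts = line.split(":")
            if len(parts) >= 2 and parts[0] == user:
                field = parts[1]
    return field

def root_password_state(passwd_text, shadow_text=""):
    field = password_field(passwd_text, shadow_text)
    if field is None:
        return "missing"                  # account files not populated yet
    if field == "":
        return "empty"                    # login succeeds without a password
    if field[0] in "!*":
        return "locked"                   # password login disabled
    return "set"

def may_start_login_daemon(passwd_text, shadow_text=""):
    # Fail closed: start only once root has a hash or is locked.
    return root_password_state(passwd_text, shadow_text) in ("set", "locked")

# Constructed samples: early boot, half-populated, and final state.
EARLY_BOOT = ""
HALF_POPULATED = "root::0:0:root:/root:/bin/sh\n"
FINAL = "root:x:0:0:root:/root:/bin/sh\n"
FINAL_SHADOW = "root:$1$constructed$notarealhash:13948:0:99999:7:::\n"

if __name__ == "__main__":
    for label, pw, sh in [("early", EARLY_BOOT, ""), ("half", HALF_POPULATED, ""),
                          ("final", FINAL, FINAL_SHADOW)]:
        print(label, root_password_state(pw, sh), may_start_login_daemon(pw, sh))
```

An init script would call such a check in a loop, or simply be ordered after the step that writes the account files, before launching telnetd.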
Found while playing with my NAS-4220-B last Sunday. RaidSonic didn't answer my emails so here you go.
--- BEGIN ADVISORY ---

Manufacturer: RaidSonic (www.raidsonic.de)
Device: NAS-4220-B
Firmware: 2.6.0-n(2007-10-11)
Device Type: end user grade NAS box
OS: Linux 2.6.15
Architecture: ARM
Designed by: Storm Semiconductor Inc (www.storlinksemi.com)

Problem: Hard disk encryption key stored in plain on unencrypted partition.

Time line:
    Found: 09. March 2008
    Reported: 09. March 2008
    Disclosed: 16. March 2008

Summary:
The NAS-4220-B offers disk encryption through its web interface. The key used for encrypting the disk(s) is stored on an unencrypted partition. Therefore one can extract the encryption key by removing the disk from the NAS and reading the value from the unencrypted partition. The key itself is stored in a file in plain (base64 encoded). Therefore the NAS-4220 crypt disk support can not be considered secure.

Details:
The NAS-4220-B can hold two SATA disks. Disks are encrypted through a loop back device using AES128. The problem came to my attention when I could access the NAS after reboot without supplying the hard disk key. The key is stored in /system/.crypt; "/system" is a small configuration partition on the same disk that holds the encrypted partition. The system partition is created by the system software running on the NAS-4220. The configuration partition of the second hard disk is not mounted by default but also contains the .crypt file holding the key for the encrypted partition on the same disk.

Accessing the key (key value is the example I used):

    $ cat /system/.crypt
    MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=

    key in plain            key in base64
    12345678901234567890    MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=

Base64 decode:

    #!/usr/bin/python
    from base64 import b64decode
    # Decode the stored value back to the plain key
    print(b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=").decode())

Reported by: Collin Mulliner

--- END ADVISORY ---
raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt
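An audit for the storage pattern the advisory describes, as an added example (not part of the advisory or of the NAS firmware): it walks a mounted, unencrypted configuration partition and flags small files whose whole content is base64 that decodes to printable text, the way /system/.crypt does. The function names, the size limit and the sample directory are assumptions constructed for this example; only the decoded length is reported, never the value.

```python
import base64
import binascii
import os
import string
import tempfile

# Printable ASCII without control whitespace: what a typed passphrase looks like.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def decode_if_base64_text(raw):
    """Return decoded bytes if raw is a single base64 token of printable text."""
    token = raw.strip()
    if len(token) < 8 or len(token) % 4:
        return None
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded and all(b in PRINTABLE for b in decoded) else None

def find_plaintext_keys(root, max_size=4096):
    """List (relative path, decoded length) for files that look like stored keys."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_size:
                continue
            with open(path, "rb") as fh:
                decoded = decode_if_base64_text(fh.read())
            if decoded is not None:
                findings.append((os.path.relpath(path, root), len(decoded)))
    return sorted(findings)

def build_constructed_sample():
    """Constructed stand-in for a mounted /system partition (not real device data)."""
    root = tempfile.mkdtemp(prefix="system-")
    samples = {
        ".crypt": b"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=\n",   # example value from the advisory
        "hostname": b"nas4220\n",                      # too short to be a key
        "fstab": b"/dev/sda1 /system ext2 defaults 0 0\n",
        "blob": base64.b64encode(bytes(range(16))),    # base64, but binary inside
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for path, length in find_plaintext_keys(build_constructed_sample()):
        print(f"{path}: base64 of {length} printable bytes stored in the clear")
```

A hit on a partition that sits next to an encrypted volume means the volume's protection depends on a file anyone holding the disk can read.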