From the day I started using my first laptop, I became a one-computer-only guy.
All data worth keeping was stored on that laptop (and the ones that followed).

I didn’t like the idea of spreading my data over multiple machines like a home computer, an office computer and of course the laptop.
Having your data on only one machine makes backups simple, you always have your data with you, and you never lose control over your data as long as you keep your laptop nearby.

Well, I did diverge a bit from that philosophy and started using Dropbox to share files with colleagues and friends.

There is of course one problem with using only a laptop to store your data: you are pretty limited in your storage size.

I currently have a Retina MacBook Pro with a 512GB SSD drive that I use for my private data (gigabytes of photos and music) and professional development work, and I also have multiple virtual machines for testing and developing our software with different operating systems. So I usually keep on that MacBook only data that I cannot easily reproduce, and happily delete everything else.

Home NAS

Anyhow, I need more storage space and decided to get myself a home NAS system. But that means that I will now have another system that I don’t always have with me, one that might get stolen or be accessed by someone else while I’m not around.

So I need a system that securely encrypts all data at rest, which I can trust to contain no backdoors, and for which security vulnerabilities are published and fixed in a timely manner.

Because of the recent NSA revelations and news like “Backdoor found in Linksys, Netgear Routers” and “Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys”, I don’t trust commercial closed source NAS solutions and went the DIY open source route.

I’d normally only run Linux on my servers, but in this case I’m going to opt for FreeBSD for three reasons:

  • Being able to use ZFS as the storage system. While in the Linux world we have Btrfs, it’s not yet considered stable (a coworker of mine experienced data loss first hand). There is also ZFS on Linux, but I’m not sure how stable it is and ZFS on FreeBSD is part of the OS.
  • I like the FreeBSD philosophy of developing the whole base operating system in tandem with the kernel.
  • I have never used FreeBSD before (aside from OS X) and would like to take the opportunity to get more familiar with it.

Hardware

After doing some research I found the HP ProLiant MicroServer line of servers. They are well-built, really inexpensive little machines.

I opted for the slightly older HP ProLiant MicroServer G7 N54L with 2GB ECC RAM - upgradeable to 16GB. The MicroServer came with a Seagate Barracuda 7200.12 250GB drive and three additional drive slots.

While it doesn’t have any hardware encryption accelerators (which might have their own problems), it’s a nice and very cheap machine.

I’m getting started with a four-disk setup, which I can later expand to a six-disk setup by installing:

The four-disk setup looks like this:

  • MicroServer Bay 1: Operating System - 3.5” 250GB 7200RPM HDD
  • MicroServer Bay 2: Operating System - 2.5” 200GB 7200RPM HDD
  • MicroServer Bay 3: Data - 3.5” 4TB NAS HDD
  • MicroServer Bay 4: Data - 3.5” 4TB NAS HDD

I already had the 2.5” 200GB drive lying around and wanted to reuse it, so I printed a custom 2.5” to 3.5” adapter on our Printrbot. Don’t bother buying a 2.5” to 3.5” mounting frame as it won’t position the 2.5” disk to fit the connector of the drive bay in the MicroServer.

For the 4TB disks, the Seagate ST4000VN000 and WD Red series both seem like good choices.

In case of running low on storage, I’d move the two smaller OS disks to the 5.25” bay and install an additional PCIe SATA card as well as two more 4TB drives.

While the MicroServer could on its own support six drives by using a hacked BIOS, I prefer not to go that way. I want to be able to use the latest original HP BIOS and not have any unexpected problems due to running unsupported code.

So the six-disk setup would look like this:

  • 5.25” Bay Extension Slot A: Operating System - 3.5” 250GB 7200RPM HDD
  • 5.25” Bay Extension Slot B: Operating System - 2.5” 200GB 7200RPM HDD
  • MicroServer Bay 1: Data - 3.5” 4TB NAS HDD
  • MicroServer Bay 2: Data - 3.5” 4TB NAS HDD
  • MicroServer Bay 3: Data - 3.5” 4TB NAS HDD
  • MicroServer Bay 4: Data - 3.5” 4TB NAS HDD

The first thing I’m probably gonna upgrade later is the RAM. Officially the MicroServer N54L only supports 8GB of ECC RAM, but others seem to have no problems with running 16GB ECC as well.

A short word about ECC RAM: while non-ECC RAM would be cheaper and is also supported, don’t use it if you are running ZFS or you might lose your data!

I also bought four different USB sticks from three different brands that will store the bootloader, kernel and keyfiles, but more about that later. The smallest sticks I could get were 8GB, but much smaller ones would have been OK too.

Setup

It’s All About the Software, Baby!

Let’s finally talk about the setup, but first I’d like to note the blog posts that I based this guide on:

I’m probably going to mention the HP ProLiant MicroServer a few times, and some small details might be specific to my setup, but in general this guide should work on most machines.

I’m aware that there are solutions like FreeNAS or Nas4Free, but I prefer setting things up myself and having the latest FreeBSD version.

The Plan

The plan is to have two zpools:

  • zroot for the FreeBSD OS installation on the two smaller disks
  • zdata, the pool I will use for storing my data (the whole reason I’m doing this setup)

Both zroot and zdata will be encrypted using 256-bit AES-XTS with GELI.
There will be no unencrypted data anywhere in the server, but we will create an unencrypted USB stick that contains /boot and the keyfiles that will be part of the passphrase to unlock the encrypted partitions.

The idea is that we create two-factor authentication: something you know and something you have.

If you want to boot the server and decrypt the disk contents, you have to know your passphrase, as well as have the USB stick.

Without the USB stick or the passphrase, the disks cannot be decrypted. Because of that we will later create multiple backups of the USB stick, so if one gets broken, we have a backup.

Of course you now have the problem of securely storing the USB sticks. But even if an attacker steals the USB stick from you, or you forget to remove it after booting, the server is still protected by the passphrase.
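As an added illustration (not part of the original post, and not GELI's own code or on-disk format), here is a simplified Python model of why both factors are needed and why a copied stick still works. It assumes the passphrase is stretched with PBKDF2 and mixed with the keyfile bytes via HMAC-SHA512; the function names, iteration count and sample values are made up for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative PBKDF2 cost, not a GELI default


def derive_user_key(keyfile: bytes, passphrase: str, salt: bytes) -> bytes:
    """Mix both factors into one 64-byte key (simplified model)."""
    stretched = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, ITERATIONS)
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    mac.update(keyfile)    # something you have: bytes stored on the USB stick
    mac.update(stretched)  # something you know: the stretched passphrase
    return mac.digest()


def seal(keyfile: bytes, passphrase: str) -> dict:
    """Create metadata that lets unlock() recognise the right key."""
    salt = os.urandom(64)
    user_key = derive_user_key(keyfile, passphrase, salt)
    verifier = hmac.new(user_key, b"verify", hashlib.sha512).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(meta: dict, keyfile: bytes, passphrase: str) -> bool:
    """Return True only if keyfile and passphrase both match."""
    user_key = derive_user_key(keyfile, passphrase, meta["salt"])
    candidate = hmac.new(user_key, b"verify", hashlib.sha512).digest()
    return hmac.compare_digest(candidate, meta["verifier"])


# Constructed sample values for the demonstration
KEYFILE = os.urandom(4096)
PASSPHRASE = "correct horse battery staple"
META = seal(KEYFILE, PASSPHRASE)

if __name__ == "__main__":
    print("both factors:", unlock(META, KEYFILE, PASSPHRASE))
    print("stolen stick, wrong passphrase:", unlock(META, KEYFILE, "letmein"))
    print("passphrase, no stick:", unlock(META, b"", PASSPHRASE))
    print("backup copy of stick:", unlock(META, bytes(KEYFILE), PASSPHRASE))
```

Once the stick is in someone else's hands, the remaining protection is only as strong as the passphrase, which is why the stretching step matters.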

The alternative would be to create a bootable partition on the OS disks and only protect the server with a passphrase. In that case you can just use the standard FreeBSD 10 installer and the automatic ZFS partitioning guide.

So what will the disk layout look like?

I’ll use the two smaller drives in a mirrored configuration for zroot and the two 4TB drives, also in a mirrored configuration, for zdata.
Here is a very good writeup on why it might be a better idea to use zmirror than zraid.

To find out more about the FreeBSD boot process on ZFS, have a look at:

How FreeBSD Boots on ZFS

Part 2

You will be able to find the actual install process in part two of this blog post.