Disk encryption support?

I plan on using an external SSD for storing data on there.

The WebUI weirdly tries to move all data there, instead of just formatting and mounting it.

This means that there is no easy option to boot the device, ssh / login to it and then mount a LUKS2 encrypted drive manually.

Is there any support for encrypted drives?

This would be my only unencrypted drive in the house, and storing like all media there sounds pretty scary.

Workarounds

I think Nextcloud could be used, with different user accounts? Does this encrypt locally?

It would be overhead over a simple SMB or other file share.

Also there is an advanced fileshare option.

Problem

I use 1 antenna (wifi 1) and nobody gets access to the normal network, all are in guest.

If you have access to the main net, this is the barrier, additional encryption is not needed.

So I would really just want local disk encryption, otherwise for example having the router in a shared flat and going on vacation wouldn't be safe. Or the classic police raid.

Don’t use the WebUI, create the LUKS container and format manually using the CLI.
You also need to enable the “Encrypted Storage” package in reForis.

Content of /etc/config/storage:

config srv 'srv'
    option raid 'custom'
    option uuid '...'

You will have to manually unlock and mount the drive after each reboot however.

So I would really just want local disk encryption, otherwise for example having the router in a shared flat and going on vacation wouldn't be safe. Or the classic police raid.

Nothing will protect you from this if the router is running with the disk decrypted while you’re absent.

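The manual unlock-and-mount step from the answer above, sketched as an added example (not part of the original posts and not Turris code). The device path `/dev/sda1`, the mapper name `srv_crypt` and the mount point `/srv` are assumptions; the status check refuses to report success unless the mount point is really backed by the opened LUKS mapping.

```shell
#!/bin/sh
# Added example: unlock a LUKS2 container by hand after a reboot and mount it.
# Assumed values (not from the thread): device path, mapper name, mount point.
DEV="${DEV:-/dev/sda1}"            # assumed partition holding the LUKS2 container
NAME="${NAME:-srv_crypt}"          # hypothetical device-mapper name
MNT="${MNT:-/srv}"                 # assumed mount point for the data drive
MOUNTS="${MOUNTS:-/proc/mounts}"   # overridable so the check can run offline

# Succeeds only if the last mount on $MNT comes from /dev/mapper/$NAME.
# Guards against services writing to an unencrypted filesystem by mistake.
mounted_from_mapper() {
    awk -v dev="/dev/mapper/$NAME" -v mnt="$MNT" \
        '$2 == mnt { src = $1 } END { exit !(src == dev) }' "$MOUNTS"
}

# Opens the container (cryptsetup prompts for the passphrase on the terminal,
# so nothing secret is stored on the router) and mounts it.
unlock_and_mount() {
    cryptsetup isLuks "$DEV" || { echo "$DEV is not a LUKS container" >&2; return 1; }
    [ -e "/dev/mapper/$NAME" ] || cryptsetup open --type luks2 "$DEV" "$NAME" || return 1
    mounted_from_mapper || mount "/dev/mapper/$NAME" "$MNT" || return 1
    mounted_from_mapper
}

# Unmounts and closes the mapping, which removes the volume key from the kernel.
lock_storage() {
    umount "$MNT" && cryptsetup close "$NAME"
}

case "${1:-}" in
    unlock) unlock_and_mount ;;
    lock)   lock_storage ;;
    status) if mounted_from_mapper; then echo "encrypted storage mounted on $MNT"
            else echo "encrypted storage NOT mounted on $MNT"; fi ;;
esac
```

Calling it with `lock` before leaving the router unattended closes the container, so the data is at rest even while the device stays powered on.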

Thanks! I will do that.

The encryption key is in RAM.

SATA is standard; reading keys from a random SoC is not. So the protection really is that they would need people with specialized hardware that extract the key while the device is running.

Pulling the device out would wipe RAM and encrypt the disk.
