usb key for encrypted zfs hdd
-
@nollipfsense where did you see that he used a secured USB key. In step 3 he creates a key file, in step 4 he finds the USB with lsblk, and in step 5 copies the key file in the USB. After that he creates the script that searches for the USB on boot. After that the USB is not referred at all. So I don't think that he uses a secure USB, just a simple USB key.
Also about reporting back I might or I might not. After all my scenario does not have a valid use case and is not making sense.
Anyway thanks for the answers
-
@ovidius said in usb key for encrypted zfs hdd:
After all my scenario does not have a valid use case
Preventing a vpn connection by keeping the pfsense from booting because the hdd is encrypted an needs a password to boot is the crazies solution to a very simple problem that is for sure.
If you don't want site B to connect to site A via vpn - then just deny it at site A with a click..
But you have fun..
-
@johnpoz man you just continue. Have you even read the big post I sent with the requirements? I can't deny it from HQ. I have to have communication lines always open. The cutting off must be done by the user on point B and the machine has to be made unusable. So instead of be stubborn and just ridiculing someone you don't know try to be helpful and give an answer along the requirements given. If you can't offer anything at least don't sabotage the conversation with unneeded comments like this one. Unfortunately some of us have requirements on how to do some things that don't coincide with the common wisdom or common practice. So we need something out of the box. If you have something to offer it will be welcomed. Otherwise please don't prevent someone with an idea to help by posting only your opinions that what we are doing is wrong. Thank you
-
Is the encryption actually necessary here or are you simply using that prevent it booting without the key?
You could otherwise do something like set the machine to only boot from USB and then have a bootloader on the USB drive that references the main drive.
-
@stephenw10 the requirement is not to just prevent the boot without the key. The requirement is the device to be made totally unusable if stolen or lost. If I use the solution you are proposing even if the system will not boot without the key, the disk will be readable so I don't cover the second requirement.
Beyond that I think that the proposed solution is more complicated to implement at least for me. To have the bootloader in a usb means I have to do a custom install. If I just encrypt the disk its just a normal install just ticking options during installation process. Aso if I have the disk encrypted and the key just copied to a USB stick if the key for some reason is lost I can send in another secure way just the key file and the end user can copy it to USB that he/she can buy or find anywhere and use it(that is just an example). When I saw the article I sent I thought that a similar process would not be so much more difficult in FreeBSD than in Linux. It seems it's not.
-
@ovidius said in usb key for encrypted zfs hdd:
where did you see that he used a secured USB key.
By showing this he implies it as an option.
@ovidius said in usb key for encrypted zfs hdd:
Also about reporting back I might or I might not. After all my scenario does not have a valid use case and is not making sense.
That's just how forum works and it not intended to discourage but more to dare you to do it...please do!
-
@nollipfsense said in usb key for encrypted zfs hdd:
That's just how forum works
Exactly -- I see no possible reason why anyone would do such a thing. I see no valid use case for it, I have no desire to help anyone go down such a path to be honest.
But you have fun, and for sure report back on it - I like a Rube Goldberg solution to stuff.. How can I complicate this beyond comprehension for what could be done with a click.. And take someone literately 5 seconds to accomplish.. But hey lets turn it into a thing that could take my network down because the power went out and nobody there that knows the password to the router, or the usb with the key on is locked it bobs office and he is on vacation in aruba..
-
Mmm, I agree this problem is usually solved using, for example, certs at the server end.
What you're proposing doesn't seem that unreasonable if the solution must be something at the client end. However I'm not sure anything like that exists in FreeBSD.
I wonder if something similar exists for a BIOS level disk decryption? I expect it probably does.Is it only the VPN connection that must be disabled? For example if you had the required certs stored on a USB drive such that the firewall would boot but could never connect to the VPN without the key, would that suffice?
Steve
-
@stephenw10 seems like a solution to a problem that doesn't exist.
Why would you try and block access at site B to site A, when you can just do it at site A.. My phone analogy of stopping someone from calling you.
I have a company network and I don't want a remote site to be able to login - ie they all got fired or something. Why would the solution be reboot and the device at that site and prevent it from booting?
Clearly there most be something lost in translation or something - that solution makes no sense to me..
If I don't want site B to vpn in, or I don't want user Z to login - then site A I just don't let them login.. Change their login, disable their cert, block their IP.. There are multiple ways to accomplish it at site A all of which literally take a few seconds to do..
I could see encrypting the drive if your worried about billy taking the box home and getting info he shouldn't have or something.. But to prevent vpn access.. Why would you do it it the remote site, when it can just be done at the home location, ie HQ or the DC location for the company, etc.. Then again if the box was stolen or taken home by someone - just change the info that was on the box, passwords, certs, etc. so they are no longer valid.. I having a hard time for encryption of a firewall hdd in any scenario - there is just nothing on there that warrants the complexity that comes with that, when all that is for is protection of data at rest.. I could see that on you device that could get lost, say a laptop.. That might get left on a train or bus or something and fall into the wrong hands..
For that matter - how the company having access to the remote site, which should be a given in any vpn setup - and the IT at the company just turning it off remotely on the remote site..
This for sure seems like a XY problem to me - someone came up with a solution, and is just unwilling to think it through that hey that is not a good solution to the problem trying to solve. Just tell me how to do it what I asked.
https://xyproblem.info/
The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help. User wants to do X. User doesn't know how to do X, but thinks they can fumble their way to a solution if they can just manage to do Y. User doesn't know how to do Y either. User asks for help with Y. Others try to help user with Y, but are confused because Y seems like a strange problem to want to solve. After much interaction and wasted time, it finally becomes clear that the user really wants help with X, and that Y wasn't even a suitable solution for X. The problem occurs when people get stuck on what they believe is the solution and are unable step back and explain the issue in full.A better question might of been - how do I prevent site B from vpn to site A on moments notice..
-
You still don't or don't want to understand the requirement. I have a company and I want a remote site to be always able to connect to the HQ site unless the remote site and the personnel at the remote site decide that they must stop the connection. If there is such case where the remote site stops the connection for any given reason (probably a physical security one) the personal at site B MUST have the capability to totally make the pfsense box unusable. So the requirement is not for the HQ (site A) to cut the connection (that as pointed so many times is very easy) but to give the site B personel the option to cut the connection securely according the situation and their needs and judgment. So no its not an XY problem. You just perceive it as one. There were a series of requirements given and according those requirements a solution must be found.
So boss set requirements Technician tries to find solution Technician forms a theory on how to resolve requirements Technician needs help on how to make theory practice Technician asks for help in forumSo instead of trying to make the problem fit your solution find a solution for the given problem.
-
@stephenw10 no its not only the VPN connection that has to be disabled but the whole client box. That's why I went with the disk encryption. Even if someone manages to break GELI encryption it will take some time, enough time to make any data he gets (if he gets anything at all) from the disk about my HQ network obsolete as I would have blocked the connection. While searching for a solution I found this which suggests that what I want to do can be done
https://www.truenas.com/community/threads/zfs-encryption-usb-auto-unlock-and-mount-with-pass-phrase-as-i-do-with-gli.96517/.I am trying to implement it but if you read it and have a better idea I am always open to suggestion for a simpler solution
-
@johnpoz I see that you can't comprehend the problem posed so I will give you an example. Let's say that site B are journalists working in a dangerous not very friendly environment and they have to be able to communicate back. They always have to have the capability to talk back. But if they see that it's getting dangerous they need to be able to cut the connection and not give any clues about where they were talking to. So the first step is to encrypt the disks on their laptops and the second step is to encrypt the disk on the machines they use to make the connection. Is that thing clear enough why the remote site B must be the one to cut the connection? Can you understand now that it's not about cutting the connection with site B because of lack of trust with site B but site B cutting the connection in order to help themshelves
-
@ovidius That is completely didn't scenario then what you presented. So its the site B that needs to prevent access that they were talking to site A. Not the company needing to block access.
So we are back to xy problem - you should of presented your problem like that from the get go.
In that scenario than sure encryption of the data at rest on the firewall makes sense. Booting from usb seems like a possible solution to that problem then.. You hide or destroy the usb and all the data is gone.. Doesn't really have to be encrypted if you can make sure it can be destroyed on a moments notice then.
Sounds like buskill would be something of interest, but not aware of it working with freebsd..
-
@johnpoz the problem was presented just like that in the post with the requirements. I quote from my previous post:
@ovidius said in usb key for encrypted zfs hdd:Remote users have to have site to site connection with HQ at any time they need.
Remote users have the authority to sever the connection with HQ and not the HQ with few exceptions that are not important now.
The machines that are used for the site to site connection have to be totally unusable if stolen or lost.
No user has access directly, by ssh or with webconfigurator the pfsense box they carry with them for the connection. They don't have any credentials to so. They just plug it to the power, connect wan to internet and a laptop or a switch to lan. That's it. Nothing else. All other jobs are done with the laptop/s of the user/s
The cost must be kept as low as possibleI think that the requirement is pretty clear and were made clear a few posts back. It's not my fault if you didn't read them or didn't understand them. I believe the second and third requirements can't be clearer.
So we go back it's not an XY problem at least on my side.
Also my question was was clear from the beginning. Can I do the thing I am asking for and if I can how can I do it. But your problem was not the real question but the question you asked on why I want to do it which was totally irrelevant -
@ovidius said in usb key for encrypted zfs hdd:
question you asked on why I want to do it which was totally irrelevant
No the WHY is never irrelevant exactly because the info I presented about xy..
@ovidius said in usb key for encrypted zfs hdd:
So my boss being paranoid asked if the pfsense machines we are using to make that connection can be disabled right away
That scenario has zero do with encryption of hdd and not being able to boot them - disable the connection right away would be done at site A not B..
I understand what your after now and why - I don't have a solution for you, something like the mentioned buskill seems like it would be exactly what your after, but I am not aware of a solution like that for freebsd..
Might be better if you have these people vpn directly from their linux or windows laptop and use something like buskill on the laptop with the destroy option.
-
@johnpoz you are not precise even when directly quoting. My boss asked the machines to be disabled not the connection. Please if you read something read it carefully. It helps avoiding many misunderstandings. Also. The why is totally irrelevant. Why do you need to know why I want to do something. I am asking a very simple question. Can I have USB key in place of a passphrase in an encrypted ZFS disk? The answer is either yes or no. If the answer is yes then the follow up question is how to do it. If the answer is no everything stops. Nothing else. So the why is totally irrelevant.
-
@ovidius If I were you, I would contact the person in that link at Github to see whether he can help you. It is doable, and you may need to uninstall pfSense and use Gpartition to format into the two partitions to proceed as the instruction directed. I have found developers at Github to be very helpful and happy to assist especially on solutions they made public on Github.
Because this forum is a firewall one, please understand that John is giving a "firewall solution."
-
@nollipfsense I am trying to implement it and looking what can I do. As for John the problem is not the firewall answer but the condescending tone and the lack of attention in details. Anyway. If I get a result I will try to report
-
The example on TrueNAS is auto-decrypting the data drives but not the boot drive as see it. So it's probably not directly applicable here.
To do the same with an encrypted boot drive it pretty much has to be in the bootloader I would think.Maybe moving the config file onto USB would suffice? pfSense would still boot but would be useless without the config. Many years ago m0n0wall had that option. It would require some work in current pfSense.
Steve
