usb key for encrypted zfs hdd

johnpoz

@stephenw10 seems like a solution to a problem that doesn't exist.

Why would you try and block access at site B to site A, when you can just do it at site A.. My phone analogy of stopping someone from calling you.

I have a company network and I don't want a remote site to be able to login - ie they all got fired or something. Why would the solution be reboot and the device at that site and prevent it from booting?

Clearly there most be something lost in translation or something - that solution makes no sense to me..

If I don't want site B to vpn in, or I don't want user Z to login - then site A I just don't let them login.. Change their login, disable their cert, block their IP.. There are multiple ways to accomplish it at site A all of which literally take a few seconds to do..

I could see encrypting the drive if your worried about billy taking the box home and getting info he shouldn't have or something.. But to prevent vpn access.. Why would you do it it the remote site, when it can just be done at the home location, ie HQ or the DC location for the company, etc.. Then again if the box was stolen or taken home by someone - just change the info that was on the box, passwords, certs, etc. so they are no longer valid.. I having a hard time for encryption of a firewall hdd in any scenario - there is just nothing on there that warrants the complexity that comes with that, when all that is for is protection of data at rest.. I could see that on you device that could get lost, say a laptop.. That might get left on a train or bus or something and fall into the wrong hands..

For that matter - how the company having access to the remote site, which should be a given in any vpn setup - and the IT at the company just turning it off remotely on the remote site..

This for sure seems like a XY problem to me - someone came up with a solution, and is just unwilling to think it through that hey that is not a good solution to the problem trying to solve. Just tell me how to do it what I asked.

https://xyproblem.info/

The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.

    User wants to do X.
    User doesn't know how to do X, but thinks they can fumble their way to a solution if they can just manage to do Y.
    User doesn't know how to do Y either.
    User asks for help with Y.
    Others try to help user with Y, but are confused because Y seems like a strange problem to want to solve.
    After much interaction and wasted time, it finally becomes clear that the user really wants help with X, and that Y wasn't even a suitable solution for X.

The problem occurs when people get stuck on what they believe is the solution and are unable step back and explain the issue in full.

A better question might of been - how do I prevent site B from vpn to site A on moments notice..

ovidius

You still don't or don't want to understand the requirement. I have a company and I want a remote site to be always able to connect to the HQ site unless the remote site and the personnel at the remote site decide that they must stop the connection. If there is such case where the remote site stops the connection for any given reason (probably a physical security one) the personal at site B MUST have the capability to totally make the pfsense box unusable. So the requirement is not for the HQ (site A) to cut the connection (that as pointed so many times is very easy) but to give the site B personel the option to cut the connection securely according the situation and their needs and judgment. So no its not an XY problem. You just perceive it as one. There were a series of requirements given and according those requirements a solution must be found. So boss set requirements Technician tries to find solution Technician forms a theory on how to resolve requirements Technician needs help on how to make theory practice Technician asks for help in forum

So instead of trying to make the problem fit your solution find a solution for the given problem.

ovidius

@stephenw10 no its not only the VPN connection that has to be disabled but the whole client box. That's why I went with the disk encryption. Even if someone manages to break GELI encryption it will take some time, enough time to make any data he gets (if he gets anything at all) from the disk about my HQ network obsolete as I would have blocked the connection. While searching for a solution I found this which suggests that what I want to do can be done
https://www.truenas.com/community/threads/zfs-encryption-usb-auto-unlock-and-mount-with-pass-phrase-as-i-do-with-gli.96517/.

I am trying to implement it but if you read it and have a better idea I am always open to suggestion for a simpler solution

ovidius

@johnpoz I see that you can't comprehend the problem posed so I will give you an example. Let's say that site B are journalists working in a dangerous not very friendly environment and they have to be able to communicate back. They always have to have the capability to talk back. But if they see that it's getting dangerous they need to be able to cut the connection and not give any clues about where they were talking to. So the first step is to encrypt the disks on their laptops and the second step is to encrypt the disk on the machines they use to make the connection. Is that thing clear enough why the remote site B must be the one to cut the connection? Can you understand now that it's not about cutting the connection with site B because of lack of trust with site B but site B cutting the connection in order to help themshelves

johnpoz

@ovidius That is completely didn't scenario then what you presented. So its the site B that needs to prevent access that they were talking to site A. Not the company needing to block access.

So we are back to xy problem - you should of presented your problem like that from the get go.

In that scenario than sure encryption of the data at rest on the firewall makes sense. Booting from usb seems like a possible solution to that problem then.. You hide or destroy the usb and all the data is gone.. Doesn't really have to be encrypted if you can make sure it can be destroyed on a moments notice then.

Sounds like buskill would be something of interest, but not aware of it working with freebsd..

ovidius

@johnpoz the problem was presented just like that in the post with the requirements. I quote from my previous post:
@ovidius said in usb key for encrypted zfs hdd:

Remote users have to have site to site connection with HQ at any time they need.
Remote users have the authority to sever the connection with HQ and not the HQ with few exceptions that are not important now.
The machines that are used for the site to site connection have to be totally unusable if stolen or lost.
No user has access directly, by ssh or with webconfigurator the pfsense box they carry with them for the connection. They don't have any credentials to so. They just plug it to the power, connect wan to internet and a laptop or a switch to lan. That's it. Nothing else. All other jobs are done with the laptop/s of the user/s
The cost must be kept as low as possible

I think that the requirement is pretty clear and were made clear a few posts back. It's not my fault if you didn't read them or didn't understand them. I believe the second and third requirements can't be clearer.

So we go back it's not an XY problem at least on my side.
Also my question was was clear from the beginning. Can I do the thing I am asking for and if I can how can I do it. But your problem was not the real question but the question you asked on why I want to do it which was totally irrelevant

johnpoz

@ovidius said in usb key for encrypted zfs hdd:

question you asked on why I want to do it which was totally irrelevant

No the WHY is never irrelevant exactly because the info I presented about xy..

@ovidius said in usb key for encrypted zfs hdd:

So my boss being paranoid asked if the pfsense machines we are using to make that connection can be disabled right away

That scenario has zero do with encryption of hdd and not being able to boot them - disable the connection right away would be done at site A not B..

I understand what your after now and why - I don't have a solution for you, something like the mentioned buskill seems like it would be exactly what your after, but I am not aware of a solution like that for freebsd..

Might be better if you have these people vpn directly from their linux or windows laptop and use something like buskill on the laptop with the destroy option.

ovidius

@johnpoz you are not precise even when directly quoting. My boss asked the machines to be disabled not the connection. Please if you read something read it carefully. It helps avoiding many misunderstandings. Also. The why is totally irrelevant. Why do you need to know why I want to do something. I am asking a very simple question. Can I have USB key in place of a passphrase in an encrypted ZFS disk? The answer is either yes or no. If the answer is yes then the follow up question is how to do it. If the answer is no everything stops. Nothing else. So the why is totally irrelevant.

NollipfSense

@ovidius If I were you, I would contact the person in that link at Github to see whether he can help you. It is doable, and you may need to uninstall pfSense and use Gpartition to format into the two partitions to proceed as the instruction directed. I have found developers at Github to be very helpful and happy to assist especially on solutions they made public on Github.

Because this forum is a firewall one, please understand that John is giving a "firewall solution."

ovidius

@nollipfsense I am trying to implement it and looking what can I do. As for John the problem is not the firewall answer but the condescending tone and the lack of attention in details. Anyway. If I get a result I will try to report

stephenw10

The example on TrueNAS is auto-decrypting the data drives but not the boot drive as see it. So it's probably not directly applicable here.
To do the same with an encrypted boot drive it pretty much has to be in the bootloader I would think.

Maybe moving the config file onto USB would suffice? pfSense would still boot but would be useless without the config. Many years ago m0n0wall had that option. It would require some work in current pfSense.

Steve