Drive Encryption
- 
 To me the biggest reason for whole-disk encryption (other than portable, thievable, misplaceable devices like laptops, tablets, and phones) is so you can dispose of the drives without having to wipe them first. That's why I use ZFS encryption on my NAS. WDE on the firewall seems like a solution in search of a problem. 
- 
 "WDE on the firewall seems like a solution in search of a problem." Well said… And agreed.. I am curious if any major players support it though.. Have never looked into it.. Since I have never had to worry about physical security of such devices. They are either locked in an IDF/MDF at some remote location or in a DC, normally with over-the-top physical biometric access only, etc. Then even in that DC in a locked rack, and sometimes a cage with different locks, etc. The firewall is normally never just sitting on someone's desk in an open cube ;) So now that your concerns about certs are removed from this non-physically-secure firewall - what else is on the device that you're concerned with that you would desire WDE and all the pains that come with that? 
- 
 "The firewall is normally never just sitting on someone's desk in an open cube ;)" That's where it was in an office I used to work in. However, there wasn't much option. The office was a single room in a building where offices and even just mail boxes were rented out to small companies. Unlike most of the other tenants, we had our own Internet access, connected to an Adtran router/switch. There were only 2 people working there, me and the sales guy. 
- 
 @Gil: "Is it possible to have an encrypted drive to prevent someone from removing the SD card and reading it directly?" Well, Mr. Obvious here says: if security is a concern, PHYSICAL SECURITY, the FW box in a controlled access location, to begin with. 
- 
 Rule #1 of security: If you don't have physical security you don't have shit ;) 
- 
 "If you're worried about the user certs, do not store them on the appliance after they have been created. Same goes for the CA.. You can store the private key of the CA off.. It is only needed to create new certs from that CA.. So that sort of stuff can be removed if you're worried about someone getting that off the firewall." I cannot remove all sensitive data. 
 A router setup with an OpenVPN client will require a combination of:
 CA.cert, a VPN.cert and VPN.key, plus (possibly) a tls-auth.key, user name and password.
 Certainly no need to store the CA.key - I keep a separate system for key generation anyway.
 Revoking certificates is an answer to a compromised router - once you have identified the compromise. I don't disagree with the comments made, but can you always guarantee that all of your client devices are physically secured? 
 Inherent to my situation; I cannot. Just looking for possibilities that may exist past my current knowledge. 
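 An added example (not code from the thread or from pfSense): a small Python audit of an OpenVPN client profile that inventories which of the items listed above it carries, which of them are secrets a thief of the box would obtain, and flags the one thing the post says should never be there, the CA private key. The profile text, hostnames and filenames are constructed.

```python
import re

# Credential material an OpenVPN client profile can carry, as inline <tag>
# blocks or as file directives. Whatever is under SECRET is what someone
# who walks off with the box gains; PUBLIC material is only certificates.
PUBLIC = ("ca", "cert")
SECRET = ("key", "tls-auth", "tls-crypt", "auth-user-pass")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")


def audit_profile(text):
    """Return {'present': [...], 'secrets': [...], 'findings': [...]} for a profile."""
    present, secrets, findings = set(), set(), []
    # Inline blocks such as <ca>...</ca> or <key>...</key>.
    for tag, body in re.findall(r"<([a-z-]+)>(.*?)</\1>", text, re.S):
        if tag not in PUBLIC + SECRET:
            continue
        present.add(tag)
        if tag in SECRET:
            secrets.add(tag)
        if tag in PUBLIC and PRIVATE_KEY.search(body):
            findings.append(f"<{tag}> block embeds a private key; it should hold certificates only")
    # File directives, e.g. 'key client.key' or 'auth-user-pass creds.txt'.
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;" or parts[0] not in PUBLIC + SECRET:
            continue
        directive, args = parts[0], parts[1:]
        present.add(directive)
        if directive in SECRET and args:   # a bare 'auth-user-pass' prompts instead of reading a file
            secrets.add(directive)
        if args and args[0].lower().endswith("ca.key"):
            findings.append(f"{directive} references {args[0]}: the CA private key does not belong on a client")
    if len(PRIVATE_KEY.findall(text)) > 1:
        findings.append("more than one private key embedded; a client needs exactly one")
    return {"present": sorted(present), "secrets": sorted(secrets), "findings": findings}


# Constructed sample profile (placeholder endpoint and truncated PEM bodies).
SAMPLE = """\
client
# constructed sample, not a real endpoint
remote vpn.example.invalid 1194
auth-user-pass creds.txt
tls-auth ta.key 1
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...constructed...
-----END PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

Run it against the profile pfSense exports for a client to see at a glance which files would have to be revoked after a theft and whether anything beyond the single client key is on the box.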
- 
 In what scenario would you be worried about a router that connects to a VPN service's user cert to the VPN? The users at that location would have access to the VPN already.. Please describe the scenario of your compromise… What exactly is a person that has physical access to your router going to steal or get access to that you're trying to prevent.. That they already do not have access to anyway from just being in the location and on your local network. Be happy to walk through any scenario you can describe that is actually something that anyone should be worried about.. Yes, your firewall in some location should always be secured.. If you do not have physical security you do not have shit... Where WDE comes into play is a scenario where you lose your device.. I.e. your work laptop that you leave in your car - and someone throws a brick through your window and takes the thing. To decrypt the disk they would need your smart card - which you have in your wallet. And/or at min your password to boot the machine, etc. Whole disk encryption only protects against loss of the device. When would a router be lost? If it's in a building under your control... If someone does break into the building and steal it - what is on there that could not just be revoked? You need to walk through a scenario - if you want to walk through the steps to mitigate that scenario.. Just asking for WDE seems pointless for something like a firewall. Even if the router is sitting in an open cube in your office. What is on the device that someone in the office would want? That you would be worried about them getting access to? 
- 
 It's not a feature that will likely be added anyway. 
- 
 Not all VPNs are for human users; most of my remote clients are network devices - remote over WAN, multiple locations. The equipment boxes can be locked, but physical security cannot be guaranteed. I set alarms for security alerts whenever I can. I appreciate this is somewhat specific to this scenario, but I'm sure I'm not the only user who faces this problem. 
- 
 Well, use a different firewall solution that provides it.. Like I said, none of them do that I know of.. But you want the one you get for FREE too ;) I would suggest you get a PC to run it on, and use WDE/FDE in the BIOS.. Or run it on some SED; there are some SSDs out there for sure.. Now you just need someone to put in the password every time you reboot the thing… Which means you'd better make sure these people are not the ones that want these top secret VPN user certs. And/or that they do not evil-maid you since the device is not secure.. 
- 
 Okay, thanks for your time. Particularly johnpoz. 
 Like Derelict says - it ain't gonna happen.
 I totally get why - no harm in asking though.
- 
 I read a blog on the topic of WDE for remote devices where physical security could not be trusted. It was full of all kinds of holes. There is no solution, and the closest you can get to a solution is more of security through obscurity. It comes down to the fundamental issue that a secret must be provided. If the secret is local, then anyone with physical access can get the secret. If the secret is remote, then you need a way for the device to remote back to get the secret, but in order to do that, it must have the ability to boot and connect back. An attacker could just clone this part, run it in a VM and eavesdrop. Now they have the secret. The only benefit you get is that you can control when the secret gets sent instead of having it accessible at any time by storing it locally. In short, it can't be done without proprietary hardware. The only way to make this happen is to have a way to store the secret locally in a physically safe way and where the device knows it's in a trusted state. You can keep whittling down which parts must be secure, but in the end you MUST have some amount of physical security. 
- 
 ^ great points Harvy66. So yeah, it all boils down to: if you ain't got physical security you ain't got shit ;) hehehehe Even a small ma and pop shop should have some sort of closet it could be locked up in. Even in the example where it sat in a cube.. You still have physical security to the point that only people that work in the office would have access.. And ok, the cleaning crew, and the building security and management ;) But not like it's sitting on a table in Starbucks ;) 