Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Installation with Whole Disk Encryption

    Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
    30 Posts 14 Posters 8.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      harika1258 @jimp
      last edited by harika1258

      @jimp
      Hi..., How can I remove passphrase when os is booting?
      I tried this command but , nothing happened :
      geli configure -B prov
      ;-)

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        @finger79 said in Installation with Whole Disk Encryption:

        pfSense becomes more of a jack-of-all-trades single device

        Huh? Where is that in the roadmap.. It not a everything box - its a firewall. If the user goes about having it serve up websites and freaking serve up files.. That is not the design goal..

        If you want a box to do everything - install some hosting VM software on the hardware... Use your FDE here, and run pfsense as a VM...

        "How can I remove passphrase when os is booting"

        Wouldn't that just defeat the whole freaking purpose of FDE...

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        H 1 Reply Last reply Reply Quote 0
        • H
          harika1258 @johnpoz
          last edited by harika1258

          @johnpoz
          Thank you so much, But i don't agree with you, because If we use a VM for firewall , performance and maintaining will be low. hence, I'd rather whole disk Encryption without using passphrase! but How can I implement it?
          PS : I used geom_eli_passphrase_prompt="NO" in /boot/loader.conf and geli configure -B prov but nothing happened.

          NogBadTheBadN 1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad @harika1258
            last edited by NogBadTheBad

            This post is deleted!
            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              @harika1258 said in Installation with Whole Disk Encryption:

              VM for firewall , performance and maintaining will be low

              Nonsense, not if sized correctly.. And encryption without a passphrase is NOT encrypted now is it... It would be utterly pointless..

              There are thousands and thousands of people running pfsense on VM.. All different flavors, esxi, zen, hyper-v, etc. etc. I ran it on VM for years. But my OLD n40l microserver could not handle the 500/50 internet speed so had a choice update to box that could do it with pfsense as vm. Or go with hardware - I went with the sg4860.. Which I do believe can run esxi on... Maybe at aomepoint will try that.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              H 1 Reply Last reply Reply Quote 0
              • H
                harika1258 @johnpoz
                last edited by

                @johnpoz
                OK, all -right . I don't use any VM solutions. ;-)
                do you have another solution? I mean , I want to encrypt partitions with ZFS without entering passphrase every time when os is booting ;-)

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  @harika1258 said in Installation with Whole Disk Encryption:

                  I want to encrypt partitions with ZFS without entering passphrase every time when os is booting

                  Then there is ZERO point to the encryption in the first place... What is it protecting??? The whole problem of FDE on something like a router is that it needs intervention for boot..

                  If there is no passphrase, then when it boots the encryption is just unlocked. Like a zipfile without a password on it - anyone can open it. You put a password on the zip file and you have to know the password to unlock it.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  H 1 Reply Last reply Reply Quote 0
                  • H
                    harika1258 @johnpoz
                    last edited by harika1258

                    @johnpoz
                    if someone has physical access to appliance who can move the appliance 's hard drive to another system (computer with Windows os) to view and does everything.
                    I want to protect it in this case.
                    although I want, when pfsense is booting, we don't need any passphrase.
                    just want to protect files in attaching to machine who running windows OS ;-)

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      @harika1258 said in Installation with Whole Disk Encryption:

                      just want to protect files in attaching to machine who running windows OS

                      So your wanting to protect it from idiot users? Why would I move the HDD to another system when I would just get the info off the thing while I have physical access to it??

                      I really think you need to do some research on what FDE actually protects you from..

                      So your scenario your wanting to protect against.. Windows not going to read a zfs anyway ;) Be it encrypted or not. And what appliance are you using exactly... Mine doesn't even have a HDD they could take out...

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      H 2 Replies Last reply Reply Quote 0
                      • H
                        harika1258 @johnpoz
                        last edited by

                        This post is deleted!
                        1 Reply Last reply Reply Quote 0
                        • H
                          harika1258 @johnpoz
                          last edited by harika1258

                          @johnpoz 0_1529990347180_Untitled.png
                          As you know, in windows OS, by UFS Explorer you can see partition that is set up with ZFS.
                          I use Nexcom Appliance ....

                          1 Reply Last reply Reply Quote 0
                          • GertjanG
                            Gertjan
                            last edited by

                            Your adding normally non-existing issues : a system that runs virtual appliances shouldn't be made accessible by ordinary users, except for the services they offer remotely.
                            Only an 'admin' should access such a systems directly.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 0
                            • L
                              launchpadmcquak
                              last edited by launchpadmcquak

                              I'm not quite sure I understand arguing against FDE with the justification "it's just a firewall" when this simple firewall has a robust package management system which features an impressive catalog of packages.

                              I personally use pfSense as a firewall, a dynamic DNS client to NoIP (which requires credentials), and a tinc (keys!) server to tie other pfSense boxes together. I see people leveraging pfSense for much heavier workloads so I definitely see the argument for FDE.

                              I also see that FDE is a PITA because, at boot, you have to either be physically present to enter credentials, share said credentials with somebody who's present, or expose IPMI (if you have it) to gain virtual KVM access to it.

                              Would it be possible to see something like dracut-crypt-ssh make its way into the feature list? I use it on everything as a backup for when tang/clevis isn't working in a predominantly CentOS-based environment. It would be quite handy to have pfSense have a similar functionality whereby it boots dropbear on a specific port, protected with a preconfigured keypair, that goes away once pfSense is fully booted. Just my $.02.

                              1 Reply Last reply Reply Quote 0
                              • KOMK
                                KOM
                                last edited by

                                FDE is a PITA that is only useful if you're in an environment where there is a significant risk that someone will steal your disk so they can mount it elsewhere and look for prizes. Most people are not in that environment, and even if they were, there is usually nothing on the firewall that would be of any use to an attacker. Your mileage may vary, of course. Nobody else should have physical access to the box except you or other IT admins. Certainly not users.

                                1 Reply Last reply Reply Quote 0
                                • E
                                  Epimpin @johnpoz
                                  last edited by

                                  This post is deleted!
                                  1 Reply Last reply Reply Quote 0
                                  • V
                                    vkeel87
                                    last edited by vkeel87

                                    sorry to revive old post but I would like to reply for a specific use case no one brought up. As a journalist I need a higher level of security when accessing specific content. I use pfSense as a VPN gateway configure with FDE and zero-logging. It's a lot easier than having to setup vpn after every reboot on my boot-only USB OS.

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.