Netgate Discussion Forum

    Drive Encryption

    General pfSense Questions
    18 Posts 6 Posters 1.7k Views
    • Gil Rebel Alliance

      Running remote clients that don't always have great physical security.
      This leaves them vulnerable to attack, particularly if removable media is used (eg: SD cards)

      Is it possible to have an encrypted drive to prevent someone from removing the SD card and reading it directly?

      11 cheers for binary

      • JKnott

        Yes, but the exact method depends on the operating system.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • johnpoz LAYER 8 Global Moderator

          you also have a problem with such systems being able to start on their own without human intervention..

          You also run into the problem that if physical access is there while live and drive is decrypted ;)

          What exactly is stored on the firewall drive that could not just be circumvented with such physical access?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Gil Rebel Alliance

            @johnpoz:

            you also have a problem with such systems being able to start on their own without human intervention..

            You also run into the problem that if physical access is there while live and drive is decrypted ;)

            What exactly is stored on the firewall drive that could not just be circumvented with such physical access?

            It seems to me that the simplest form of attack is by powering down the router, removing the drive and imaging it.
            Therefore, this poses the greatest vulnerability to a physically non-secured client router.
            I understand that encrypting a drive requires a password to be entered (or stored??) to power up.
            Neither solution is desirable, and I don't propose to know the solution (when physical security cannot be fully controlled).
            I thought I would ask anyway.

            I imagine that performing a live attack would be more difficult.

            Client routers may run OpenVPN connections to the server, thus certs and passwords become vulnerable.

            The SG-1000 routers can run on internal memory, which is a little more secure - but I imagine the memory can be read anyway.

            • johnpoz LAYER 8 Global Moderator

              What appliances from netgate run on sdcards or drives that are removable?

              Those things can be added for storage on some models.. But are they not all internal storage?  So really nothing to remove..

              "stored??) to power up"
              You just defeated the whole point of encryption if the password is stored and not encrypted..

              "I imagine that performing a live attack would be more difficult."

              Why?

              The whole point of the disk encryption goes out the window with an evil maid attack anyway..  Since I have physical access..  You have to put the password in to boot the thing… I just use evil maid on you.. etc..

              Do any of the major players in firewalls provide for encryption?  Say Cisco, Palo Alto, Juniper, Fortinet?  How do they implement it..  Here is the thing once physical security has been lost..  So while your encryption would protect you against theft of said device.. Since your cold storage is encrypted.  But if what I am after is your certs - then just evil maid you.. OR maybe even just put a camera in the area or keyboard to log the keystrokes, etc. Go turn the firewall off and then back on and just wait for you to put in the password.

              You are prob better off securing the appliance in some sort of enclosure if you can not secure it in an IDF room or something.  Quite often they can be placed up on the walls to make access even more difficult.  This is how normally switches are secured in a production facility for example where it's difficult for some runs and need a switch at some location vs just the drop of the wire and switch in secure closet somewhere.

              If you're worried about the user certs do not store them on the appliance after they have been created.  Same goes for the CA.. You can store the private key of the CA off.. It only is needed to create new certs from that CA..  So that sort of stuff can be removed if you're worried about someone getting that off the firewall.

              • Derelict LAYER 8 Netgate

                To me the biggest reason for whole-disk encryption (other than portable, thievable, misplaceable devices like laptops, tablets, and phones) is so you can dispose of the drives without having to wipe them first. That's why I use ZFS encryption on my NAS.

                WDE on the firewall seems like a solution in search of a problem.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • johnpoz LAYER 8 Global Moderator

                  "WDE on the firewall seems like a solution in search of a problem."

                  Well said… And agree..

                  I am curious if any major players support it though.. Have never looked into it.. Since have never had to worry about physical security of such devices.  They are either locked in an IDF/MDF of some remote location or in a DC with normally over the top physical biometric access only, etc. Then even in that DC in a locked rack, and sometimes cage with different locks, etc.

                  The firewall is normally never like just sitting on someone's desk in an open cube ;)

                  So now that your concerns about certs are removed from this non-physically-secure firewall - what else is on the device that you're concerned with that you would desire WDE and all the pains that come with that?

                  • JKnott

                    The firewall is normally never like just sitting on someone's desk in an open cube ;)

                    That's where it was in an office I used to work in.  However, there wasn't much option.  The office was a single room in a building where offices and even just mail boxes were rented out to small companies.  Unlike most of the other tenants, we had our own Internet access, connected to an Adtran router/switch.  There were only 2 people working there, me and the sales guy.

                    • SammyWoo

                      @Gil:

                      Is it possible to have an encrypted drive to prevent someone from removing the SD card and reading it directly?

                      Well, me Mr. Obvious says if security is a concern, PHYSICAL SECURITY, FW box is in a controlled access location, to begin with.

                      • johnpoz LAYER 8 Global Moderator

                        Rule #1 of security:

                        If you don't have physical security you don't have shit ;)

                        • Gil Rebel Alliance

                          @johnpoz:

                          If you're worried about the user certs do not store them on the appliance after they have been created.  Same goes for the CA.. You can store the private key of the CA off.. It only is needed to create new certs from that CA..  So that sort of stuff can be removed if you're worried about someone getting that off the firewall.

                          I cannot remove all sensitive data.
                          A router setup with an OpenVPN client will require a combination of:
                          CA.cert, a VPN.cert and VPN.key, plus (possibly) a tls-auth.key, user name and password.
                          Certainly no need to store the CA.key. - I keep a separate system for key generation anyway
                          Revoking certificates is an answer to a compromised router, - once you have identified the compromise.

                          I don't disagree with the comments made, but can you always guarantee that all of your client devices are physically secured?
                          Inherent to my situation; I cannot.

                          Just looking for possibilities that may exist past my current knowledge.

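The list Gil gives above (CA cert, client cert and key, possibly a tls-auth key, plus username and password) is exactly the inventory a defender wants before deciding what an imaged drive would expose and which items would have to be revoked or rotated after a compromise. The following is an added example, not code from this thread, from pfSense or from OpenVPN: a small parser that walks a constructed OpenVPN client config (hostname, paths and key bodies are made up) and reports each credential directive, whether its material is inline in the config or referenced as a file, and whether it is private (lets a holder impersonate the client) or public. The directive names are real OpenVPN options; the private/public split is this example's own classification.

```python
import re
from typing import Dict, List

# Constructed sample of a pfSense-style OpenVPN client config; nothing here is real.
SAMPLE_CONFIG = """\
client
dev tun
proto udp4
remote vpn.example.invalid 1194
auth-user-pass /var/etc/openvpn/client1/up
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
cert /var/etc/openvpn/client1/cert
key /var/etc/openvpn/client1/key
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# Private material: anyone holding it can authenticate as this client (or, for
# tls-auth/tls-crypt, reach the server's TLS layer at all). Public material is not secret.
PRIVATE_DIRECTIVES = {"key", "pkcs12", "secret", "tls-auth", "tls-crypt", "tls-crypt-v2", "auth-user-pass"}
PUBLIC_DIRECTIVES = {"ca", "cert", "dh", "crl-verify", "extra-certs"}


def inventory(config_text: str) -> List[Dict[str, object]]:
    """List every credential the config references, where it lives, and whether it is private."""
    items: List[Dict[str, object]] = []
    lines = config_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        block = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if block:
            # Inline block: the payload sits inside the config file itself on the drive.
            tag = block.group(1)
            j = i + 1
            while j < len(lines) and lines[j].strip() != f"</{tag}>":
                j += 1
            items.append({"directive": tag, "source": "inline", "private": tag in PRIVATE_DIRECTIVES})
            i = j + 1
            continue
        if line and not line.startswith(("#", ";")):
            parts = line.split()
            name = parts[0]
            if name in PRIVATE_DIRECTIVES or name in PUBLIC_DIRECTIVES:
                # auth-user-pass with no argument prompts at start-up, so nothing is at rest;
                # with an argument it reads the credentials from that file.
                source = parts[1] if len(parts) > 1 else "prompt"
                items.append({"directive": name, "source": source, "private": name in PRIVATE_DIRECTIVES})
        i += 1
    return items


def secrets_at_rest(config_text: str) -> List[str]:
    """Directives whose private material is readable from a powered-off, imaged drive."""
    return sorted(
        str(item["directive"])
        for item in inventory(config_text)
        if item["private"] and item["source"] != "prompt"
    )


if __name__ == "__main__":
    for item in inventory(SAMPLE_CONFIG):
        print(f"{item['directive']:<15} {'private' if item['private'] else 'public ':<8} {item['source']}")
    print("would need revoking/rotating after an image:", secrets_at_rest(SAMPLE_CONFIG))
```

For the constructed config the private material at rest is the client key, the tls-auth key and the auth-user-pass file; the CA and client certificates are public and need no rotation on their own. That is the set to put on the revocation list (and the tls-auth key to rotate on the server side) the moment a remote box is suspected of having been imaged.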
                          • johnpoz LAYER 8 Global Moderator

                            In what scenario would you be worried about a router that connects to a vpn services user cert to the vpn?  The users at that location would have access to the vpn already..

                            Please describe the scenario of your compromise… What exactly is a person that has physical access to your router going to steal or get access to that you're trying to prevent.. That they already do not have access to anyway from just being in the location and on your local network.

                            Be happy to walk thru any scenario you can describe that is actually something that anyone should be worried about..

                            Yes your firewall in some location should always be secured.. If you do not have physical security you do not have shit... Where WDE comes into play is a scenario where you lose your device..  Ie your work laptop that you leave in your car - and someone throws a brick through your window and takes the thing.  To decrypt the disk they would need your smart card - which you have in your wallet.  And or at min your password to boot the machine, etc.

                            whole disk encryption only protects against loss of the device.  When would a router be lost?  If it's in a building under your control... If someone does break into the building and steal it - what is on there that could not just be revoked?

                            You need to walk through a scenario - if you want to walk through the steps to mitigate that scenario..

                            Just asking for WDE seems pointless for something like a firewall.  Even if the router is sitting in an open cube in your office.  What is on the device that someone in the office would want?  That you would be worried about them getting access to?

                            • Derelict LAYER 8 Netgate

                              It's not a feature that will likely be added anyway.

                              • Gil Rebel Alliance

                                Not all VPNs are for human users, most of my remote clients are network devices - Remote over WAN, multiple locations.

                                The equipment boxes can be locked, but physical security cannot be guaranteed.

                                I set Alarms for security alerts whenever I can.

                                I appreciate this is somewhat specific to this scenario, but I'm sure I'm not the only user who faces this problem.

                                • johnpoz LAYER 8 Global Moderator

                                  Well use a different firewall solution that provides it.. Like I said none of them do that I know of..  But you want the one you get for FREE too ;)

                                  I would suggest you get a PC to run it on, and use WDE/FDE in the bios.. Or run it on some SED, there are some SSDs out there for sure.. Now you just need someone to put in the password every time you reboot the thing…

                                  Which better make sure these people do not learn that want these top secret vpn user certs. And or that they do not evil maid you since the device is not secure..

                                  • Gil Rebel Alliance

                                    Okay, thanks for your time. Particularly johnpoz.
                                    Like Derelict says - it ain't gonna happen.
                                    I totally get why, - no harm in asking though.

                                    • Harvy66

                                      I read a blog on the topic of WDE for remote devices where physical security could not be trusted. It was full of all kinds of holes. There is no solution and the closest you can get to a solution is more of security through obscurity. It comes down to the fundamental issue that a secret must be provided. If the secret is local, then anyone with physical access can get the secret. If the secret is remote, then you need a way for the device to remote back to get the secret, but in order to do that, it must have the ability to boot and connect back. An attacker could just clone this part, run it in a VM and eavesdrop. Now they got the secret. The only benefit you give is you can control when the secret gets sent instead of having it accessible at any time by storing it locally.

                                      In short, it can't be done without proprietary hardware. The only way to make this happen is to have a way to store the secret locally in a physically safe way and where the device knows it's in a trusted state. You can keep whittling down which parts must be secure, but in the end you MUST have some amount of physical security.

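Harvy66's post above lays out the two options, a local secret or a secret fetched remotely, and why each fails on its own: a local secret is readable by whoever images the drive, and a remote fetch can be cloned into a VM that replays the device's side of the exchange. The "proprietary hardware" he ends on is a chip that holds keys the drive never contains and that can vouch for the state it booted into. The following is an added example, not code from this thread or from any TPM library: a pure-Python simulation of measured boot (PCR extend), of sealing a disk key to a boot measurement under a chip-bound key, and of a remote key server that releases the key only to an enrolled chip quoting the expected measurement. The SimulatedTPM and KeyServer classes, the boot-chain blobs and the HMAC/XOR construction are this example's own simplifications; a real TPM 2.0 uses signed quotes and PCR policies rather than HMACs.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: the new value chains the old value and the measurement."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot_chain(stages: List[Tuple[str, bytes]]) -> bytes:
    """Measure each boot stage (firmware, loader, kernel, config) in order into one PCR."""
    pcr = PCR_INIT
    for _name, blob in stages:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr


class SimulatedTPM:
    """Stand-in for a TPM (this example's own simplification): chip-bound keys that never
    appear on the disk, so imaging the drive does not copy them."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)         # storage root key, never exported
        self._attest_key = os.urandom(32)  # attestation key, given to the server at enrollment only

    def _policy_key(self, pcr: bytes) -> bytes:
        return hmac.new(self._srk, pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> bytes:
        """Bind a 32-byte secret to this chip and this exact PCR value (HMAC/XOR stands in for AES)."""
        assert len(secret) == 32
        policy_key = self._policy_key(pcr)
        keystream = hmac.new(policy_key, b"keystream", hashlib.sha256).digest()
        body = bytes(a ^ b for a, b in zip(secret, keystream))
        tag = hmac.new(policy_key, body, hashlib.sha256).digest()
        return body + tag

    def unseal(self, blob: bytes, pcr: bytes) -> Optional[bytes]:
        """Return the secret only if both the chip key and the boot measurement match."""
        body, tag = blob[:32], blob[32:]
        policy_key = self._policy_key(pcr)
        if not hmac.compare_digest(tag, hmac.new(policy_key, body, hashlib.sha256).digest()):
            return None
        keystream = hmac.new(policy_key, b"keystream", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(body, keystream))

    def quote(self, nonce: bytes, pcr: bytes) -> bytes:
        """Attest the current PCR to a verifier (a MAC here; a real TPM signs)."""
        return hmac.new(self._attest_key, nonce + pcr, hashlib.sha256).digest()

    def enrollment_key(self) -> bytes:
        """Out-of-band enrollment: the server learns how to verify this chip's quotes."""
        return self._attest_key


class KeyServer:
    """Remote key release: the disk key leaves the server only for an enrolled chip
    that proves it booted the expected chain."""

    def __init__(self) -> None:
        self._devices: Dict[str, Tuple[bytes, bytes, bytes]] = {}

    def enroll(self, device_id: str, attest_key: bytes, expected_pcr: bytes, disk_key: bytes) -> None:
        self._devices[device_id] = (attest_key, expected_pcr, disk_key)

    def release(self, device_id: str, nonce: bytes, pcr: bytes, quote: bytes) -> Optional[bytes]:
        entry = self._devices.get(device_id)
        if entry is None:
            return None
        attest_key, expected_pcr, disk_key = entry
        expected_quote = hmac.new(attest_key, nonce + pcr, hashlib.sha256).digest()
        if not hmac.compare_digest(quote, expected_quote):
            return None  # quote not produced by the enrolled chip (e.g. a cloned VM)
        if not hmac.compare_digest(pcr, expected_pcr):
            return None  # enrolled chip, but it booted something other than the known-good chain
        return disk_key


# Constructed boot chains; the byte strings stand in for real firmware/loader/kernel images.
GOOD_CHAIN = [("firmware", b"fw-1.0"), ("loader", b"loader-1.0"), ("kernel", b"kernel-1.0"), ("config", b"cfg-1")]
TAMPERED_CHAIN = [("firmware", b"fw-1.0"), ("loader", b"loader-modified"), ("kernel", b"kernel-1.0"), ("config", b"cfg-1")]


def run_scenarios() -> Dict[str, bool]:
    """Each entry is True when the design behaves as intended for that scenario."""
    tpm = SimulatedTPM()
    disk_key = os.urandom(32)
    good_pcr = measure_boot_chain(GOOD_CHAIN)
    bad_pcr = measure_boot_chain(TAMPERED_CHAIN)
    blob = tpm.seal(disk_key, good_pcr)  # stored on the drive next to the encrypted filesystem
    server = KeyServer()
    server.enroll("router-01", tpm.enrollment_key(), good_pcr, disk_key)
    nonce = os.urandom(16)
    clone = SimulatedTPM()  # attacker's VM built from an image of the drive: same blob, different chip
    return {
        "local_good_boot_unseals": tpm.unseal(blob, good_pcr) == disk_key,
        "local_tampered_loader_fails": tpm.unseal(blob, bad_pcr) is None,
        "local_imaged_disk_other_chip_fails": clone.unseal(blob, good_pcr) is None,
        "remote_good_boot_released": server.release("router-01", nonce, good_pcr, tpm.quote(nonce, good_pcr)) == disk_key,
        "remote_cloned_vm_refused": server.release("router-01", nonce, good_pcr, clone.quote(nonce, good_pcr)) is None,
        "remote_tampered_loader_refused": server.release("router-01", nonce, bad_pcr, tpm.quote(nonce, bad_pcr)) is None,
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: {'as intended' if ok else 'UNEXPECTED'}")
```

The six scenarios in `run_scenarios()` are the cases the post argues about: the genuine chip on a clean boot gets its key (locally or from the server); the same chip with a modified loader does not, because the PCR differs; an image of the drive run on another chip or in a VM does not, because the sealed blob is useless without the chip's key and the server will not accept the clone's quote. Note what it does not close: johnpoz's point that an attacker with the running, unlocked device still has everything, which is why the thread keeps coming back to physical security.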
                                      • johnpoz LAYER 8 Global Moderator

                                        ^ great points Harvy66

                                        So yeah it all boils down to if you ain't got physical security you ain't got shit ;) hehehehe

                                        Even a small ma and pop shop should have some sort of closet it could be locked up in.  Even in the example where it sat in a cube.. You still have physical security to the point only people that work in the office would have access.. And ok the cleaning crew, and the building security and management ;)

                                        But not like it's sitting on a table in starbucks ;)

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.