Is GELI FDE option not part of the Netgate Installer 1.0RC?
-
I did a baremetal install of 2.8.0 a couple days ago for a backup router using the Netgate Installer 1.0-RC img. It went fine, but for this backup router, I specifically did not want FDE.
Now I'm doing a test install of 2.8.0 CE via the Netgate Installer ISO in VirtualBox and can't for the life of me see an option in the installer for detailed settings. I can choose ZFS vs UFS and striped, etc., but there is no advanced option for GELI like there were in past installers (e.g. 2.6.x, 2.7.x) prior to the Netgate Installer.
Am I blind, or is this functionality just not a part of the Netgate installer at this point?
Here's the conundrum: If I want GELI, I can use the 2.7.2 ISO/IMG file and then do an in-place upgrade to 2.8.0; however, besides being an extra step, the current upgrade process doesn't upgrade the bootloader in edge cases with GELI.
So basically there is no current way to directly install 2.8.0 and have GELI.
I'm a novice with FreeBSD -- I understand that ZFS runs on top of GELI (as opposed to systems like LUKS, Bitlocker, et al), so can I maybe manually install GELI after the fact? I remember in legacy FreeNAS, it was important to install GELI first prior to ZFS.
Thanks for any comments! (And no, I'm not beating a dead horse justifying to people why in some use cases I want FDE to protect root CA and private keys. I'm sick of that circular argument.) Just politely asking if the Netgate installer supports GELI, and if it doesn't, pretty please add that in the future.
-
No the Net Installer does not support disk encryption yet.
-
@stephenw10 said in Is GELI FDE option not part of the Netgate Installer 1.0RC?:
No the Net Installer does not support disk encryption yet.
Why would a firewall need an encrypted filesystem? (IMHO)
-
That's a good question. You could argue that if the firewall itself is physically stolen then an attacker could have access to your VPN keys for example. But if they have physical access to your firewall I would argue you have bigger issues!
It's a very infrequently used option in the old installer so we haven't implemented it yet in the Net Installer.
-
@fireodo said in Is GELI FDE option not part of the Netgate Installer 1.0RC?:
@stephenw10 said in Is GELI FDE option not part of the Netgate Installer 1.0RC?:
No the Net Installer does not support disk encryption yet.
Why would a firewall need an encrypted filesystem? (IMHO)
I already answered above, but in case you're asking in good faith (some others in the past here have argued incessantly even after it's been answered): I've built out a nice little PKI with a root CA and a ton of server certificates and user certificates (e.g. for 802.1X EAP-TLS), so there are dozens of private keys sitting there, on top of the crown jewel, the root CA's private key.
The best practice is to have the entire PKI separate from the firewall/router, especially something that can be on the edge of the network touching the WAN.
I'm a beginner with my homelab, so I just started playing around with pfSense's nifty GUI-based Certificate Manager and ran with it. I chose convenience in my learning process over security. Then when things started maturing and I built more servers and services, it just... grew haha.
I have future projects to build separate infrastructure for signing CSRs, and any future private keys for servers will be stored only on said servers, preferably in HSMs.
But for the time being, all those private keys are stored on the pfSense storage, and I don't want those keys in the clear/plaintext on that device. I don't live in a 100% safe home environment (which I won't get into), meaning I don't trust others here who come and go. So for these and other reasons, my personal preference is to implement FDE to protect the PKI until I can migrate that off the firewall.
Hope that helps. But yeah, in the future I'll also have more VPNs set up, and I'd like those private keys protected.
In a business or enterprise environment, there is much more robust physical security. In a residential setting with people who help themselves to my personal belongings (and then lie about it), my trust can't be that high, so I have to control the things within my control until I can move out to safer pastures.
The tl;dr is to protect private keys (whether root CA, server private keys, user private keys, or VPN private keys). It's a sore issue for me because I've answered this in the past and 1-2 others in the past still insist on arguing and continuing to be confused.
-
@Finger79 said in Is GELI FDE option not part of the Netgate Installer 1.0RC?:
Hope that helps. But yeah, in the future I'll also have more VPNs set up, and I'd like those private keys protected.
In a business or enterprise environment, there is much more robust physical security. In a residential setting with people who help themselves to my personal belongings (and then lie about it), my trust can't be that high, so I have to control the things within my control until I can move out to safer pastures.
OK, I understand.
Sorry!