[Feature Request] Router Full Disk Encryption



  • Full Disk Encryption included in the pfSense standard installation would be nice. With Squid proxy cache, routing tables, VPN keys, and the central Certificate Authority, our pfSense routers are vulnerable to physical manipulation attacks. Does anybody else think this may be a good idea for local routers?



  • If someone gains access to your machine physically then encryption of your disk won't help…



  • Encryption of the disk only defends against physical attacks where the system was powered off when it was taken and where the system required user intervention (the entering of a pass phrase) when started. It doesn't protect against remote attacks, any local attacks where the system is running or at all if the system can automatically boot without a pass phrase. It also means that you need to be at the device to boot it - no remote reboots or upgrades and if there is a power failure you need to be at the device to boot it again.

    In short, it doesn't provide a network device with much protection and it adds considerable inconvenience.

    FreeBSD, on which pfSense is based, has disk encryption so it is possible to do. I don't know if the required modules for geli are in pfSense though.



  • Possibly use an HDD with hardware AES256 security, such as the Toshiba MK1661GSY/MK6461GSY?

