Install pfSense on a fully encrypted hard drive



  • Hi all,
    pfSense is a great firewall. I installed it and use it, but I want to install it on a fully encrypted hard drive. In FreeBSD 9 this is possible from bsdinstall, but in the pfSense installer I can't do it.

    Is there any way to do that? I want all my partitions encrypted except the boot partition. How can I do that?

    Thanks a lot


  • Netgate Administrator

    Any particular reason you want to do that? What do you think will be on the hard drive that is sufficiently valuable it requires encrypting?

    Steve


  • LAYER 8 Global Moderator

    ^ same question. It's a firewall, there is no DATA per se. So I guess the CA root keys, etc. But those should have a password on them. Normally a firewall would be in a locked computer room/data center, with controlled physical access.

    So other than just for the sake of doing it, I am curious about the justification for the added work and overhead and issues that might come about in troubleshooting, etc. You're just adding another thing that could fail, if you ask me.



  • And how do you plan to boot it each time it powers up? Does someone have to be in attendance at the console to put a password in?
    If not, then the authentication keys to open whatever parts of it are encrypted will be unencrypted on the machine itself. So if the machine/disks are stolen it will be quite trivial for the thief to access everything.
    Just wondering how such a thing works in practice.


  • Netgate Administrator

    All good questions. Additionally isn't most of what you might want to protect stored on the 'boot partition' anyway?

    Steve



  • @johnpoz:

    ^ same question.. Its a firewall, there is no DATA per say..  So I guess the CA root keys, etc.  But those should have password on them.

    I've noticed that CA root keys and other private keys (such as when creating an OpenVPN roadwarrior setup) are stored in plaintext.  How does one password protect them on the pfSense box?  I'm also slightly interested in full disk encryption, despite the inconvenience of having to manually unlock the drive with each reboot.  I want the option just for fun.  Heck, there's a lot of firewall logs, Snort logs, and all package logs that are hosted on the box, and some of us run pfSense in an unsecured home environment where physical security is not guaranteed in the event of burglary.

    Famous Snowden quote:  "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

    So if one is implementing a VPN endpoint on a pfSense box itself (including the CA), I'd like to protect the entire endpoint including the private keys and root keys and all config and log files (I don't have a dedicated log server implemented).  Otherwise I might as well spin up a dedicated OpenVPN box and have pfSense merely port forward to that box.

    So someone educate me:

    (1)  The issue of full disk encryption aside, how does one password protect CA root keys and other private keys residing on the pfSense box?
    (2)  Is it possible for any of us to implement something like GELI full disk encryption ourselves without waiting for the remote unlikely chance that this feature is officially included in a future release?
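
    Question (1) above, worked through as an added example (not code from the thread or from the pfSense project): a private key exported from pfSense is a plain PEM file, and the usual way to put a password on it is to rewrap it as a passphrase-protected PKCS#8 key with openssl. The script below does that for a throwaway RSA key it generates itself (a constructed sample standing in for the exported CA key), checks whether a given PEM is protected at all, and proves that only the right passphrase unlocks it. It assumes `openssl` is on the PATH; `WORK`, `KEY_IN` and the passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: passphrase-protect a
# private key (CA or OpenVPN server key) exported from pfSense, and check
# whether a PEM key file is protected at all. Assumes openssl is on PATH.
# The key it works on is a throwaway one generated here (constructed sample);
# point KEY_IN at a real exported key to use it for real.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_IN="${KEY_IN:-$WORK/ca.key}"

# is_encrypted_key FILE: succeeds if the PEM carries a passphrase-wrapped key
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header)
is_encrypted_key() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# encrypt_key IN OUT PASSPHRASE: rewrap a plaintext key as PKCS#8 with
# AES-256-CBC under a PBKDF2-derived key (openssl's -v2 form), mode 0600
encrypt_key() {
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout "pass:$3"
    chmod 600 "$2"
}

# key_matches ENCRYPTED PASSPHRASE PLAINTEXT: succeeds only if the passphrase
# unlocks ENCRYPTED and it holds the same key as PLAINTEXT (public parts compared)
key_matches() {
    locked=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null || true)
    plain=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$locked" ] && [ "$locked" = "$plain" ]
}

# demo: generate the sample key, protect it, and show that the wrong
# passphrase fails while the right one yields the identical key
demo() {
    pass='correct horse battery staple'   # illustrative placeholder only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEY_IN" 2>/dev/null
    encrypt_key "$KEY_IN" "$WORK/ca.enc.key" "$pass"
    ! is_encrypted_key "$KEY_IN"                       || return 1
    is_encrypted_key "$WORK/ca.enc.key"                || return 1
    ! key_matches "$WORK/ca.enc.key" 'wrong' "$KEY_IN" || return 1
    key_matches "$WORK/ca.enc.key" "$pass" "$KEY_IN"
}

if [ "${1:-}" = run ]; then
    demo && echo "protected copy: $WORK/ca.enc.key"
fi
```

    The caveat a practitioner should keep in mind: whatever key pfSense itself has to use at runtime (the OpenVPN server key, the webGUI certificate) must be readable without anyone typing a passphrase, so a password on that copy buys nothing on the box. The protected copy belongs to the key you keep off the box, which is the pattern johnpoz points at: sign server certificates with a CA whose key never lives on the firewall, and leave only the server key there.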


  • Netgate Administrator

    You might check out the somewhat undocumented web installer. I've never used it but I know it has various file system options there that aren't available in the text installer. Boot the live CD then go to /installer/
    http://forum.pfsense.org/index.php/topic,62156.msg335814.html#msg335814

    Steve



  • Keep in mind that fully encrypted hard drives are only encrypted when the machine is not running. Routers are like appliances, running all the time…

    Anyway I'd look at running pfsense in a virtual machine, which is on a fully encrypted drive. Don't know if that is possible though. Might be better to just load pfsense on a usb drive and take it with you when you aren't running the router.



    Regardless of the fact that encrypted hard drives are only encrypted when the server is off, our corporate policy states that all server hard drives are to be fully encrypted.
    We are not the only company to have this policy, and we will not be the last.
    We run a dark computer room remotely, and run Mandos on all of our other servers to do the password answering for those power off times.

    Also, since we run pfSense in a DMZ with a policy of bare metal for DMZ machines for DR purposes, having it on a Virtual Machine is an issue.

    So, does anyone out there have any notes on the "undocumented" web installer?
    Is there a reference for encrypted hard drives?

    Thanks,
    Tom


  • LAYER 8 Global Moderator

    "our corporate policy states that all server "

    It's not a SERVER – it's a firewall/router ;) Do you have the compact flash of all of your Cisco routers encrypted?



  • Don't use Cisco, overpriced and overblown for most equipment (speaking with 20+ years of using them).

    However, that was not the question asked.

    Sounds like politico talk  ;D

    Got your point, will try to approach my client with this, but pretty sure he will not buy it.
    Thanks for your quick response, I actually do appreciate it!

    Tom


  • LAYER 8 Global Moderator

    Cisco was just an example. So I am curious about your other networking equipment that has storage like compact flash, which in a sense is the same as a hard drive. Is it encrypted?

    How do you want to define "server"? Anything you can ssh or telnet to could be considered a server if you want to make it a blanket term. They serve up that service, so: server. Is their storage encrypted?



    No, flash memory in routers is NOT encrypted.
    However, outside routers do not contain any passwords in cleartext which could compromise the integrity of the network.

    Although we have doubts that pfSense would be compromised due to our current architecture, so did Target.
    As a former bank employee, I know that hackers with nothing else to do simply find this stuff a challenge (admit it….)

    So, back to the original point, is there a known way to install pfSense to encrypt the hard drive? Without using a Virtual Machine?

    Thanks,

    Tom


  • Netgate Administrator

    Never tried it, probably one for the devs, but the relevant options appear to be in the kernel:

    options   GEOM_BDE
    options   GEOM_ELI 
    

    You can use geom to set up software mirroring so it seems at least feasible.
    https://doc.pfsense.org/index.php/Create_a_Software_RAID1_(gmirror)

    Steve
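
    The geli(8) steps that the GEOM_ELI option makes possible, as an added example that is not code from the thread or from the pfSense project. It targets the layout the original poster asked for (a small unencrypted partition holding /boot, everything else encrypted) and shows the two unlock models debated earlier in the thread: a passphrase typed at the console on every boot, or a key file that lets the box boot unattended at the cost of leaving that key in the unencrypted /boot. `DEV`, `KEYFILE` and the loader.conf paths are placeholders; every disk-touching command goes through `run()`, so with `DRYRUN=1` (the default) it only prints the plan and can be read anywhere, and only with `DRYRUN=0`, as root on a FreeBSD system with the right device name, does it change anything.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: the FreeBSD geli(8)
# steps that the GEOM_ELI kernel option makes possible, as one script, for
# the layout the original poster asked for: a small unencrypted partition
# holding /boot, and the rest of the disk encrypted. DEV and KEYFILE are
# placeholders. Every disk-touching command goes through run(), so with
# DRYRUN=1 (the default here) it only prints the plan; set DRYRUN=0 on a
# FreeBSD box, as root, against the right device, to actually do it.
set -eu

DEV="${DEV:-/dev/ada0p3}"                    # provider to encrypt (placeholder)
KEYFILE="${KEYFILE:-/boot/keys/ada0p3.key}"  # only used in keyfile mode
DRYRUN="${DRYRUN:-1}"
name="${DEV##*/}"                            # "ada0p3", used in loader.conf names

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# geli_setup MODE
#   passphrase: -b attaches the provider during boot and the kernel prompts
#               for the passphrase on the console, so someone must be there.
#   keyfile:    -P (no passphrase) plus -K keyfile lets the box boot
#               unattended, but the key then sits in plaintext in the
#               unencrypted /boot, which is the "keys are on the machine
#               itself" objection raised earlier in the thread: a thief who
#               takes the disk takes the key with it.
geli_setup() {
    case "$1" in
        passphrase)
            run geli init -b -e AES-XTS -l 256 -s 4096 "$DEV"
            run geli attach "$DEV"
            ;;
        keyfile)
            run dd if=/dev/random of="$KEYFILE" bs=64 count=1
            run geli init -b -e AES-XTS -l 256 -s 4096 -P -K "$KEYFILE" "$DEV"
            run geli attach -p -k "$KEYFILE" "$DEV"
            ;;
        *)
            echo "usage: geli_setup passphrase|keyfile" >&2
            return 2
            ;;
    esac
    # the filesystem goes on the .eli device, never on the raw provider
    run newfs -U "${DEV}.eli"
    # keep the GELI metadata somewhere safe: if it is lost the data is gone
    run geli backup "$DEV" "/boot/${name}.eli.backup"
}

# loader_conf_lines MODE: what the unencrypted /boot/loader.conf needs so the
# kernel can attach the provider before it mounts root
loader_conf_lines() {
    printf 'geom_eli_load="YES"\n'
    if [ "$1" = keyfile ]; then
        printf 'geli_%s_keyfile0_load="YES"\n' "$name"
        printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$name" "$name"
        printf 'geli_%s_keyfile0_name="%s"\n' "$name" "$KEYFILE"
    fi
}

if [ "${1:-}" = plan ]; then
    geli_setup "${2:-passphrase}"
    loader_conf_lines "${2:-passphrase}"
fi
```

    Since the pfSense text installer does not expose any of this (the point of the thread), the realistic sequence is to run these steps from a FreeBSD shell against the target disk, put the filesystem and the pfSense root on `${DEV}.eli`, and keep the loader.conf lines in the small unencrypted /boot partition. Which mode to pick is exactly the trade-off discussed above: the passphrase mode is the only one where a stolen disk is actually useless to the thief, and it is also the one that needs a person (or something like Mandos) at the console after every power cycle.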


  • LAYER 8 Global Moderator

    Other than the CA private key, which does not have a password but does not need to be stored on pfSense if that is really a concern, what passwords would be stored on pfSense in the clear that could compromise the integrity of the network? I am honestly curious about this thought process.

    Is the pfSense admin password stored in the clear? Let's say it was; to gain access to this, wouldn't the box already have to be compromised, or someone have physical access to it? So wouldn't the security already be compromised?

    Are you saying that users' VPN or cert passwords are stored in the clear?



  • @oldparrothead:


    As a former bank employee, I know that hackers with nothing else to do simply find this stuff a challenge (admit it....)

    So, back to the original point, is there a know way to install pfSense to encrypt the hard drive? Without using a Virtual Machine?

    Thanks,

    Tom

    Disk encryption is not a defense against hackers. When the machine is up and running the contents are accessible to any hacker who finds their way in.

    Disk encryption only protects the contents of an off system, typically in the case of physical theft.

    Please note.  I'm not arguing against the value of pfSense disk encryption.  Just pointing out that it is not a hacker defense for an up and running system.

    Depending on packages, logging, type of business, etc. it is probably reasonable that sensitive data could be on the system that should be protected in the case of physical security breach and theft.

    Perhaps off loading the storage logs, etc. could be a solution.

    Regarding the need to be present to enter a passphrase to reboot: this is only the case if the encryption cannot make use of a TPM or such. Merely being able to boot the machine does not provide a thief access to the contents; they would still need valid user credentials. But the encryption, even with a TPM to unlock, prevents the drive from being slaved to another system to gain access.

    And by the way, probably any government agency that would physically take your equipment can coerce you or some other employee to divulge the passphrase.

    Just some things to think about when pondering what it is you are trying to protect and from whom and in what circumstances.


  • Netgate Administrator

    Sometimes it's easier and quicker to just do something that you've been instructed to do even if you know it's not going to help one iota. That assumes of course that it isn't going to actually make things worse.  ;)

    Steve



  • @stephenw10:

    Sometimes it's easier and quicker to just do something that you've been instructed to do even if you know it's not going to help one iota. That assumes of course that it isn't going to actually make things worse.  ;)

    Steve

    Yup.  It's no wonder so many companies, organizations and gov. agencies, do so many dumb things.

    Those giving the marching orders aren't the ones with the knowledge, just simply those with the power and political influence, etc.



  • @johnpoz:

    Other than the CA private key (and other private keys and shared keys) which does not have a password - but does not need to be stored on pfsense if that is really a concern.

    Is there a way to encrypt and password protect the CA private key if using the native pfSense CA?  Ideally I would have a separate physical keyserver that's 100% offline, but that's a project for another day.

    And also, ideally, I would offload a lot of the logs to another log server or repository, but that's also a project for another day.

    I'm still very interested in implementing GELI full-disk encryption (with manual passphrase entry every reboot) to help mitigate physical theft from some meth-head burglar breaking into my house.  I think most people are fully aware that any mounted encrypted disk, container, or partition – while running -- is transparently and fully in the clear.  I think those of us interested in full-disk encryption are merely trying to mitigate physical theft from common thieves.

