OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: mnaim on August 26, 2021, 03:48:59 pm

Title: Full disk encryption network unlock
Post by: mnaim on August 26, 2021, 03:48:59 pm
Hi,

Is it possible to implement this kind of network unlock for full disk encryption?

An OPNsense firewall is full of passwords, private keys, VPN passphrases etc., so stealing a box or VM is a big risk.
But a firewall with pre-boot auth is a problem, because an unattended reboot will render the network unreachable.

The solution is pretty simple, like Tang in the Linux world - https://semanticlab.net/sysadmin/encryption/Network-bound-disk-encryption-in-ubuntu-20.04/

Is it possible to implement somehow?

Thanks
Title: Re: Full disk encryption network unlock
Post by: schnipp on August 26, 2021, 05:08:33 pm
Using Tang is a good solution in big companies where the Tang server could be physically separated at another location. Placing the Tang server next to the OPNsense does not improve security. But indeed, stealing the box can be a big risk and can cause sleepless nights.

Edit:
I am looking for a similar solution which can be used at home, but I don't have an idea so far.
Title: Re: Full disk encryption network unlock
Post by: jimjohn on August 26, 2021, 06:54:13 pm
Dropbear with SSH server to unlock encrypted LVM over SSH? Not quite what you were asking but maybe a help.
Title: Re: Full disk encryption network unlock
Post by: schnipp on August 26, 2021, 09:20:56 pm
Dropbear with SSH server to unlock encrypted LVM over SSH? Not quite what you were asking but maybe a help.

This solution is already in place for the home server. But, for the primary network gateway (OPNsense) this does not make sense. Remote pre-boot authentication needs a network connection to the internet, which is not available at that time.
Title: Re: Full disk encryption network unlock
Post by: mnaim on August 27, 2021, 01:44:05 am
Tang could run anywhere, from a small VPS (over the internet, yes it is secure) to a Raspberry Pi Zero for $10 at home hidden in a closet :)
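To make the thread's Tang discussion concrete, here is an added illustration (not code from the forum, OPNsense or the Tang project) of the blinded key-exchange that Tang/Clevis binding rests on: the client keeps only a public half on disk, the server never learns the disk key, and without the real server the key cannot be reconstructed. Real Tang uses elliptic-curve keys; this uses the same algebra in a multiplicative group with demonstration-only parameters, and all class and function names are my own.

```python
import secrets

# Demonstration-only group parameters (NOT a production DH group):
# P is the Mersenne prime 2^127 - 1, G is a fixed base element.
P = (1 << 127) - 1
G = 3


class TangServer:
    """Holds the long-term private key s and advertises g^s. It never sees K."""

    def __init__(self):
        self._s = secrets.randbelow(P - 2) + 1  # private key s, stays on the server
        self.public = pow(G, self._s, P)        # advertised value g^s

    def recover(self, x):
        # The only operation the server ever performs: raise the blinded value to s.
        return pow(x, self._s, P)


def provision(server_public):
    """Client side of binding: derive K and keep only g^c (the public half)."""
    c = secrets.randbelow(P - 2) + 1
    key = pow(server_public, c, P)   # K = (g^s)^c, would wrap the disk key
    stored = pow(G, c, P)            # g^c is all that remains on the encrypted host
    # c and K are discarded after wrapping; K is only recoverable via the server.
    return key, stored


def recover(server, server_public, stored):
    """Client side of unlock: blind g^c with g^e so the server learns nothing about K."""
    e = secrets.randbelow(P - 2) + 1
    x = (stored * pow(G, e, P)) % P                # g^c * g^e sent to the server
    y = server.recover(x)                          # server returns g^(sc) * g^(se)
    unblind = pow(pow(server_public, e, P), -1, P) # (g^s)^(-e), computed locally
    return (y * unblind) % P                       # g^(sc) = K


def demo():
    """True if the real server recovers K and a different server does not."""
    server = TangServer()
    key, stored = provision(server.public)
    ok = recover(server, server.public, stored) == key
    # A box stolen away from its Tang server cannot recover K from g^c alone;
    # any other server's answer yields an unrelated value.
    other = TangServer()
    bad = recover(other, other.public, stored) != key
    return ok and bad
```

The check in `demo()` is the property schnipp's point depends on: the unlock works only while the legitimate Tang server is reachable, so a Tang server sitting next to the firewall is stolen along with it.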