Dear all, I would like to have LUKS whole disk encryption on an OPNsense box. How can I achieve it? Is there any similar mechanism for HardenedBSD?
There is GELI for that. You would need to perform a manual FreeBSD installation, then use the bootstrap method to install OPNsense on top.
https://freebsdfoundation.org/wp-content/uploads/2019/11/Configuring-Full-Disk-Encryption.pdf
https://github.com/opnsense/update/tree/master
Any other encryption method directly from the OPNsense installation?
You could use self encrypting drives (SEDs).
Quote from: peterwkc on November 27, 2024, 08:33:51 AM
Any other encryption method directly from the OPNsense installation?
If there was, I would have told you ;)
Install FreeBSD 14.1-RELEASE with GELI, bootstrap OPNsense.
Run OPNsense in a VM on Proxmox, and do encryption there, perhaps?
I wonder what the value would be, though - if someone physically steals your firewall and is able to read the disk, what are you going to lose (besides the hardware)?
The value here is probably a checklist somewhere for compliance.
It's why self encrypting drives exist, just put them in and you can say "Yeah indeed I have encryption thanks"
It's really dead easy. The bootstrap method is a supported way of installing OPNsense and fully documented in the GitHub repo I linked above.
And the FreeBSD HowTo for a GELI based installation is also quite extensive.
Quote from: peterwkc on November 27, 2024, 08:33:51 AM
Any other encryption method directly from the OPNsense installation?
Why are you not happy with GELI?
I installed OPNsense with this months ago. I don't remember exactly how I did it, but I can tell you it was so easy that I didn't find it worth documenting the steps, since it's well documented on GitHub.
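For the compliance-checklist case raised in the thread, a post-install check that the GELI setup is actually in effect can be scripted. The following is an added example, not from any poster or from the OPNsense project; the function names and the sample device names are constructed, and it assumes the usual `/etc/fstab` and `geli status` column layouts.

```shell
#!/bin/sh
# Added example: audit helpers for a GELI-based FreeBSD/OPNsense install.
# Both functions read text on stdin, so they can be fed live output or a
# saved copy. All sample data below is constructed for illustration.

# Print /dev/ entries from fstab-format input that are NOT on a .eli provider.
# msdosfs (the EFI system partition) is skipped: firmware must read it in clear.
# Note: a ZFS root pool does not appear in fstab and must be checked separately.
unencrypted_fstab_devs() {
    awk '
        /^[ \t]*#/ || NF < 3              { next }
        $3 == "msdosfs"                   { next }
        $1 ~ /^\/dev\// && $1 !~ /\.eli$/ { print $1 }
    '
}

# Succeed (exit 0) if provider $1, e.g. ada0p3.eli, is listed as ACTIVE
# in `geli status` text on stdin; fail otherwise.
geli_active() {
    awk -v p="$1" '$1 == p && $2 == "ACTIVE" { ok = 1 } END { exit !ok }'
}

# Constructed sample: encrypted swap, but /var/log left on a plain partition.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/gpt/efiboot0   /boot/efi   msdosfs rw       2     2
/dev/ada0p3.eli     none        swap    sw       0     0
/dev/ada0p5         /var/log    ufs     rw       2     2'

# Constructed sample in the layout printed by `geli status`.
SAMPLE_GELI='      Name  Status  Components
ada0p3.eli  ACTIVE  ada0p3
ada0p4.eli  ACTIVE  ada0p4'

printf '%s\n' "$SAMPLE_FSTAB" | unencrypted_fstab_devs
printf '%s\n' "$SAMPLE_GELI" | geli_active ada0p4.eli && echo "ada0p4.eli is active"
```

On a live system the same functions take `unencrypted_fstab_devs < /etc/fstab` and `geli status | geli_active <provider>`.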