LUKS Encryption

[peterwkc]

Dear all, I would like to have LUKS whole disk encryption on opnsense box. How to achieve it? Is there any similar mechanism for HardenedBSD?

[Patrick M. Hausen]

There is GELI for that. You would need to perform a manual FreeBSD installation, then use the bootstrap method to install OPNsense on top.

https://freebsdfoundation.org/wp-content/uploads/2019/11/Configuring-Full-Disk-Encryption.pdf

https://github.com/opnsense/update/tree/master

[peterwkc]

Any others encryption method directly from Opnsense installation ?

[Monviech (Cedrik)]

You could use self encrypting drives (SEDs).

[Patrick M. Hausen]

Any others encryption method directly from Opnsense installation ?

If there was I would have told  ;)

Install FreeBSD 14.1-RELEASE with GELI, bootstrap OPNsense.

[dseven]

Run OPNsense in a VM on Proxmox, and do encryption there, perhaps?

I wonder what the value would be, though - if someone physically steals your firewall and is able to read the disk, what are you going to lose (besides the hardware)?

[Monviech (Cedrik)]

The value here is probably a checklist somewhere for compliance.

It's why self encrypting drives exist, just put them in and you can say "Yeah indeed I have encryption thanks"

[Patrick M. Hausen]

It's really dead easy. The bootstrap method is a supported way of installing OPNsense and fully documented in the Github repo I linked above.

And the FreeBSD HowTo for a GELI based installation is also quite extensive.

[viragomann]

Any others encryption method directly from Opnsense installation ?

Why are you not happy with GELI?

I installed OPNsense with this months ago. I don't remember how I exactly I did it, but I can tell you, it was as easy, that I didn't found it worth to document the steps, since it's well documented on Github.