FreeNAS with a full-disk encryption

[Artiom N.]

Hello.

I want to install FreeNAS with my own partitioning scheme:

- boot_partition (optional).
- freenas-root -> GELI -> ZFS (mirrored on the second SSD).
- zil_part -> GELI -> ZIL (mirrored on the second SSD).

Is it possible (it's possible with FreeBSD 11, even without separate boot partition) and how to make this?

 

[garm]

FreeNAS isn’t an operating system, it’s an appliance. To give you any value over plain FreeBSD you need to stick to the GUI and the manual.

What you propose require hacking FreeNAS and the GUI will be next to useless for you. The configuration database will work against you.

Stick to the manual or consider building your own system.

 

[Artiom N.]

I need FreeNAS features and FreeNAS GUI, and I don't want to configure FreeNAS manually, but I want to use full-disk encryption.

 

[garm]

As I said, stick to the manual. Disk encryption is explained in 8.1.1.1. Encryption

 

[Artiom N.]

It's about ZFS pool encryption, but I need root-fs encryption.

 

[danb35]

I'm not sure why you think you need encryption of the OS root filesystem, but if that's a requirement, then FreeNAS isn't your solution.

 

[garm]

You have a roaming server? What is the usecase for root at-rest-encryption?

 

[Artiom N.]

I'm not sure why you think you need encryption of the OS root filesystem, but if that's a requirement, then FreeNAS isn't your solution.

Why not? FreeBSD can do this. OMV, based on Debian, can too (I can do this in OMV, because I use full-system encryption on the several machines, but Linux ).
FreeNAS is FreeBSD with GRUB, tweaks, GUI and very poor installer (unlike OMV, which has the full-featured Debian installer).
After the installation I can make my own partition scheme for the system (i.e., I don't want use both SSDs as a mirror for FreeNAS).
Why can't I make a full-system encryption?
Is it difficult because GRUB?

You have a roaming server? What is the usecase for root at-rest-encryption?

This is offtopic, but pool encryption without system encryption is like a palliative (anyone who has access to the my device, can patch the software, even automatically (yes, I have it in the my threat model and I know about hacks, which can I do to pass it, but I don't want to make hacks, because I know the simple straight way: full-system encryption)).

 

[Artiom N.]

You have a roaming server? What is the usecase for root at-rest-encryption?

Second offtopic.
I think, in Russia we know about this comics better than in Sweden, please don't post it here:

 

[joeschmuck]

Why not? FreeBSD can do this.

But FreeNAS is not FreeBSD, it's been customized to run as an application.

Can what you ask be done? Possibly however if you were able to accomplish this, could FreeNAS updates be applied?

Also, is this a feature that TrueNAS would have and it's a paid feature? Maybe you should contact them to find out.

Maybe this could be a feature request as well but you may need to make your case to iXsystems to consider incorporating this feature.

Lastly, I'm not trying to be difficult here or cause irritation, I'm trying to bring up valid points and that is all.

 

[danb35]

Why not?

Because FreeNAS is an appliance, and it's not designed to do this. No doubt it could be coded in there by the devs (or you could fork it yourself to do this), but it isn't part of the present design.

 

[garm]

At rest encryption only makes sense in some cases. Transit of a powered down system, returning broken disks etc. Anyone with physical access to your running server still has full access. And in those cases it’s trivial to remove the boot drives..
It you need to protect the content of the server while running, at rest encryption isn’t enough. You need to encrypt the content In flight, decrypting only on request and in memory. This is best handled on application level, but even securing the application in flight is no trivial matter.

Now I don’t want to put words in the Dev’s mouths, but I have not seen a mission statement or such leaning towards this kind of security. I get the impression FreeNAS is designed for a physically secure server room, at rest encryption only risks your data in that scenario. Pool encryption is only valid as a way of securing the content of the drives after they have been removed from the system.

If you truly need this level of security you need a system without root drives, loading the OS in RAM on boot. Keys stored physically apart from the server. In flight encryption of vital parts of the OS etc. That is a completely different product then FreeNAS in my opinion.

 

[joeinaz]

Would an SED be a simple solution for encrypting the system installation?

 

[Artiom N.]

But FreeNAS is not FreeBSD, it's been customized to run as an application.
Also, is this a feature that TrueNAS would have and it's a paid feature? Maybe you should contact them to find out.

"We make TrueNAS because businesses don’t want to “DIY”".

Maybe this could be a feature request as well but you may need to make your case to iXsystems to consider incorporating this feature.

I think, it will not be very fast. :-/

Can what you ask be done? Possibly however if you were able to accomplish this, could FreeNAS updates be applied?

I think, yes. Because partitioning is a low level. Updates don't need to know about it.

And in those cases it’s trivial to remove the boot drives..

Or remove the flash with a bootloader.

It you need to protect the content of the server while running, at rest encryption isn’t enough. You need to encrypt the content In flight, decrypting only on request and in memory.

In most cases this is an over-complication. Perhaps, if an enemy has a mobile anechoic chamber and the corresponding electronic equipment, it's necessary.
In "standard case", software altering and cold-boot attack prevention is enough.

Would an SED be a simple solution for encrypting the system installation?

What is SED?

 

[joeinaz]

"We make TrueNAS because businesses don’t want to “DIY”".


I think, it will not be very fast. :-/


I think, yes. Because partitioning is a low level. Updates don't need to know about it.


Or remove the flash with a bootloader.


In most cases this is an over-complication. Perhaps, if an enemy has a mobile anechoic chamber and the corresponding electronic equipment, it's necessary.
In "standard case", software altering and cold-boot attack prevention is enough.


What is SED?

SED = Self Encrypting Disk. The disk has hardware encryption built-in to the disk.

 

[Artiom N.]

Hm... It's a variant. Just one question about it: what kind of encryption is used?

 

[Artiom N.]

And, of course, if I'll use it, I need to buy another SSDs. Like, Crucial MX series. Not very good, but it's possible.

 

[Artiom N.]

And one more problem. I have 3 SSDs and if I replace them with SEDs, I'll need to type the password three times.

 

[joeinaz]

A primer on SEDs:

https://www.pugetsystems.com/labs/articles/Introduction-to-Self-Encrypting-Drives-SED-557/

 

[wblock]

ZIL is built-in. Putting SLOG on a GELI-encrypted drive will negate the performance benefits of having a SLOG.

If we knew what this system would be used for, we might be able to make better suggestions.

 

[Artiom N.]

The performance of my system is sufficient for the my purposes. I don't need to discuss use cases of my system, but I have requirement.
FreeNAS can't satisfy it, OpenMediaVault can. OMV provides me mechanism, FreeNAS restricts me by means of far-fetched policies.
Because FreeNAS developers decided, that their system can be used only in two use cases, which they could imagine.
FreeNAS doesn't even have normal installer: you cut off flexible FreeBSD installer and didn't make "Expert mode" option.
I think, I'll use OMV, despite of Linux ZFS implementation is less stable.

 

[wblock]

You say that your use case is not one of the two use cases FreeNAS developers have imagined. The thing is, if you won't describe it, we still won't be able to imagine it, much less decide on devoting resources to implement it. Please help us understand what you want.