For a very long time now, I've tried to encrypt my FreeBSD server. The official FreeBSD does not have any such feature in the installer, and there is no port/script available that I know of that does it. TrueCrypt would've been great, but is not properly supported on FreeBSD.
My current "ugly hack" solution has been to abuse the PC-BSD installer to install FreeBSD on one of my servers, because the PC-BSD installer had this feature up until very recently. It simply allows you to answer: "Yes, I'd like you to encrypt my disk.", and then enter the password. DONE! No nightmare. No hassle. Exactly as it should be.
Whenever I bring this up to Unix/FreeBSD people, I'm told it's "easy" and I can "just follow this guide", and then they link to some FreeBSD handbook section or random outdated blog with a one billion step long "tutorial" full of cryptic, scary-looking commands and "magic numbers" (Where did you get that number from? Should I use the same? Why? Why not? And is that a standard/placeholder device/partition name, or exactly what I should be typing?, etc...).
I have also read the existing questions on Stack Overflow (where I also asked this but received zero replies). They are not helpful. I know of the technologies available. This is not the problem. My issue is the actual practical problem of getting the disk encrypted. Without the (high) possibility that something will mess up, which is the case if I'm going to attempt to follow one of these "guides". They are simply not written in an acceptable manner. They don't explain it properly at all. None of them. Sorry.
My dream answer to this question would be for some FreeBSD developer/hardcore user to reply back with this: "Yeah, sorry about this. We've been trying to fix this for years. Please use this solid, well-tested script for now, and we'll put it into the installer for FreeBSD 9.3: ./encrypt_machine.sh"
I just want to run a solid .sh (or similar) as root, and have it ask me for the password I want to use. And then it does everything on its own. I only have one hard disk, and I just want the damn server encrypted, so that it asks for the password each time it boots. (My ultimate dream would be for the server to not actually ask a human for the password, but to remotely phone home via a heavily encrypted protocol to get the key/permission to boot from my physically trusted machine, but I consider that scenario to be far too good to be true.)
Can you help me? Please read all of this before you do, because otherwise, you are just wasting my and your own time. This is not meant to sound rude, but I know from past experiences that people tend to simply read a random keyword before responding. Maybe this place is different. Hopefully.
I'm fairly sure that there is such a script that I request somewhere out there, tested and solid and safe, but whether it's available is a whole different matter. Personally, I find it completely insane that there is no super-simple, installer-based mechanism to encrypt the entire machine, just like PC-BSD had. (I don't know why they are removing this amazing, obvious feature.)
Thank you so much in advance.