Sane way to encrypt a FreeBSD server?

Status
Not open for further replies.
For a very long time now, I've tried to encrypt my FreeBSD server. The official FreeBSD does not have any such feature in the installer, and no port/script available that I know of that does it. TrueCrypt would've been great, but is not properly supported on FreeBSD.

My current "ugly hack" solution has been to abuse the PC-BSD installer to install FreeBSD on one of my servers, because the PC-BSD installer had this feature up until very recently. It simply allows you to answer: "Yes, I'd like you to encrypt my disk.", and then enter the password. DONE! No nightmare. No hassle. Exactly as it should be.

Whenever I bring this up to Unix/FreeBSD people, I'm told it's "easy" and I can "just follow this guide", and then they link to some FreeBSD handbook section or random outdated blog with a one billion step long "tutorial" full of cryptic, scary-looking commands and "magic numbers" (Where did you get that number from? Should I use the same? Why? Why not? And is that a standard/placeholder device/partition name, or exactly what I should be typing?, etc...).

I have also read the existing questions on Stack Overflow (where I also asked this but received zero replies). They are not helpful. I know of the technologies available. This is not the problem. My issue is the actual practical problem of getting the disk encrypted. Without the (high) possibility that something will mess up, which is the case if I'm going to attempt to follow one of these "guides". They are simply not written in an acceptable manner. They don't explain it properly at all. None of them. Sorry.

My dream answer to this question would be for some FreeBSD developer/hardcore user to reply back with this: "Yeah, sorry about this. We've been trying to fix this for years. Please use this solid, well tested script for now, and we'll put it into the installer for FreeBSD 9.3: ./encrypt_machine.sh"

I just want to run a solid .sh (or similar) as root, and have it ask me for the password I want to use. And then it does everything on its own. I only have one hard disk, and I just want the damn server encrypted, so that it asks for the password each time it boots. (My ultimate dream would be for the server to not actually ask a human for the password, but to remotely phone home via a heavily encrypted protocol to get the key/permission to boot from my physically trusted machine, but I consider that scenario to be far too good to be true.)

Can you help me? Please read all of this before you do, because otherwise, you are just wasting my and your own time. This is not meant to sound rude, but I know from past experiences that people tend to simply read a random keyword before responding. Maybe this place is different. Hopefully.

I'm fairly sure that there is such a script that I request somewhere out there, tested and solid and safe, but whether it's available is a whole different matter. Personally, I find it completely insane that there is no super-simple, installer-based mechanism to encrypt the entire machine, just like PC-BSD had. (I don't know why they are removing this amazing, obvious feature.)

Thank you so much in advance.
 
I did read your whole post. Sorry, I don't have your dream answer, but just a link to an article: Directory encryption using PEFS. As you can tell by the article title, it's not drive encryption, but directory encryption. I mention it because it might be interesting, but also warn you, so you don't waste your time.
 
I deleted your test post, yes. I also deleted a double post. If you get a message your post is held for moderation wait until a moderator releases it.
 
wblock@ said:
In this situation, I would look at how the PC-BSD installer is doing it. I believe their install scripts are sh(1) scripts using pc-sysinstall(8).

I wouldn't know how to begin to check how PC-BSD's installer does it. In either case, I wouldn't feel good relying on that extracted piece of code. Especially as they are apparently removing it...

Is there really nobody who agrees with my situation?
 
I'm having a hard time understanding the problem here.

In your first post you basically state that none of the available documentation fits your needs because they don't explain the process properly. The FreeBSD handbook is most certainly not outdated, and I'm also curious what exactly it is which you don't like about the way both procedures are explained?

It looks pretty straightforward to me; a clear step by step list of things to do.

I'm getting the feeling that your real complaint is that this encryption procedure isn't automated as of yet, which is quite a different issue.

(Edit:)

As to your question as to people agreeing or not, I'm a little indifferent. It's nice if something gets done automatically, but I put more value in having access to information which explains the whole procedure than having my hand held. That doesn't mean I don't value any extra automation, but not enough to consider it a lack of functionality.

Same applies (to some extent) to ZFS. Awesome filesystem, yet not automatically set up by the installer. But there is plenty of information available which explains the whole procedure so in the end nothing stops you from setting up a ZFS only FreeBSD environment. Just not automated.

And that doesn't really bother me at all to be honest.

Because of 2 main reasons: Installation is something you don't do very often. But if you do need to do this, the second reason, then you'll have all the tools available to build such an automated install process yourself.

That's basically all I care for.
 
The new bsdinstall(8) replaced the age old sysinstall(8). The new installer is built a lot more modular so adding things like ZFS or encryption should be possible. This was extremely difficult and painful to do with the old installer. However there's still quite a bit of work to do to get the installer working properly on all the different architectures FreeBSD supports. Once that's done features like ZFS and encryption support can be added. But the current focus is on stability rather than new features.

So, there's really nothing else you can do at this point in time. Either continue to use the PC-BSD installer or invest some time reading and understanding how to do this by hand. Which, in my opinion, isn't really that difficult, it's explained rather well in the handbook. But, if anything's unclear or not understood properly please say so. The handbook is continuously updated and suggestions for improvements are very much appreciated.
 
Firstly, I find this guide is simple and explains what is being done. Is it one of those you considered insufficient?

Secondly, by "encrypting the server" do you mean
  1. running a script that will fully encrypt the hard drive (except the bootloader in /boot), or
  2. installing an encrypted server from scratch?

As far as I know, the first option is close to impossible. You have to back up your data, reinstall the server and restore the data.

PS on the "magic numbers" :): The single problem I've had with the guide above (which is written for 9.0-RELEASE), was the size of the boot partition. The guide suggests
Code:
gpart add -t freebsd-ufs -s 256m -l boot ada0
which is not enough for GENERIC kernel and modules in 9.1-RELEASE. Using -s 512m (i.e. 512 megabytes for the boot partition) is sufficient.
 
marwis said:
Firstly, I find this guide is simple and explains what is being done. Is it one of those you considered insufficient?

Secondly, by "encrypting the server" do you mean
  1. running a script that will fully encrypt the hard drive (except the bootloader in /boot), or
  2. installing an encrypted server from scratch?

As far as I know, the first option is close to impossible. You have to back up your data, reinstall the server and restore the data.

PS on the "magic numbers" :): The single problem I've had with the guide above (which is written for 9.0-RELEASE), was the size of the boot partition. The guide suggests
Code:
gpart add -t freebsd-ufs -s 256m -l boot ada0
which is not enough for GENERIC kernel and modules in 9.1-RELEASE. Using -s 512m (i.e. 512 megabytes for the boot partition) is sufficient.

Yes, that's one of the ones I find unacceptable. Just look at the many instructions. So much could go wrong (and will). I have no interest in any of it. I just want to encrypt my server.

As for your question, I don't really understand what you mean by it. I'm just talking about encrypting the entire drive. It doesn't need to be done "while running". It is preferable if it's done at the installation stage.
 
uyioo5etsh said:
It doesn't need to be done "while running". It is preferable if it's done at the installation stage.
It's actually not even possible to do this on an already installed system. You can't 'convert' a system. If you want to set up encryption it must be done prior to installation.

It involves three steps basically:
  • set up encryption
  • partition the drive
  • install the OS
 
uyioo5etsh said:
Yes, that's one of the ones I find unacceptable. Just look at the many instructions. So much could go wrong (and will). I have no interest in any of it. I just want to encrypt my server.

If you spend some time you can easily convert those many instructions into a script or Makefile. That way you can easily automate and thus recreate the setup. The process will force you to find out how it works. As a benefit that will also teach you how to diagnose and fix errors.

I created a Makefile to automate one of the popular ZFS install procedures by @vermaden. It now does not take me more than 5 minutes to do such an install.

I can understand that people want to encrypt their laptop or home server, so that in case it gets stolen, unauthorized access to the data is prevented. But IMHO for a server in a data center it just complicates things ;)
 
J65nko said:
But IMHO for a server in a data center it just complicates things ;)

Quite the opposite: different groups of people are responsible for different parts of the infrastructure. If you encrypt the root device and all other devices and enforce the passphrase prompt during the boot of a virtual machine, the virtualization administrators, backup administrators and datastore administrators do not see your data. All they can do is read and/or modify the bootloader /boot which should thus be treated with special care. They could also corrupt the encrypted data which would be noticed if the bootloader's integrity is preserved.
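
The post above names the unencrypted /boot as the part that stays readable and modifiable by others. As an added example (not part of the original thread), this POSIX sh script records a SHA-256 manifest of every file under /boot and later reports any difference; the manifest path /root/boot.sha256 and the script name bootcheck.sh are assumptions, with the manifest assumed to live on the encrypted root.

```shell
#!/bin/sh
# Added example: baseline and verify the unencrypted /boot tree.

# Print the SHA-256 of one file with whichever tool is installed.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        sha256sum "$1" | awk '{print $1}'   # GNU coreutils
    fi
}

# boot_manifest DIR: print "hash  ./relative/path" for every regular
# file under DIR, sorted so two runs are directly comparable.
boot_manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done )
}

# boot_verify DIR MANIFEST: return 0 if DIR still matches MANIFEST,
# 1 if any file was added, removed or modified (differences are printed).
boot_verify() {
    tmp=$(mktemp) || return 2
    boot_manifest "$1" > "$tmp"
    if cmp -s "$tmp" "$2"; then
        rc=0
    else
        rc=1
        diff "$2" "$tmp" | sed -n \
            -e 's/^< /missing-or-changed: /p' \
            -e 's/^> /new-or-changed: /p'
    fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: "sh bootcheck.sh baseline" once after installing or
# updating the kernel, "sh bootcheck.sh verify" after each boot.
BOOT_DIR=${BOOT_DIR:-/boot}
MANIFEST=${MANIFEST:-/root/boot.sha256}   # assumed path on the encrypted root
case "${1:-}" in
    baseline) boot_manifest "$BOOT_DIR" > "$MANIFEST" ;;
    verify)   boot_verify "$BOOT_DIR" "$MANIFEST" ;;
esac
```

A check run from the booted system can be hidden by a kernel that was itself replaced, so it is strongest when the comparison is also run from trusted rescue media. Regenerate the baseline after every legitimate kernel or loader update.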
 
I'm not sure what you expect documentationwise on this. The docs being linked here are easy and straightforward and honestly, compared to most technical documentation that I deal with on a daily basis are very well done.

If you're having trouble following simple step through guides then perhaps server administration isn't your cup of tea? Getting irate and demanding that people spoon feed you answers isn't going to get you very far. I think if you spent as much time actually following the guide as you have foaming at the mouth on forums you would have had a measure of success already.
 
Durden said:
If you're having trouble following simple step through guides then perhaps server administration isn't your cup of tea?

Yeah, THAT's an "unexpected" ******* reply...

Durden said:
I think if you spent as much time actually following the guide as you have foaming at the mouth on forums you would have had a measure of success already.

And I think you are just as useless as the "documentation" and "guides" which don't explain anything properly. But that's the "Unix way", as I have come to realize over the many years I've been forced to use this piece of garbage in lack of a better alternative. (Because Unix ruined any chances for real operating systems to thrive and evolve.)
 
So ..
  1. You don't want to read documentation
  2. You don't want an easy summary
  3. You don't want to try an easily executable process
  4. You don't want to invest any time
  5. Any suggestion to solve the issue is unacceptable to you
  6. Any criticism is met with derision and seen as a personal assault
  7. You'd rather not use anything UNIX-based

Why are you on this forum, exactly?
 
SirDice said:
The new bsdinstall(8) replaced the age old sysinstall(8). The new installer is built a lot more modular so adding things like ZFS or encryption should be possible. This was extremely difficult and painful to do with the old installer. However there's still quite a bit of work to do to get the installer working properly on all the different architectures FreeBSD supports. Once that's done features like ZFS and encryption support can be added. But the current focus is on stability rather than new features.

Coincidentally, a committer who has worked on bsdinstall spoke about this exact topic on Wednesday and I think he pretty clearly gives a "dream answer". If you're not interested in bsdinstall you should watch it anyway just to check out his wizard-beard.
 
Durden said:
I'm not sure what you expect documentationwise on this. The docs being linked here are easy and straightforward and honestly, compared to most technical documentation that I deal with on a daily basis are very well done.

If you're having trouble following simple step through guides then perhaps server administration isn't your cup of tea? Getting irate and demanding that people spoon feed you answers isn't going to get you very far. I think if you spent as much time actually following the guide as you have foaming at the mouth on forums you would have had a measure of success already.

Another suggestion is to practice following the steps on a spare machine. I have seen some instructions that take a lot of steps. So it's usually a good idea to try following the instructions on a spare machine or a spare hard drive on my current machine. Sometimes I have a lapse in my mind while following the steps and I just make a mistake; I either make a mental note of my mistake or write a note at a certain step to re-clarify the process. If you just make a mistake on a spare machine then there's no harm to production data. Be sure to test the process so you may understand it better before you do it on a production machine.

Sure, it would be nice to have a sane way for some complex instructions. But for FreeBSD handbook, I'm quite sure the chapters in the handbook have been tested many times. That's good to know as it should be fine to follow the steps.

I like @J65nko's suggestion. If my steps are script-able then I always can create my own script to reduce the time and steps to take.
 
uyioo5etsh said:
Yeah, THAT's an "unexpected" ******* reply...



And I think you are just as useless as the "documentation" and "guides" which don't explain anything properly. But that's the "Unix way", as I have come to realize over the many years I've been forced to use this piece of garbage in lack of a better alternative. (Because Unix ruined any chances for real operating systems to thrive and evolve.)

So what you're saying is that you don't actually want to do anything. How exactly is this supposed to get done? Osmosis? At some point you're going to have to either put your big boy pants on, knuckle under and put in some effort or go play with Windows Server 2012 and pay the 700-5000$ needed to make it happen.

No one is going to spoon feed you here or really anywhere else. Especially with an attitude like yours. Frankly I'm hesitant to even reply as I'm pretty sure you're just some 13 year old forum troll.
 
From one point of view I can understand him. All of you know that I really love FreeBSD, and yes, it is very hard for me. I have been a user since FreeBSD 7 and I still don't know the system well. (Maybe it is because I don't know English very well, and reading for me is something where I just have a quick look. I don't translate things. I try to understand the meaning from the words.) Well, the point, as far as I understood, is not exactly the disk encryption but the non-automated things. It is ridiculous to blame FreeBSD for that, first of all because I use this OS everywhere in my home (except my girlfriend's computer) and second because I cannot blame something when I as a user cannot help to make it better (for lack of knowledge). But me too, I want some things just to work. Sometimes the handbook doesn't give me the answer and I must search for a buried post to tell me. Hey, bro! 6 months now, CUPS is set up just fine. Don't read 50000 config files to find why it is not working. It is just that the printing command is not /usr/bin/lpr but /usr/local/bin/lpr!
Yes. It took me six months to find why my printer was just not printing!!!! I tried all the ways of auto-mounting but none just worked. Some worked for just a few days and then suddenly stopped working. I rarely complain, but yes, I just want some things to be more automated. We are in 2013 and we are going to 2014. We live in a century where technology is tremendous, and the best, strongest and most secure operating system in this world needs a USB stick to be mounted by hand. I must read all the tutorials in this world, post on the forum, send a PR, speak with the maintainer, read the handbook, and hack from PC-BSD just to hope to make my new shiny Bluetooth keyboard work, which I gave all my savings to buy.
I know that the GUI is not and will never be a priority of FreeBSD. I am not against this. But scripts could help some things to be just auto-configured. When you are a business man, you don't have the time to search, post, wait for an answer, etc. You need this and you need it now.
When a company comes and tells you: "I have 10 servers. Put FreeBSD on all of them, set up 10 printers, build Apache, MySQL, etc.", and you have a deadline of one week, you just don't have the time to post on a forum why this is not working and how to make it work. You need the wifi card auto-configured and you need it now. From this point I can understand his anger, but this is not the right way. Screaming and blaming is not helping anyone.
 
Durden said:
So what you're saying is that you don't actually want to do anything. How exactly is this supposed to get done? Osmosis? At some point you're going to have to either put your big boy pants on, knuckle under and put in some effort or go play with Windows Server 2012 and pay the 700-5000$ needed to make it happen.

Wow. You managed to squeeze in both a reference to Windows and a troll accusation in the same post. Amazing. You are one rude person, but that's OK -- you are in good company in Unix circles.

Durden said:
No one is going to spoon feed you here or really anywhere else. Especially with an attitude like yours.

Well, I never...! How dare I ask for a sane way to do things?! What an attitude!

Durden said:
Frankly I'm hesitant to even reply as I'm pretty sure you're just some 13 year old forum troll.

That's alright. I would've survived without your troll post, Mr. 13-year-old. Too bad you did anyway. Oh, well. Your day is not complete if you don't get to derail a discussion or two, I guess.
 
Moderators must lock this thread. Decrying and irony are not the right way to have a discussion, or @uyioo5etsh can be more friendly and receptive if he really needs our help. Maybe not with the "easy way", but there is a way to encrypt the server. Complaining will not solve the problem. This is the only sure thing.

Also
Way 1) Pay a programmer to start scripting for FreeBSD
Way 2) Start scripting on your own to help FreeBSD
Way 3) Accept the current solution, be patient and friendly
Way 4) Make a suggestion with the right way and discuss how to do it better
Way 5) Change OS

There is no other way. Sorry
 
Linux and its respin hell has largely choked out other unique operating systems, but real Unix is not to blame for that and FreeBSD does not fall under the category of Linux, so I don't know why you're bashing FreeBSD.

Encryption on FreeBSD is not that difficult, but you have to spend the time to figure it out. If you can't, you really should be looking at Windows Server or some other commercially supported OS. That's the thing with free software, you're on your own largely. There are lots of tutorials around that you could use to make a script that could automate the process.
 