
Add support for disk encryption during installation
Confirmed, Normal | Public | Feature Request

Description

So far, disk encryption is not supported.

It would be good to have an option for this feature during the installation process.

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.4-rolling-202303150317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

n.fort changed the task status from Open to Confirmed. Mar 15 2023, 11:40 AM
n.fort triaged this task as Normal priority.
n.fort created this task.
n.fort changed Version from - to vyos-1.4-rolling-202303150317.

Can this be accomplished with LUKS?

The problem is how to make sure that the router can boot and reboot (for example "set system option reboot-on-panic" is handy) on its own without somebody having to connect to its console before it starts to function again. Really shitty situation for a remote site, because then somebody needs to visit it as well.

And when doing so (auto boot even with encrypted storage), the keys will normally leak, meaning it will not provide any real protection. It will also not protect the content while the router is up and running and someone who is not authorized manages to bypass the logins to gain access to it (either by physical access, like rebooting the device and accessing password recovery through the boot menu or making their own boot menu, or if an unauthorized user gains access some other way, either through a broken service or through leaked credentials).

Having said that, if a TPM is available then that could be used to automatically provide the decryption key. Another option would be to use some sort of hardware key, either in the form of a YubiKey or similar (however they often also require physical access to the site for the key to give out its secrets) or a USB drive (there are small ones today such as the Samsung Fit Plus and similar) where the secrets could be stored.

It would help the case when the storage gets separated from the box itself, or if the storage suddenly dies and has to be replaced.

There are use cases when it would be ideal to force a password at boot to protect the contents of the configuration. For example, a portable router with sensitive keys meant for temporary network connectivity.

I agree that a lot of routers need to be able to boot on their own, but that doesn't mean a security option should not be available to those who understand that, if it's a remote device that goes down, a physical presence will be required to boot it.

And in that case the attacker would just replace your router with their own, since they already have physical access to the box.

But again, I get that there might be some limited use cases to support this feature and I agree with them.

The feature of using full disk encryption might need the addition to also password-protect the bootloader; Secure Boot might also need to be added as well (along with tweaks of the BIOS/UEFI of the box booting VyOS to not allow other kernels, which could be used to bypass the encryption or to steal the decryption keys (evil maid)).

The risk of just slapping on full disk encryption without doing everything else that's needed is a false sense of security, when the attacker can then bypass the protection or steal the decryption keys.
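A sketch of the TPM-bound LUKS setup raised above, as an added example and not VyOS code or anything posted in this thread: it enrolls a recovery key first (so a firmware or Secure Boot update that changes the measurements does not strand a remote site), then seals the volume key to PCR 7 (UEFI Secure Boot state) with systemd-cryptenroll, so the box reboots unattended but a swapped bootloader or kernel does not get the key. It assumes systemd 248 or newer, a TPM 2.0 exposed at /dev/tpmrm0, and a placeholder device path.

```shell
#!/bin/sh
# Added example (not VyOS code): unattended LUKS2 unlock via TPM 2.0,
# bound to PCR 7 (UEFI Secure Boot policy). Device paths are placeholders.
set -eu

# Validate a PCR selection such as "7" or "7+4": digits 0-23 joined by '+'.
valid_pcrs() {
  spec=$1
  case $spec in
    ''|*[!0-9+]*|+*|*+|*++*) return 1 ;;
  esac
  old_ifs=$IFS; IFS='+'
  for pcr in $spec; do
    [ "$pcr" -le 23 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
}

# Build the /etc/crypttab line: the initrd asks the TPM for the key and falls
# back to a passphrase/recovery-key prompt if the PCR policy does not match.
crypttab_line() {
  name=$1; uuid=$2; pcrs=$3
  valid_pcrs "$pcrs" || return 1
  printf '%s UUID=%s none luks,tpm2-device=auto,tpm2-pcrs=%s\n' \
    "$name" "$uuid" "$pcrs"
}

# Enroll on a real device (run as root). Keep the printed recovery key
# offline: it is the only way back in if PCR 7 changes (firmware update,
# Secure Boot key rollover) and the TPM refuses to unseal.
enroll_tpm2() {
  dev=$1; pcrs=${2:-7}
  [ -e /dev/tpmrm0 ] || { echo "no TPM 2.0 device found" >&2; return 1; }
  systemd-cryptenroll --recovery-key "$dev"
  systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto \
                      --tpm2-pcrs="$pcrs" "$dev"
  crypttab_line cryptroot "$(blkid -s UUID -o value "$dev")" "$pcrs"
}

# Usage: ./tpm-enroll.sh --enroll /dev/sda2 7   (prints the crypttab line)
if [ "${1:-}" = "--enroll" ]; then
  enroll_tpm2 "$2" "${3:-7}"
fi
```

Binding to PCR 7 alone protects against a foreign bootloader only while Secure Boot is enforcing; locking the firmware setup with a password, as suggested above, is what keeps an attacker from simply switching it off.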

A workaround in the meantime:

Remove the hard drive from the device and boot from a high-assurance full disk encryption device such as:

https://istorage-uk.com/product/datashur-pro2/

The above will also protect from brute-force attacks by deleting itself after 10 (configurable) unsuccessful attempts to put in the correct key.

Since it also has its own PIN pad, it is protected even if the device itself has been taken over (keylogging). There is also the possibility to have both a read/write PIN as well as a read-only PIN.

When you unplug the drive from the device it will lock itself (like if shit hits the fan: unplug the drive, power-cycle the device and run, and there is nothing of value left on the site).