Full disk encryption - any hardware

Does enabling a password for the drive from the BIOS enable encryption?

That's what it's there for.

No, that's right, you didn't. You just said

If driving up to the remote location and entering the passphrase manually via a keyboard is acceptable for OP, then a modern UEFI-enabled PC with SSD-encryption enabled is probably the least bad option, but whether that is acceptable or not is up to OP.

and then left it up to the reader to figure out that this isn't the only solution.

How the heck am I supposed to know that you have a solution you don't want to share? If you don't want me to object to your negative problem focused style, then try to be more positive. Give us solutions.

Are those really so secret that hardware encryption matters? I don't know for WireGuard, since I don't use it to begin with, for security reasons.
But doesn't WireGuard have its own config file?

The OpenVPN config file can be encrypted with a password if you really want to.

But if someone steals your router then you probably want to change the crypto keys anyway.

I'd argue that if OP wants to go through all that effort, they should first secure the hardware anyway: a full metal case that can be locked and can't really be opened without metal-cutting tools, bolted from inside the case to the floor/wall/ceiling or similar that would also require either cutting the case apart or cutting the floor/ceiling/wall.


This isn’t a new question on the forum.

There is a reason the real businesses that take information security seriously have network operations centers/rooms/cabinets that are like Fort Knox, with physical access management, intrusion indication and alarms.

It is always impossible to secure the actual network hardware, so you must control the physical access instead.

For example, what happens if the bad boys gain access over serial without rebooting, make a RAM dump of the unencrypted firmware config and crypto key files, and then install new firmware that hard-bricks your encrypted router?

Then the bad boys still have "the secret" information and the OP needs to buy new hardware.


No, all the wireguard config is in /etc/config/network so anyone with access would be able to get the private key for any local WG interface or public keys for any peers. But as you point out, encryption would only help anyway in cases where the router isn't running.

Out of curiosity though, what are the security reasons for not using WireGuard?
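The post above points out that the WireGuard private key sits in clear text in /etc/config/network. As an added example (not from the thread or from OpenWrt itself), here is a small audit script that parses UCI syntax and reports which sections hold key material; the config text is a constructed sample with placeholder keys, and the function names are this example's own.

```python
"""Audit an OpenWrt UCI config for WireGuard key material stored in clear text.

Added example, not code from the forum thread or from OpenWrt. It parses the
UCI format used by /etc/config/network (config / option / list lines) and lists
the sections that carry private or preshared keys, i.e. exactly the material
that anyone with access to a powered-on, unencrypted box can read directly.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of /etc/config/network; the key values are placeholders, not real keys.
SAMPLE_UCI = """
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'PLACEHOLDER_PRIVATE_KEY_NOT_REAL='
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option public_key 'PLACEHOLDER_PEER_PUBLIC_KEY='
        option preshared_key 'PLACEHOLDER_PRESHARED_KEY='
        list allowed_ips '10.0.0.2/32'
        option endpoint_host 'vpn.example.invalid'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
"""

# UCI option names that hold secret key material for WireGuard interfaces and peers.
SECRET_OPTIONS = {"private_key", "preshared_key"}

# "config <type> ['name']" with the optional name in single quotes, double quotes, or bare.
_CONFIG = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)'|\s+\"([^\"]*)\"|\s+(\S+))?\s*$")
# "option|list <key> <value>" with the value in single quotes, double quotes, or bare.
_OPTION = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))\s*$")


@dataclass
class Section:
    type: str
    name: Optional[str]
    options: Dict[str, str] = field(default_factory=dict)
    lists: Dict[str, List[str]] = field(default_factory=dict)


def parse_uci(text: str) -> List[Section]:
    """Parse UCI text into sections; comments and blank lines are skipped."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CONFIG.match(line)
        if m:
            name = m.group(2) or m.group(3) or m.group(4)
            current = Section(type=m.group(1), name=name)
            sections.append(current)
            continue
        m = _OPTION.match(line)
        if m and current is not None:
            kind, key = m.group(1), m.group(2)
            # Exactly one of the three value groups matched; pick the non-None one.
            value = next(v for v in m.group(3, 4, 5) if v is not None)
            if kind == "option":
                current.options[key] = value
            else:
                current.lists.setdefault(key, []).append(value)
    return sections


def section_label(sec: Section) -> str:
    return f"{sec.type} '{sec.name}'" if sec.name else sec.type


def redact(value: str) -> str:
    """Keep only a short prefix so a report never re-leaks the full key."""
    return value[:4] + "..." if len(value) > 4 else "..."


def find_plaintext_secrets(sections: List[Section]) -> List[Tuple[str, str, str]]:
    """Return (section, option, redacted value) for every secret stored in clear text."""
    findings = []
    for sec in sections:
        for key, value in sec.options.items():
            if key in SECRET_OPTIONS and value:
                findings.append((section_label(sec), key, redact(value)))
    return findings


if __name__ == "__main__":
    for label, key, shown in find_plaintext_secrets(parse_uci(SAMPLE_UCI)):
        print(f"{label}: {key} = {shown}")
```

On a real device the same parser can be pointed at the contents of /etc/config/network; the report only ever shows a redacted prefix, so it can be pasted into a ticket without re-exposing the key.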

It said the VPN tunnel was active and the speed was as fast as without the VPN tunnel. That's because it didn't use the tunnel; it only said it used the tunnel.

I think a reasonable use case for full disk encryption is that when I want to repair/replace my router, it will be turned off and out of my control.

I like the conversation a lot but we can build use cases all day and I feel like the use cases will have the (security) advantage.

You won't be able to convince me not to use full disk encryption here, given the option, because this is why I made the topic. I want to get some test speeds, some benchmarks, try and hack my own stuff and possibly tell you the results and how you can fully encrypt your own hardware if you choose.
Will I disable it a week after seeing my router run hot? After a few disk failures because the memory overflowed and my hard drives stayed hot 24/7 (I use hd-idle)? After I get 28,800 bps because of encryption? Probably, but that's a different thread.

I wasn't trying to convince you not to do it, but rather discussing the pitfalls. Besides which, I can't think of any reasonable way of doing it other than going to the device yourself, manually checking that it's untampered with, and then entering the password.

If it were me, I'd instead secure the physical hardware to the best of my ability and budget and assign unique DDNS etc. credentials to each device, instead of using the same credentials on multiple devices. But oh well, each to their own.

The following may be incomplete and have inaccuracies, but it is shared in good faith to try to be helpful.

I haven't done it, but it might be possible to fully encrypt the filesystems without fully encrypting all data in memory or the CPU registers etc. Using a modern x64 motherboard with TPM2 and UEFI/Secure Boot, you could look into using an intermediate bootloader like rEFInd or systemd-boot, or even GRUB2, that supports encryption of the / (root) and /boot filesystems of the target OS. The encryption key for the filesystems can be enrolled into the TPM2 chip for automatic de/encryption at boot time. On installation, you generate all necessary cryptographic keys and hashes etc., enroll the appropriate parts into the TPM chip and have the necessary binaries available to the bootloader. You can use an offline live system with all the needed EFI and bootloader updater apps and signing keys to re-sign updates and enroll the new pieces in the TPM on each OpenWrt update. You then re-lock the UEFI and have a complete chain of trust based on your own signing keys and not those included by Microsoft. The bootloader system itself wouldn't be encrypted, but it doesn't contain sensitive info of OpenWrt and gets cryptographically signed and enrolled into Secure Boot / TPM. Secure Boot cryptographically verifies the bootloader files and won't boot into the bootloader if the check fails, indicating a modification.
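The post above relies on the TPM releasing the disk key only when the measured boot chain matches what was enrolled. As an added example (not from the thread, and not a real TPM or bootloader), the following stdlib-only model reproduces the PCR extend rule real TPMs use, PCR_new = SHA-256(PCR_old || SHA-256(component)), and seals a key to the resulting PCR value so that any modified or reordered boot component makes unsealing fail. The component byte strings, the disk key and the function names (measure_chain, seal_key, unseal_key) are this example's own constructions.

```python
"""Model of TPM2 PCR measurement and sealing a disk key to the measured boot chain.

Added example, not from the forum thread. A real TPM keeps the PCRs in hardware
and performs the sealing itself; this model only reproduces the arithmetic so
the property the post depends on is visible: changing any measured component
(firmware, bootloader, kernel image) changes the PCR and the key is not released.
"""
import hashlib
import hmac
from typing import List, Optional

# PCRs start at all zeros; SHA-256 bank, so 32 bytes.
PCR_INITIAL = bytes(32)

# Constructed stand-ins for the measured boot components (real ones are the file contents).
GOOD_BOOT: List[bytes] = [
    b"uefi-firmware-v1",
    b"refind-bootloader-signed-v1",
    b"openwrt-combined-efi-v1",
]
# Same chain with the bootloader replaced, as after a physical tamper.
TAMPERED_BOOT: List[bytes] = [GOOD_BOOT[0], b"refind-bootloader-modified", GOOD_BOOT[2]]

# Constructed 32-byte disk key and fixed nonce; not real secrets.
DISK_KEY = hashlib.sha256(b"constructed example disk key, not real").digest()
NONCE = b"\x01" * 16


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2 PCR extend: the register becomes H(old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components: List[bytes]) -> bytes:
    """Extend the PCR with each component in boot order; order matters."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def seal_key(disk_key: bytes, pcr_value: bytes, nonce: bytes) -> bytes:
    """Seal a 32-byte key to a PCR value: keystream and integrity tag are both keyed by the PCR."""
    assert len(disk_key) == 32 and len(nonce) == 16
    pad = hmac.new(pcr_value, b"pad:" + nonce, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hmac.new(pcr_value, b"tag:" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal_key(blob: bytes, pcr_value: bytes) -> Optional[bytes]:
    """Return the key only if the current PCR equals the one sealed against; else None."""
    nonce, ciphertext, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(pcr_value, b"tag:" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # a real TPM refuses to unseal here
    pad = hmac.new(pcr_value, b"pad:" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


def reseal_after_update(disk_key: bytes, new_components: List[bytes]) -> bytes:
    """The re-enrollment step the post describes for each OpenWrt update."""
    return seal_key(disk_key, measure_chain(new_components), NONCE)


if __name__ == "__main__":
    blob = seal_key(DISK_KEY, measure_chain(GOOD_BOOT), NONCE)
    print("good chain unseals:", unseal_key(blob, measure_chain(GOOD_BOOT)) == DISK_KEY)
    print("tampered chain unseals:", unseal_key(blob, measure_chain(TAMPERED_BOOT)) is not None)
    updated = GOOD_BOOT[:2] + [b"openwrt-combined-efi-v2"]
    print("old blob after update:", unseal_key(blob, measure_chain(updated)) is not None)
    print("resealed blob after update:",
          unseal_key(reseal_after_update(DISK_KEY, updated), measure_chain(updated)) == DISK_KEY)
```

The last two lines of the demo show the maintenance cost the post mentions: a kernel update changes the measurement, so the key must be resealed from the offline utility system before the new image will boot unattended.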

My concerns about ram are about 10%, I will find a way later.

I believe collectively we can agree I will have to use the file that ends in combined-efi.img.gz

"Are you referencing parted magic live?"

Is it stupid to ask if future routers will have TPM?

TPM is really PC-hardware. Embedded devices typically use their own solutions, if they provide such features, like e.g. many microcontrollers and microprocessors allow for saving various kinds of credentials inside the chip in a low-capacity internal flash and using those for encryption and tamper-resistance -- there is no standard, though, and each manufacturer does things their own way.

If it's out of your control, the malicious person could simply turn it on.

Good conversation, though.

However, without the decryption key, no one could turn it on.

Maybe I missed that part of the conversation...but then I'm lost on how the router works (as a router, that is) for the owner.

My bad, carry on...

I was thinking about this very issue the other day.
There are many scenarios I can imagine where you'd want such a feature.

Some ideas of what's possible today

  • run OpenWrt as a Guest VM on Linux/OS that can do full disk encryption

  • settle for just encryption of the config, use a usb drive such as the Kingston DT2000 to keep the configs and have a script to load them post boot or drive detection

  • use products from zymbit, if you're on a Pi or similar

In my case I trust the user of the HW but need to ensure that if it gets removed from its location (powered off) then it cannot come back online without a trusted user to enter the code.

No. I referred to an "offline live system" as a bootable system with the utility programs and signing keys etc. on removable media, so that the tools and keys needed to make secure changes to the installed router system are not on the router system and therefore not available to an attacker. The TPM, UEFI and file signing utility programs might not be available for running on OpenWrt, and running them on a (probably full desktop Linux distro) utility system makes management possible, or perhaps quicker to implement and easier to maintain, than trying to port those programs to run on OpenWrt.

As an addition: if you enroll the utility system into Secure Boot on the router you could have two-way verification. When you boot into the utility system, Secure Boot verifies it. You can use utilities and your offline signing keys, hash values etc. with the utility system to verify that the router system and the firmware Secure Boot / UEFI data have not been tampered with.

I presented the idea of looking into Secure Boot after others replied that there isn't a way to encrypt the disk/files and keep the encryption keys private/secure. Secure Boot offers a lot of protection for that on desktop PC type system boards. No system that can be physically accessed is secure from physical attacks at the circuit level.