# FreeBSD full disk encryption install and package repository



## zero_devide (Jul 27, 2013)

Hi every body.

Well, I've been for a while a FreeBSD desktop user.

But, due to several networking problems (buggy WiFi and network card drivers; prevalent port building for security purpose with a little configuration, I had to leave FreeBSD for GNU/Linux Distribution (Primary Debian).

But, I hate how Linux distributions are.


     Configuration files are scattered.
     To use the latest version of programs, we usually must use some buggy version.
     There is no real complete documentation.
     It's very hard to learn something, because of no centralized official documents.
     People are mostly arrogant.
 
So, I would like to return to FreeBSD with my "new" configuration, but before installing FreeBSD, I would like to know if some problems are solved, and if it's easy to do several things:


     Is there a real package manager now in FreeBSD, with package up to date? I mean, really up to date repository, like Debian, so that it's not required anymore to build package. (avoid to consume huge time and SSD life)
     Are Core i5 2500k and Z68 intel chipset well supported?
     How is the HD3000 graphics support?
     How is the SSD support? Is trim supported?
     Is AES Core i5 2500k usable in full disk encryption?
     Is it possible to make a full encrypted install, I mean, during the first installation of FreeBSD?
     Is it possible to make a "trim encrypted installation"?
     Where can I find a documentation for a full encrypted install?
 
Thanks.


----------



## wildtollwut (Jul 27, 2013)

There are various package management tools readily available. If the PACKAGESITE environment variable is properly set (e.g. to a 9-STABLE server) you will get reasonably "fresh" packages. I hardly ever build ports with the notable exception of needing custom settings for a few.

Trim is supported since 9.0, however to my knowledge SSDs and full-disk encryption still don't play too well with each other.

A full-disk encryption can be done via GELI, just search for "FreeBSD GELI encryption" plus some additional keywords to obtain a number of good tutorials.

Whether or not your respective goals are "easy" to achieve is not easily answered as it largely depends on your knowledge level and willingness to learn. I can't remember any larger obstacles and usually the features are, if present in FreeBSD, very mature.


----------



## zero_devide (Jul 27, 2013)

> There are various package management tools readily available. If the PACKAGESITE environment variable is properly set (e.g. to a 9-STABLE server) you will get reasonably "fresh" packages. I hardly ever build ports with the notable exception of needing custom settings for a few.



But, are packages updated for security purpose when ports are? Because when I used FreeBSD in the past, ports were updated, but packages were not. So I always had to build package for security reasons. Today, with an SDD and encrypted installation, I would like to avoid it (in order to protect the lifetime of my SSD, and avoid time consumption).



> Trim is supported since 9.0, however to my knowledge SSDs and full-disk encryption still don't play too well with each other.


Does it mean it's not possible, or too risky? So it would mean that I have to leave a FreeBSD installation, until SSDs and full-disk encryption are supported.

And when I ask for the ease of some things, I mean, the update of package with a real up-to-date repository (avoid as much as I can port building), and the SSD trim encrypted installation.

Thanks.


----------



## zero_devide (Jul 27, 2013)

It seems, there is no trim support on GELI volumes:

https://groups.google.com/forum/#!searc ... 5kgsxjqyQJ

Well, the question remains whether packages are really updated for security purposes like ports are, and Intel HD3000 hardware support.


----------



## rusty (Jul 27, 2013)

*SSD wear and tear*

On a 128 GB SSD with 12 GB set aside for the OS and writing 7 GB to disk every day, it would take 422 years to wear out the SSD. A Samsung 840 Pro is guaranteed for 5 years @ 40 GB writes/day.
Building packages with ports-mgmt/poudriere is an alternative, a build instance per core speeds things up nicely and one could also configure it to build everything in RAM if SSD wear was still a concern.


----------



## zero_devide (Jul 29, 2013)

*Correction of my previous post*

Thank you @rusty, but I peeked at https://fossil.etoilebsd.net/poudrie...doc/index.wiki, but I see nowhere a package repository. So I do not understand why building packages with ports-mgmt/poudriere could be an alternative?

So ok, compiling does not hurt an SSD. But what kind of performance impacts of complete disk encryption, on a system during building package, can I expect? Because without a real package repository up-to-date, I will have to build packages to keep my system safe, whenever there will be a security update... And it often happens when we use a desktop oriented OS. Which leads to a too big loss of productivity. (I should stop using potentially dangerous packages (for example X.Org, xserver, Firefox, LaTeX) and wait to create them from source, each time there is a security update.)

So if I understand, there is still no up-to-date package repository with FreeBSD?

Looks like I'll have to stay on Debian :s


----------



## kpa (Jul 29, 2013)

zero_devide said:
			
		

> Thank you rusty, but I peeked at https://fossil.etoilebsd.net/poudrie...doc/index.wiki, but I see nowhere a package repository. So I do not understand why building packages with ports-mgmt/poudriere could be an alternative?



It is for building the packages yourself with the advantage of using a jail(8) to have a clean build environment and automated package repository creation. Official PKGNG package repositories are not yet here because the scarce resources are still being split between the old format repositories that are ATM still the priority and the PKGNG format that is still in beta.


----------



## SirDice (Jul 30, 2013)

zero_devide said:
			
		

> So ok, compiling does not hurt an SSD. But what kind of performance impacts of complete disk encryption, on a system during building package, can I expect?


Why on earth would you do that on an encrypted filesytem? I mean, what are you trying to protect?



> Because without a real package repository up-to-date, I will have to build packages to keep my system safe, whenever there will be a security update... And it often happens when we use a desktop oriented OS. Which leads to a too big loss of productivity. (I should stop using potentially dangerous packages (for example X.Org, xserver, Firefox, LaTeX) and wait to create them from source, each time there is a security update.)


When there's an update you tell poudriere to update and it'll start building. Once it's done building it's about a 5 minute job to update the packages on a client. Which you obviously tested on a test machine. Why would that cause a big loss of productivity?


----------



## wblock@ (Jul 30, 2013)

zero_devide said:
			
		

> Is there a real package manager now in FreeBSD, with package up to date? I mean, really up to date repository, like Debian, so that it's not required anymore to build package. (avoid to consume huge time and SSD life)



Work is going on to get PKGNG repositories up. I don't know when they will be online, but suspect sooner rather than later.

Compiling ports is relatively infrequent.  On the other hand, GELI disks always have CPU overhead, and it would be surprising if it does not slow the speed of an SSD.  So the performance concern seems kind of confused.


----------



## zero_devide (Aug 1, 2013)

> Why on earth would you do that on an encrypted filesytem? I mean, what are you trying to protect?


Are you kidding?



> When there's an update you tell poudriere to update and it'll start building. Once it's done building it's about a 5 minute job to update the packages on a client. Which you obviously tested on a test machine. Why would that cause a big loss of productivity?



It's simple, if there is a real up-to-date repository, there are far fewer steps.

Moreover, I repeat, ports building is time consuming, because I have to wait for the end of port building before using my PC or a program, otherwise, particularly in the case of a security update, I take the risk to use my system with vulnerable programs.

Do you understand? Not _installing_ packages leads to a too big loss of productivity, but _building_ packages.

Besides, how are you all doing in this case? Do you continue to use malicious software, or you stop using your PC?



> Compiling ports is relatively infrequent



Well, so there is no security update? Never? 
Anyway, when I used FreeBSD in the past, updates, including security updates, were very frequent.



> On the other hand, GELI disks always have CPU overhead, and it would be surprising if it does not slow the speed of an SSD.


I'm running Debian GNU/Linux with encrypted LVM and TRIM support, the impact of encryption is invisible relative to a system without encryption.



> So the performance concern seems kind of confused.


Sorry I do not understand :s


----------



## wblock@ (Aug 1, 2013)

Let's say there is a port compile needed once a week.  That is done, takes a while but on a fast machine as described with an SSD, really not very long.  After the update, the machine is at full performance again.

Now put it on a GELI-encrypted partition.  Every disk read and write is slower, and slows the CPU at the same time.  You might save some time occasionally by using packages rather than ports, but I doubt it will make up for the performance drag.  It might be less noticeable, although I find that building ports is usually not very noticeable when using an i5 system interactively anyway.


----------



## SirDice (Aug 1, 2013)

zero_devide said:
			
		

> Are you kidding?


No, I'm wondering why you're trying to protect a system from theft when there's nothing valuable to steal or lose. So they they steal a harddisk with your package repository, big deal. I'd be more worried about your personal or company data. 



> Besides, how are you all doing in this case? Do you continue to use malicious software, or you stop using your PC?


I've just finished setting up a build server for a client. It takes a little under an hour to build all the packages he needs. As for security issues with existing packages, sure, sometimes you have to stop using it momentarily until you can either fix the issue or mitigate it. Most of the time however the issues are minor and the chances of abuse are close to non-existent. 



> Anyway, when I used FreeBSD in the past, updates, including security updates, were very frequent.


That depends on how you count. The base OS has very little security updates, in 2012 there were only 12. When it comes to ports however it'll be a lot more frequent. But since we use the exact same sources as Linux does you will have the exact same problems there. You are going to have to wait for the distribution to create new packages for it.


----------



## zero_devide (Aug 1, 2013)

*With FreeBSD, this not the same problem at all as a GNU/Linux distribution*



> No, I'm wondering why you're trying to protect a system from theft when there's nothing valuable to steal or lose. So they they steal a harddisk with your package repository, big deal. I'd be more worried about your personal or company data.



When and/or where did I write that I wanted to protect from thieves, only package repository data? Indeed, in this case, it's rather useless. Rather, there are personal and company data that I want to protect.



> It takes a little under an hour to build all the packages he needs. As for security issues with existing packages, sure, sometimes you have to stop using it momentarily until you can either fix the issue or mitigate it.



So, loss of productivity.



> Most of the time however the issues are minor and the chances of abuse are close to non-existent.



They remain potentially dangerous vulnerabilities.



> That depends on how you count. The base OS has very little security updates, in 2012 there were only 12. When it comes to ports however it'll be a lot more frequent.



So, you agree, with a desktop installation, vulnerable ports are numerous, so again, it leads to a loss of productivity (building GNOME, LibreOffice, etc is then time consuming).



> But since we use the exact same sources as Linux does you will have the exact same problems there. You are going to have to wait for the distribution to create new packages for it.



No you're wrong, it's not the same problem at all. I will once again try to explain: for example, I'm under Debian, and when there is an update, and I'm aware of if or not, the only thing I had to do to make my system secure, or up-to-date, with their real up-to-date package repository is:


`apt-get update && apt-get dist-upgrade -y`

It takes a few minutes, and my system is now ready to be used. With FreeBSD? After an update I have to do something like this:
`# portaudit -Fda`
`# portmaster -Da`
`# cd /usr/ports/editors/libreoffice`
`# make`
wait a huge amount of time, with no possibility to use the vulnerable software
`# make install`

After several hours, I can finally use my PC. Thus, it's definitely not the same as Debian GNU/Linux.


----------



## wblock@ (Aug 1, 2013)

zero_devide said:
			
		

> With FreeBSD? After an update I have to do something like this:
> `# portaudit -Fda`
> `# portmaster -Da`
> `# cd /usr/ports/editors/libreoffice`
> ...



Except the installed version can still be used while the new version is being built.


----------



## zero_devide (Aug 1, 2013)

> Except the installed version can still be used while the new version is being built.


Unless if the installed version is unsafe, because vulnerable to attacks.

Then, loss of productivity.


----------



## kpa (Aug 1, 2013)

So you're basically complaining that FreeBSD does not have prebuilt packages updated as often as they are updated on other OSes? Put your money where you mouth is 

http://www.freebsdfoundation.org/donate/


----------



## wblock@ (Aug 1, 2013)

zero_devide said:
			
		

> Unless if the installed version is unsafe, because vulnerable to attacks.
> 
> Then, loss of productivity.



You suggested it:


> with no possibility to use the vulnerable software



I'm pointing out that an installed port can still be used while a new version of it is being built.  LibreOffice is probably the worst-case example.  On an i5 with SSD, it takes about four hours to build.  That's without geli(8).  It would be interesting to see how long it took on a geli(8)-encrypted SSD.


----------



## SirDice (Aug 1, 2013)

zero_devide said:
			
		

> So, you agree, with a desktop installation, vulnerable ports are numerous, so again, it leads to a loss of productivity (building GNOME, LibreOffice, etc is then time consuming).


No, I only agree that ports will have a few more security updates. If you look at the VuXML database you'll see there aren't a lot of ports with issues and those that do have issues have been fixed.



> No you're wrong, it's not the same problem at all. I will once again try to explain: for example, I'm under Debian, and when there is an update, and I'm aware of if or not, the only thing I had to do to make my system secure, or up-to-date, with their real up-to-date package repository is:
> 
> 
> `apt-get update && apt-get dist-upgrade -y`


Yes, but this assumes Debian has indeed made the new packages available. It takes time for the issue to be resolved upstream and it takes time for Debian to build the new packages from the new upstream source. In the mean time you are vulnerable. I really don't see the difference since we use the same upstream source.


----------



## zero_devide (Aug 1, 2013)

@SirDice, it seems you do not understand, and you are the one. I give up with you.


----------



## phillipsjk (Nov 29, 2013)

*Re: FreeBSD full disk encryption install and package reposit*



			
				zero_devide said:
			
		

> How is the SSD support? Is trim supported?
> Is it possible to make a full encrypted install, I mean, during the first installation of FreeBSD?
> Is it possible to make a "trim encrypted installation"?
> Where can I find a documentation for a full encrypted install?
> ...



I don't think full-disk encryption and TRIM are compatible unless you are relying on encryption provided by the drive firmware. The reason is that the mere presense of free space is considered sensitive information.

 I found a howto. Obviously software encryption is not needed if you trust the drive firmware to do it for you (and hardware encryption would allow you to use TRIM). Edit: new link references the initial one I found.

I also bookmarked Using a Solid State Drive with FreeBSD. Apparently that page needs to be updated, because as of the 9.2-RELEASE, ZFS supports TRIM by default. Edit2: you can install, then use tunefs(8) to enable TRIM.


----------

