If you’ve been an EDGE user in the past few weeks, or following our Roadmap items for the upcoming 10.1.2 release, you may have noticed a number of new security and privacy related items. I wanted to take a moment to clarify what some of these new features are and what they will do.
– PersonaCrypt –
The first of the new features is a new CLI utility called personacrypt. This command will allow the creation and usage of a GELI backed encrypted external media for your users $HOME directory. We are using it internally to keep our user profiles on USB 3.0 — 256GB hybrid SSD / flash memory stick (Coarsair flash Voyager GTX specifically). This is tied into the PCDM login manager, and user manager, so when you create a new user account, you can opt to keep all your personal data on any external device. The device is formatted with GPT / GELI / ZFS, and is decrypted at login via the GUI, after entering your encryption key, along with the normal user password.
Additionally, the personacrypt command uses GELI’s ability to split the key into two parts. One being your passphrase, and the other being a key stored on disk. Without both of these parts, the media cannot be decrypted. This means if somebody steals the key and manages to get your password, it is still worthless without the system it was “paired” with. PersonaCrypt will also allow exporting / importing this key data, so you can “pair” the key with other systems.
– Tor Mode –
We’ve added a new ability to the System Updater Tray, so you can with a single-click, toggle between running in Tor mode, and regular “Open” mode. This switch to Tor mode, will do the following:
1. Launch the Tor daemon, and connect to the Tor network
2. Re-write all the IPFW rules, blocking all outgoing / incoming traffic, except for traffic to and from the Tor daemon
3. Re-route all DNS / TCP requests through Tor using its transparent proxy support
This allows applications on the system to now connect to the internet through Tor, without needing explicit SOCKS proxy support.
Obviously this alone isn’t enough to keep your identity safe on the Internet. We highly recommend that you read through their excellent FAQ and wiki articles on the subject.
– Stealth Mode –
One of the features we just added to personacrypt is something we are calling “stealth” mode. It is integrated into PCDM, and does the following:
During the login, if stealth mode is selected, the users $HOME directory will be mounted with a GELI backed ZVOL with GELI’s onetime key encryption. This $HOME directory is setup with the default /usr/share/skel data, and is pretty much a “blank” slate, allowing you to login, and run apps as if on a fresh system each time. At logout the dataset is destroyed, or should the system be rebooted, the onetime key is lost, rendering the data useless. Think of it as a web browser’s “private” mode, except for your entire desktop session.
– LibreSSL –
We’ve made the switchover to convert our ports to use LibreSSL by default instead of the base systems OpenSSL. (Thanks to Bernard Spil for his work on this). Our hope is that LibreSSL will help make the system security better, and reduce the number of OpenSSL exploits that our packages may be vulnerable to.
– Encrypted Backups –
The Life-Preserver utility has had the ability for a while now to replicate your system to another box running FreeBSD, such as FreeNAS. This backup is done via ZFS send/recv using SSH, but the data on the remote end was stored un-encrypted and could be read by whomever was administrating the remote box. To provide an extra measure of security to backups, we are in the process of adding support for fully-encrypted backups, using GELI backed iSCSI volumes. This allows us to use ZFS send/recv over the wire, with all the data leaving the box already being encrypted via GELI. Your data on the remote side is fully-encrypted, and only accessibly with the key file you have stored on the client side. This is still in active development and should show up in the EDGE repo in the upcoming weeks, along with some additional details on usage.
We hope you’ve enjoyed this sneak-peek of whats happening with PC-BSD development right now. As always, we love people to test these features in our EDGE repo, and let us know of issues via our bug tracker:
Setting up a FreeBSD / TrueOS home router with IPFW
(Updated 1/13/2015 with in-kernel NAT example!)
Over the Christmas holidays I had some spare time and was ready to take the plunge and retire an old Asus router. It had begun getting rather slow, due to the increasing number of devices connected to our network, and of course I wanted peace of mind using a FreeBSD system I could be sure was up to date with security fixes. I used PC-BSD’s server release, TrueOS 10.1, because I wanted to use ZFS with boot-environments to ensure upgrading and replacing disks would be risk-free down the road. The following details how I setup TrueOS on the new box.
Many users have asked us about the recent OpenSSL Heartbleed bug. This only applies to users of PC-BSD 10.0, users of 9.x and earlier will not be effected.
A patch has gone out this morning to correct the issue, which includes the following FreeBSD security advisories:
By running the graphical “System Updater” you can apply the bug fixes, or via “freebsd-update” at the command-prompt. After applying this fix, please reboot and the systems version should now show 10.0-RELEASE–p9
Kris gets to sit down with a blogger at Texas Linux Fest and discuss a bit about PC-BSD.
I wanted to take this time to give you a status update on PC-BSD / TrueOS, and the direction going forward. As many of you know, we’ve been doing builds of 9.1-RELEASE and 9-STABLE as a “Rolling-Release”. Our new plan is to issue system and package updates on the following schedule:
– Update PKGNG repo on or about the 1st and 15th of the month.
– Update the PKGNG repo on or about the 5th and 20th of the month
– Issue a new “freebsd-update” patch on the 1st, which includes the latest –STABLE version
In addition to the rolling release, we also have some other cool new projects in the works. The first among these is our work to make ZFS the cornerstone of the PC-BSD/TrueOS experience. This will bring features such as ZFS “Boot-Environments”, including the ability to boot directly from them at the boot-loader. If you’ve not run boot-environments before, you will wonder how you survived without them. To accomplish this, we are going to be moving to the GRUB boot-loader, which now has ZFS support. The pbi-manager and Warden already have extensive ZFS support, and we will be enhancing our other utilities, such as “Life-Preserver” with ZFS features as well.
In addition to re-focusing on solely on ZFS as our default file-system, we have had to take a look at the feasibility of continuing with the i386 builds. As many of you know, ZFS is a 21st century operating system and doesn’t play nicely with the legacy i386 kernel / versions of FreeBSD. In addition over the past couple years, more and more of time-consuming issues we’ve encountered have been only on i386, partly due to the fact that most FreeBSD devs have already moved on to 64bit and also due to the quickly shrinking number of users / systems that still run i386. In order to make PC-BSD / TrueOS, secure, stable and timely, we’ve decided to drop the i386 builds going forward, and instead focus on a single 64bit architecture. This means the next editions of rolling-release and 9.2 onward will be 64bit only. If you are already on 64bit, then you won’t need to worry about anything. However if you are running i386 on your box you will need to consider moving it to the 64bit versions in the near future. If your hardware is less than 10 years old then most likely you will be able to do this without any difficulty.
For those helping us test the rolling-release now, I hope to have a new ISO + package set available in the next week or so, which includes the new GRUB boot-loader for Boot-Environments. I will post back details on how to manually setup / test this feature in the near future. Once these new features have stabilized a bit further, we will begin to issue general updates for users of the old 9.1-RELEASE from January to upgrade to 9.1 Rolling Release.
A number of PC-BSD 32bit users have reported problems booting their
systems after applying the latest FreeBSD update patches. We have found the problem and will have a bugfix issued shortly. Once this bugfix is issued, you may then continue re-applying FreeBSD updates. If this has affected your system, you can fix it manually following the directions below.
NOTE: At this time it *only* seems to be hitting users of 9.1-Release on 32bit / i386.
Fixing the problem
If your system has run into this issue, and can no longer boot, you can fix it with the following steps:
1. Boot your 9.1-Release DVD / USB media to the installation screen
2. Right-click on the desktop to open “xterm”
3. Mount your PC-BSD partition:
# mount /dev/ada0s1a /mnt
(Replace “ada0s1” with the disk name / partition number)
4. Copy the original /boot/loader file
# cp /mnt/boot/loader.old /mnt/boot/loader
5. Unmount and reboot
# umount /mnt
# shutdown –r now
A fix named “Boot-loader — beastie” fix has been issued and is being updated to the mirrors as of April 9. Once the update is installed, it is safe to do the freebsd-update.
Since it takes time to sync to all of the mirrors, be sure that it downloads and installs before running freebsd-update.