
  • I do this with ZFS using a Keyfile and a script that runs at boot to unlock/mount.

    I put the keyfiles on a USB drive. (Make sure you have backups!) This USB drive is hidden. I won’t go into details on how I did that; there are several ways to do it, and you can get pretty creative.

    If someone steals my server, they need to know where I hid my USB, or they won’t be able to get to any of the encrypted datasets.
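
A boot-time unlock of the kind described in the comment above could look like the following. This is an added example, not the commenter's script; the dataset name and key path are supplied as arguments, and the `ZFS` variable is an assumption introduced so the logic can be exercised without a pool.

```shell
#!/bin/sh
# Added example: unlock and mount one encrypted ZFS dataset from a keyfile at boot.
# Dataset name and key path are arguments; this is not the commenter's script.
ZFS="${ZFS:-zfs}"   # overridable (assumption) so the logic can run without a pool

# Refuse a key that is missing (USB not mounted), not an absolute regular file,
# or readable by anyone but its owner.
check_keyfile() {
    key="$1"
    case "$key" in
        /*) ;;
        *) echo "key path must be absolute: $key" >&2; return 1 ;;
    esac
    if [ ! -f "$key" ] || [ -L "$key" ]; then
        echo "keyfile not present (is the USB drive mounted?): $key" >&2
        return 1
    fi
    perms=$(stat -c '%a' "$key") || return 1   # GNU stat, as on Linux
    case "$perms" in
        400|600) ;;
        *) echo "keyfile mode $perms is too open, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Load the key only if it is not already loaded, then mount only if not mounted,
# so the script is safe to run twice. It never falls back to a prompt.
unlock_dataset() {
    ds="$1"; key="$2"
    check_keyfile "$key" || return 1
    keystatus=$("$ZFS" get -H -o value keystatus "$ds") || return 1
    if [ "$keystatus" != "available" ]; then
        # -L overrides the dataset's stored keylocation for this one call
        "$ZFS" load-key -L "file://$key" "$ds" || return 1
    fi
    mounted=$("$ZFS" get -H -o value mounted "$ds") || return 1
    if [ "$mounted" != "yes" ]; then
        "$ZFS" mount "$ds" || return 1
    fi
}

# Usage: unlock.sh <dataset> <absolute-keyfile-path>
if [ "$#" -eq 2 ]; then
    unlock_dataset "$1" "$2"
fi
```

If the USB drive is absent the script exits non-zero and the dataset stays locked, which is the behaviour the comment relies on.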


  • That sounds easy enough, but it creates a situation where I don’t know what updates are important (security) and what updates are minor. So I have to read the release notes for each update and then decide if I need it to patch a security vulnerability.
    Whereas with the other method, I know the update is likely critical.
    For some, those frequent updates are a +; for me they are not. So use what works best for you!

    But right now I couldn’t use OPNsense even if I wanted to, as it’s FIPS non-compliant due to them still using the deprecated EOL OpenSSH 1.1.1, and no date set to move to v3