What's New BSD 10.2



A Look at the New PC-BSD 10.2


Since PC-BSD 10.1 was released in November 2014, there have been many exciting new features and fixes pushed into the latest version, 10.2. Some of these changes are large, while others occur behind the scenes to improve the PC-BSD experience. Among these changes are a brand new updating scheme, changes to disk partitioning with support for EFI, new privacy & security utilities and a new remotely accessible AppCafe. In this article, we will take a closer look at two of these: system updating and the new privacy / security options in the form of PersonaCrypt.

The first of the new features was a large update to the entire system updating process used by PC-BSD. Historically, PC-BSD has used the standard updating mechanisms in FreeBSD, such as 'freebsd-update' and 'pkg upgrade', in an automated fashion. One of the biggest pain points, however, was the sheer complexity of dealing with packages and their related dependencies. While the recent updates to PKGNG have helped with the complexity, there were still too many failed upgrades for comfort, often preventing the PC-BSD tools from running in an automated fashion. To assist with this problem, PC-BSD had Boot-Environments functionality that allowed rolling back if something went wrong, but we still wanted to fix the underlying problems. To do so, we came up with a new mechanism for doing system updates that relies upon the power of ZFS/Boot-Environments and the existing FreeBSD tools.

The new “update” process on PC-BSD works in the following manner. When performing an update of any packages, it first queries the local package database to determine the “top-level” packages, those installed by the user which nothing directly depends on. This list is saved as the master package list of the system and used immediately to begin the process of downloading the latest versions from the mirrors. These files are stored in a local cache on disk, which is cleaned of obsolete packages before any upgrade. Once the top-level packages and the related dependencies are downloaded, the update moves into its next phase. A new ZFS Boot-Environment is created and then prepared, first by cleaning out the old packages and then re-installing the top-level packages only. This helps bypass the issues which occur while trying to solve the conflicts between old and new dependencies of the top-level packages. Once the update is finished, the new BE is marked as “active” and the user is notified that they can reboot when they are ready to load into the updated system.
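The package-selection step described above can be modelled in a few lines. This is an added example, not PC-BSD's updater code: the package names, dependency maps and function names are constructed for illustration. It shows why reinstalling only the top-level packages into a clean boot environment drops dependencies that the new versions no longer need.

```python
# Constructed sample data: installed packages -> their direct dependencies.
INSTALLED = {
    "firefox": {"nss", "libold"},
    "vim": {"ncurses"},
    "nss": {"nspr"},
    "nspr": set(),
    "libold": set(),
    "ncurses": set(),
}
# Constructed repository catalogue after an update: firefox swapped libold for libnew.
REPO = {
    "firefox": {"nss", "libnew"},
    "vim": {"ncurses"},
    "nss": {"nspr"},
    "nspr": set(),
    "libold": set(),
    "libnew": set(),
    "ncurses": set(),
}

def top_level(installed):
    """Packages that no other installed package depends on (the master list)."""
    required = set()
    for deps in installed.values():
        required |= deps
    return sorted(set(installed) - required)

def resolve(roots, repo):
    """Dependency closure of the roots: what a fresh install pulls in."""
    seen, stack = set(), list(roots)
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue  # already handled; also guards against dependency cycles
        if pkg not in repo:
            raise KeyError(f"{pkg} is missing from the repository")
        seen.add(pkg)
        stack.extend(repo[pkg])
    return seen

def plan_update(installed, repo):
    """Contents of the new boot environment versus the running one."""
    roots = top_level(installed)
    new_be = resolve(roots, repo)
    return {
        "master_list": roots,
        "new_be": sorted(new_be),
        "dropped": sorted(set(installed) - new_be),
        "added": sorted(new_be - set(installed)),
    }

if __name__ == "__main__":
    print(plan_update(INSTALLED, REPO))
```

On a live FreeBSD system, `pkg query -e '%#r = 0' %n` lists packages with no reverse dependencies; the article does not say whether PC-BSD's updater uses this exact query.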

Using this method has proved advantageous in a number of ways. First, the currently running boot-environment is never touched. This means you can keep working and using a system without interruption and reboot only at your convenience, such as at the end of the day. Secondly, while failures are much less likely, they are also no longer going to interrupt the system. Updates can be re-run as many times as desired, with the new BE created and flagged as active at the finish. Lastly, package updates become much more reliable, since we are duplicating the process of installing packages fresh, where there are no packages on the box to cause conflicts in the first place. This has already proven to be a much more reliable upgrade process, even allowing us to do daily or weekly updates with ease.

Fig 2: Current BE is cloned and new packages installed

In addition to the new updating methods offered in PC-BSD 10.2, there have also been major changes to improve both security and privacy. For the past several months, the entire package repository for PC-BSD has been switched to build against LibreSSL, instead of the default OpenSSL used by FreeBSD upstream. This change is almost entirely transparent to end-users, but offers a much smaller vulnerability target and often fewer critical security updates being dropped on us from upstream. 10.2 also brings with it the new utility “PersonaCrypt” and graphical options for a system-level Tor proxy.

PersonaCrypt provides some unique methods to improve user privacy. It is integrated with the PC-BSD graphical login manager (PCDM) to do the following:

  • Allow the user's $HOME directory to be stored on encrypted external media using GELI/ZFS.
  • Perform “Stealth” mode logins, where the $HOME directory is created on a GELI-backed one-time encrypted image with no personal information contained within.

The first of these options can be used in a couple of interesting ways. It can be used either with a secondary internal disk to provide a separate encrypted $HOME directory for a single system, or it can be used with external media (such as a USB stick) to provide a portable $HOME directory. The key is automatically split into two parts, so that the first resides on the local system, while the second part is provided as a password at the login screen. PersonaCrypt allows the system key file to be exported from the initial system, and imported or “paired” with another system, such as in the case of a desktop and laptop. This means, should the external media be lost or stolen, it cannot be accessed without both the system it is paired to and the user password. It can also be used as a convenience option, where moving your entire $HOME directory between two desktops (such as home and office) can now be done in an offline and secure manner. With media using ZFS, it also means that snapshots and replication options can be used for backups, either manually or via PC-BSD’s Life-Preserver utility.
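The two-part key can be illustrated with a small model. This is an added example, not PersonaCrypt or GELI code: the derivation and the toy key wrap are simplified stand-ins for GELI's real metadata format, and all names and values are constructed. It shows that the media unlocks on the original or a paired system, but not with only one of the two key parts.

```python
import hashlib
import hmac
import os

def user_key(keyfile: bytes, passphrase: str, salt: bytes, iters: int = 50_000) -> bytes:
    """Derive the unlock key from BOTH parts: the key file kept on the paired
    system and the password typed at login (simplified model, not GELI's)."""
    stretched = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, iters)
    return hmac.new(stretched, keyfile, hashlib.sha512).digest()

def _stream(ukey: bytes, n: int) -> bytes:
    # Keystream for the toy wrap; sufficient for master keys up to 64 bytes.
    return hmac.new(ukey, b"enc", hashlib.sha512).digest()[:n]

def wrap(master: bytes, ukey: bytes) -> bytes:
    """Toy key wrap (XOR keystream + HMAC tag) standing in for real encryption."""
    ct = bytes(a ^ b for a, b in zip(master, _stream(ukey, len(master))))
    return ct + hmac.new(ukey, b"mac" + master, hashlib.sha256).digest()

def unwrap(blob: bytes, ukey: bytes):
    """Return the master key, or None if either key part was wrong."""
    ct, tag = blob[:-32], blob[-32:]
    master = bytes(a ^ b for a, b in zip(ct, _stream(ukey, len(ct))))
    good = hmac.new(ukey, b"mac" + master, hashlib.sha256).digest()
    return master if hmac.compare_digest(tag, good) else None

def demo() -> dict:
    keyfile = os.urandom(64)   # constructed: part one, stays on the desktop
    salt = os.urandom(16)      # constructed: stored with the media metadata
    master = os.urandom(32)    # constructed: key that encrypts $HOME
    blob = wrap(master, user_key(keyfile, "login-pass", salt))
    exported = bytes(keyfile)  # "pairing": key file imported on a laptop
    return {
        "desktop": unwrap(blob, user_key(keyfile, "login-pass", salt)) == master,
        "paired_laptop": unwrap(blob, user_key(exported, "login-pass", salt)) == master,
        "media_and_password_only": unwrap(blob, user_key(b"", "login-pass", salt)),
        "keyfile_wrong_password": unwrap(blob, user_key(keyfile, "wrong-guess", salt)),
    }

if __name__ == "__main__":
    print(demo())
```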

Reference:
Moore, Kris. 2015. BSD Magazine: For Novice and Advance User, vol. 09. Warsaw. Hakin9 Media SK.
