From: Alan Somers
Date: Mon, 5 Oct 2020 09:12:47 -0600
Subject: Re: Mounting encrypted ZFS datasets/GELI for users?
To: Eric McCorkle
Cc: FreeBSD Hackers
In-Reply-To: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net>
List-Id: Technical Discussions relating to FreeBSD

On Mon, Oct 5, 2020 at 7:46 AM Eric McCorkle wrote:
> I'm presently looking into options presented by ZFS encryption.
> One idea I had was something like this (I'm going to go with ZFS for now,
> but you could presumably do something like this with GELI, with more
> effort).
>
> You could have your users' home directories on separate ZFS datasets,
> with a separate encryption key generated from their passphrase (you
> could also generalize this to a session key generated from some other
> form of authentication). When a user logs in, their authentication
> materials are used to recover the ZFS key, which is then used to mount
> the home directory. When they log out, their home directory is unmounted.
>
> The tricky part seems to be that you need their authentication
> materials. I think you could maybe accomplish something like this with
> a custom PAM module that would load the key when the user logs in. I'm
> less sure how to unload the key when they log out, though. If you could
> manage that, then I think standard automounter stuff should be able to
> handle mounting and unmounting the actual filesystem as needed.
>
> Does anyone know of a better way to go about doing this?
>

First of all, what kind of threat are you concerned with? Disk encryption does
not protect against an attacker with access to a live machine; it only protects
against an attacker with access to an off machine, or to the bare HDDs. Per-user
encryption would presumably protect one user from another user who has physical
access to the off server. Is that what you're worried about? If not, then you
shouldn't bother with per-user encryption. Just encrypt all of /home or all of
the pool with a single key.

-Alan
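The ZFS side of the scheme Eric sketches (per-user encrypted dataset, key loaded at login, unmounted and key unloaded at logout) as an added example; this is not code from either mail. It assumes a pool named tank with home datasets under tank/home mounted at /home/<user>, and that a PAM session hook (for instance pam_exec(8) with its expose_authtok option, which writes the password to the program's stdin) calls these functions with the passphrase on stdin. The DRY_RUN switch is mine, so the command sequence can be inspected on a machine without ZFS.

```shell
#!/bin/sh
# Added example: lifecycle of a per-user encrypted ZFS home dataset.
# Assumptions (not from the thread): pool "tank", homes under tank/home,
# mounted at /home/<user>. DRY_RUN=1 prints the commands instead of
# running them.

POOL="${POOL:-tank}"
HOMES="$POOL/home"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup per user: a dataset with its own passphrase-derived key.
# keylocation=prompt means zfs reads the passphrase from stdin (it prompts
# on a tty, otherwise it reads the piped value). canmount=noauto keeps the
# dataset from being mounted by "zfs mount -a" before the key is loaded.
create_user_home() {
    user="$1"
    run zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt \
        -o mountpoint="/home/$user" -o canmount=noauto "$HOMES/$user"
}

# Login hook: the passphrase arrives on stdin, load-key consumes it, then
# the dataset is mounted. If load-key fails (wrong passphrase) nothing is
# mounted and the function returns non-zero.
login_mount_home() {
    user="$1"
    run zfs load-key "$HOMES/$user" && run zfs mount "$HOMES/$user"
}

# Logout hook: unmount first, then drop the key from the kernel so the
# plaintext is unreachable until the next login. If the unmount fails
# (the user still has a process with an open file), the key stays loaded
# rather than leaving a mounted dataset whose key is gone.
logout_unmount_home() {
    user="$1"
    run zfs unmount "$HOMES/$user" && run zfs unload-key "$HOMES/$user"
}
```

The unload step is the piece Eric was unsure about: ZFS exposes it directly as zfs unload-key, so a session-close hook that runs logout_unmount_home is enough, provided the unmount succeeds. Note that this only changes what is recoverable from the disks or from kernel memory after the user has logged out; while the user is logged in the key is loaded and, as Alan's reply points out, the encryption does nothing against someone with access to the live machine.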