From owner-freebsd-hackers@freebsd.org Mon Oct 5 15:50:59 2020
From: Alan Somers
Date: Mon, 5 Oct 2020 09:50:46 -0600
Subject: Re: Mounting encrypted ZFS datasets/GELI for users?
To: Eric McCorkle
Cc: FreeBSD Hackers
List-Id: Technical Discussions relating to FreeBSD

On Mon, Oct 5, 2020 at 9:40 AM Eric McCorkle wrote:
> On 10/5/20 11:12 AM, Alan Somers wrote:
> >
> > First of all, what kind of threat are you concerned with? Disk
> > encryption does not protect against an attacker with access to a live
> > machine; it only protects against an attacker with access to an off
> > machine, or to the bare HDDs. Per-user encryption would presumably
> > protect one user from another user who has physical access to the off
> > server. Is that what you're worried about? If not, then you shouldn't
> > bother with per-user encryption. Just encrypt all of /home or all of
> > the pool with a single key.
> >
> > -Alan
>
> I am evaluating options for domains where use of per-user encryption is
> mandated, often as a means of protecting against insider threats.

But if the victim user and the aggressor user are logged in at the same time,
then both users' home directories will be decrypted, and Unix permissions will
be the only thing protecting the victim, right? That situation doesn't sound
any better than no encryption at all. And insiders who have offline access to
the HDDs would be thwarted by global encryption just as much as per-user
encryption. I'm not denying that you may be under some legal mandate for
per-user encryption; I just don't understand the motivation.

OmniOS has a module that creates a new home directory ZFS dataset the first
time. But the last time I looked at it, it didn't include any encryption.

-Alan
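The point made above is that per-user encryption only separates users while a home dataset's key is not loaded. As an added example (not code from this thread, from FreeBSD, or from OmniOS), the following check parses `zfs list` and `who` output to find home datasets whose key is still loaded although the owner has no login session, and prints the commands to re-lock them. The one-dataset-per-user layout under zroot/home and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. Per-user encryption
# only separates users while a home dataset's key is NOT loaded; once the key
# is loaded, Unix permissions are all that stands between the users. This check
# finds datasets whose key is loaded although the owner has no login session,
# so the key can be unloaded again. Assumed (hypothetical) layout: one dataset
# per user directly under a parent such as zroot/home, named after the login.

# stale_unlocked_homes PARENT ZFS_LIST_OUTPUT WHO_OUTPUT
#   ZFS_LIST_OUTPUT: text of `zfs list -H -d 1 -o name,keystatus,mountpoint PARENT`
#   WHO_OUTPUT:      text of `who` (first field is the login name)
# Prints "dataset<TAB>user" for each child with keystatus=available whose
# user is not logged in.
stale_unlocked_homes() {
    parent=$1; zfs_out=$2; who_out=$3
    tab=$(printf '\t')
    printf '%s\n' "$zfs_out" | while IFS="$tab" read -r name keystatus mountpoint; do
        [ -n "$name" ] || continue
        [ "$name" != "$parent" ] || continue        # skip the parent itself
        [ "$keystatus" = "available" ] || continue  # key not loaded: fine
        user=${name##*/}                            # last component = login
        if ! printf '%s\n' "$who_out" |
             awk -v u="$user" '$1 == u { found = 1 } END { exit !found }'; then
            printf '%s\t%s\n' "$name" "$user"
        fi
    done
}

# Commands an operator would run to re-lock those datasets (printed, not
# executed, so the list can be reviewed first; unload-key needs it unmounted).
relock_commands() {
    stale_unlocked_homes "$@" | while IFS="$(printf '\t')" read -r name user; do
        printf 'zfs unmount %s && zfs unload-key %s\n' "$name" "$name"
    done
}

# Constructed sample input (not real host output) so the check runs offline:
# alice is logged in, bob is not but his key is loaded, carol's key is not.
SAMPLE_ZFS=$(printf 'zroot/home\tnone\t/home\nzroot/home/alice\tavailable\t/home/alice\nzroot/home/bob\tavailable\t/home/bob\nzroot/home/carol\tunavailable\t/home/carol\n')
SAMPLE_WHO=$(printf 'alice   pts/0   Oct  5 09:50 (10.0.0.5)\nroot    ttyv0   Oct  5 08:00\n')

if [ "${1:-}" = "--live" ]; then   # sh thisfile --live zroot/home  (on the ZFS host)
    parent=${2:-zroot/home}
    relock_commands "$parent" "$(zfs list -H -d 1 -o name,keystatus,mountpoint "$parent")" "$(who)"
else
    relock_commands zroot/home "$SAMPLE_ZFS" "$SAMPLE_WHO"
fi
```

Run from a periodic job or a logout hook, this turns the "both users logged in" window the thread describes into something observable rather than a permanent state.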