Date:      Mon, 19 Aug 2024 14:47:30 +0200
From:      Jan Bramkamp <crest@rlwinm.de>
To:        freebsd-current@freebsd.org
Subject:   Re: a zfs thank you :)
Message-ID:  <d8c5a0b1-6162-4b7a-8bbe-4fea2dd4ee4c@rlwinm.de>
In-Reply-To: <ZqpSHAPDcSlikhnC@int21h>
References:  <ZqpSHAPDcSlikhnC@int21h>

On 31.07.24 17:02, void wrote:
> Hi,
>
> I was pleasantly surprised when I installed a new [1] zfs-on-root -current
> to rpi4 that when adduser was invoked, I was given the option to
> encrypt the homedir. This is a great feature for my context [2].
>
> It doesn't automount on boot but I think this is more of a feature 
> rather than a bug. One can have a different password to the GELI one used
> to boot up the whole system.
>
> I have not tested yet whether one can have the user, once logged in, mount
> their homedir with doas(1). Right now, I mount the homedir like so:
>
> zfs load-key -a (prompts for password)
> zfs mount -a
>
> as root.
>
> I could, I guess, make a doas line for the user for
> zfs load-key -r zfsfile/system.
> Can anyone suggest any better ideas please?
There is the pam_zfs_key.so PAM session module that should do exactly 
what you're looking for if your users log in with a password. It should 
be similar to the pam_ssh.so module if you're already familiar with that 
one. Unless users provide the password, there isn't much file system or 
disk encryption can do for you against hardware theft, since the 
Raspberry Pi doesn't have any secure key storage, nor would the kernel be 
able to know when it has been stolen and stop auto-loading the keys.
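
A PAM stanza for the pam_zfs_key.so module named in the reply, as an added example that is not part of the original message or the FreeBSD project's shipped configuration. The dataset prefix `zroot/home`, the per-user layout `zroot/home/<login>`, and the choice of service file are assumptions.

```conf
# Added example, not from the original e-mail.
# Assumptions: each user's encrypted home is a child dataset of zroot/home
# (zroot/home/<login>), created with keyformat=passphrase, and its
# passphrase is the same as the user's login password.
# Add each line to the matching section of the PAM service file that
# password logins go through (assumed here: /etc/pam.d/system), after the
# existing entries for that facility.

# auth: hands the typed login password to the module so the session
# step can use it; "optional" keeps logins working if the dataset is absent.
auth      optional  pam_zfs_key.so  homes=zroot/home

# session open: load the key for zroot/home/<login> and mount it.
# session close: unmount the dataset and unload its key again.
session   optional  pam_zfs_key.so  homes=zroot/home

# password: change the dataset passphrase together with the login password,
# so the two do not drift apart.
password  optional  pam_zfs_key.so  homes=zroot/home
```

To check the result, run `zfs get keystatus,mounted zroot/home/<login>` after the user logs in and again after the last session closes. Logins that never present a password (for example SSH public-key authentication) give the module nothing to derive the key from, so the dataset stays locked.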


