Date: Mon, 19 Aug 2024 14:47:30 +0200
From: Jan Bramkamp
To: freebsd-current@freebsd.org
Subject: Re: a zfs thank you :)
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 31.07.24 17:02, void wrote:
> Hi,
>
> I was pleasantly surprised when I installed a new [1] zfs-on-root -current
> to rpi4 that when adduser was invoked, I was given the option to
> encrypt the homedir. This is a great feature for my context [2].
>
> It doesn't automount on boot but I think this is more of a feature
> rather than a bug. One can have a different password to the GELI one used
> to boot up the whole system.
>
> I have not tested yet whether one can have the user, once logged in, mount
> their homedir with doas(1). Right now, I mount the homedir like so:
>
>     zfs load-key -a (prompts for password)
>     zfs mount -a
>
> as root.
>
> I could I guess make a doas line for the user for zfs load-key -r
> zfsfile/system.
> Can anyone suggest any better ideas please?

There is the pam_zfs_key.so PAM session module that should do exactly what you're looking for if your users log in with a password. It should be similar to the pam_ssh.so module if you're already familiar with that one.

Unless users provide the password there isn't much file system or disk encryption can do for you against hardware theft since the Raspberry Pi doesn't have any secure key storage nor would the kernel be able to know when it has been stolen and stop auto-loading the keys.
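
An added example, not part of the original message: PAM lines that wire pam_zfs_key.so into password logins so that the session step loads the key and mounts the user's dataset. The file path, the placement after pam_unix.so and the `zroot/home` dataset prefix are assumptions; `homes=` is the module option that names the parent of the per-user datasets.

```conf
# /etc/pam.d/system (assumed location; services with their own PAM file,
# such as sshd, need the same lines there).
# Assumptions: per-user encrypted datasets live at zroot/home/<username>,
# their ZFS passphrase is identical to the user's login password, and each
# line below is placed after the existing pam_unix.so line of the same type.

# auth: keeps the password the user typed so the session step can use it.
auth      optional  pam_zfs_key.so  homes=zroot/home

# session: at login, loads the key for zroot/home/<username> and mounts it;
# at logout, unmounts the dataset and unloads the key again.
session   optional  pam_zfs_key.so  homes=zroot/home

# password: re-wraps the dataset key when the login password is changed,
# so the two passwords stay in sync.
password  optional  pam_zfs_key.so  homes=zroot/home
```

A login that never supplies a password (for example SSH public-key authentication) gives the module nothing to derive the key from, which is the condition the reply attaches to this approach.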