Date: Mon, 26 Oct 2020 15:12:16 -0700 From: John-Mark Gurney <jmg@funkthat.com> To: Eric McCorkle <eric@metricspace.net> Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org> Subject: Re: Mounting encrypted ZFS datasets/GELI for users? Message-ID: <20201026221215.GB31099@funkthat.com> In-Reply-To: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net> References: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--YZ5djTAD1cGYuMQK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Eric McCorkle wrote this message on Mon, Oct 05, 2020 at 09:45 -0400: > I'm presently looking into options presented by ZFS encryption. One > idea I had was something like this (I'm going to go with ZFS for now, > but you could presumably do something like this with GELI, with more > effort). I'd still recommend using GELI. Even w/ ZFS's native encryption, the metadata for ZFS remains unencrypted, and able to be munged. If you geli w/ ZFS and a strong checksum, like sha512/256, I believe that this is the equiavlent to authenticated encryption, ala geli's authenticated mode, but with significantly less overhead... > You could have your users' home directories on separate ZFS datasets, > with a separate encryption key generated from their passphrase (you > could also generalize this to a session key generated from some other > form of authentication). When a user logs in, their authentication > materials are used to recover the ZFS key, which is then used to mount > the home directory. When they log out, their home directory is unmounted. This has already been implemented in PEFS: https://pefs.io/ and there's already a port for it: https://www.freshports.org/sysutils/pefs-kmod/ --=20 John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." --YZ5djTAD1cGYuMQK Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJfl0m/XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MEI1RTRGMTNDNzYyMDZDNjEyMDBCNjAy MDVGMEIzM0REMDA2QURBAAoJECBfCzPdAGraK0cP/R2H6mClfvVcaudD6LwDbHGF DjlDFsggf6prvLGa2vMEHsZjtknLP6aNzuf1FJNzPis71ZAhVW2bk6Bfex2s77YE fU2aGPjp8SRK/2bBx5WMJO1wdH9vGmfhG9bftfpnwxn4NYtZXw6p94SW3tMtrtgY ZuL4badw3DJOXKYRvomYJFWpDh8nUK7weRA8NG70n8HNcMOHk9osmI9UpSWKLFT/ jJTlMnBi5g9ikOKLfyykfWoU6sHk4pc4vJut32kRTel+jk7wzlLP9D9hffEjVBQj yHpQPsg0vWU6at0O1qJzH3eXsen/GkB6HzlkdEi1pBWjRcnKj3+KIy+brEtYSK2m W7CJQY10ikXQpmqOV7P6qT/qbOxq2cVJOLmpcaDND3dKBITreYDMCae7KJajThdV HUjcmIwxnpzpS3HNcph3wnCzolqWmdKuWGRPgx5b0wLi4EoYCItTdgc0+CTmhcvG H63jXqF9XKoL64+fjR9JDDBL0gtD+YOKwSowQjGvu5ODNmS+IfuWzk8K7UJFuOo4 sd5TgyrM7aMpesfXF9rS+mkHOcUK6PBePEgZdVAH122CFRMJ0dag4jC/5IXXmfRw d3copkTX+vPlsFHrtXu5Ds0k9qImjVMlUWGLibKPI/5I7oWXN6Y2ghKEBj+sapbe IAJ5HF+/7gcUxQkiy6RW =mwN6 -----END PGP SIGNATURE----- --YZ5djTAD1cGYuMQK--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20201026221215.GB31099>