Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Oct 2020 15:12:16 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Eric McCorkle <eric@metricspace.net>
Cc:        FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Mounting encrypted ZFS datasets/GELI for users?
Message-ID:  <20201026221215.GB31099@funkthat.com>
In-Reply-To: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net>
References:  <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net>

next in thread | previous in thread | raw e-mail | index | archive | help

--YZ5djTAD1cGYuMQK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Eric McCorkle wrote this message on Mon, Oct 05, 2020 at 09:45 -0400:
> I'm presently looking into options presented by ZFS encryption.  One
> idea I had was something like this (I'm going to go with ZFS for now,
> but you could presumably do something like this with GELI, with more
> effort).

I'd still recommend using GELI.  Even w/ ZFS's native encryption, the
metadata for ZFS remains unencrypted, and able to be munged.  If you
geli w/ ZFS and a strong checksum, like sha512/256, I believe that this
is the equiavlent to authenticated encryption, ala geli's authenticated
mode, but with significantly less overhead...

> You could have your users' home directories on separate ZFS datasets,
> with a separate encryption key generated from their passphrase (you
> could also generalize this to a session key generated from some other
> form of authentication).  When a user logs in, their authentication
> materials are used to recover the ZFS key, which is then used to mount
> the home directory.  When they log out, their home directory is unmounted.

This has already been implemented in PEFS:
https://pefs.io/

and there's already a port for it:
https://www.freshports.org/sysutils/pefs-kmod/

--=20
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

--YZ5djTAD1cGYuMQK
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQJ8BAEBCgBmBQJfl0m/XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MEI1RTRGMTNDNzYyMDZDNjEyMDBCNjAy
MDVGMEIzM0REMDA2QURBAAoJECBfCzPdAGraK0cP/R2H6mClfvVcaudD6LwDbHGF
DjlDFsggf6prvLGa2vMEHsZjtknLP6aNzuf1FJNzPis71ZAhVW2bk6Bfex2s77YE
fU2aGPjp8SRK/2bBx5WMJO1wdH9vGmfhG9bftfpnwxn4NYtZXw6p94SW3tMtrtgY
ZuL4badw3DJOXKYRvomYJFWpDh8nUK7weRA8NG70n8HNcMOHk9osmI9UpSWKLFT/
jJTlMnBi5g9ikOKLfyykfWoU6sHk4pc4vJut32kRTel+jk7wzlLP9D9hffEjVBQj
yHpQPsg0vWU6at0O1qJzH3eXsen/GkB6HzlkdEi1pBWjRcnKj3+KIy+brEtYSK2m
W7CJQY10ikXQpmqOV7P6qT/qbOxq2cVJOLmpcaDND3dKBITreYDMCae7KJajThdV
HUjcmIwxnpzpS3HNcph3wnCzolqWmdKuWGRPgx5b0wLi4EoYCItTdgc0+CTmhcvG
H63jXqF9XKoL64+fjR9JDDBL0gtD+YOKwSowQjGvu5ODNmS+IfuWzk8K7UJFuOo4
sd5TgyrM7aMpesfXF9rS+mkHOcUK6PBePEgZdVAH122CFRMJ0dag4jC/5IXXmfRw
d3copkTX+vPlsFHrtXu5Ds0k9qImjVMlUWGLibKPI/5I7oWXN6Y2ghKEBj+sapbe
IAJ5HF+/7gcUxQkiy6RW
=mwN6
-----END PGP SIGNATURE-----

--YZ5djTAD1cGYuMQK--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20201026221215.GB31099>