From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
Date: Fri, 03 Apr 2015 15:45:30 +0300
To: freebsd-security@freebsd.org
Subject: Encrypted user home dirs with NFS/SMB/local (ssh and true local) access without additional passwords — is it possible?
Message-ID: <551E8B6A.5030203@FreeBSD.org>

I want to encrypt home dirs on a multiuser server. Some users use it with "ssh", other users mount home dirs to Windows with Samba (3.x, but I could migrate to 4.x) and never log in with ssh/locally, some home dirs are mounted to another FreeBSD system via NFS.

So, overlay FS with per-file encryption is not a solution, as SMB-only users could not call "mount" and enter a password. Full-disk encryption is not a solution either, as "root" could read all files in such a case, as there is no encryption at all.

Is it possible at all?

-- 
// Lev Serebryakov