From: Eric McCorkle
To: FreeBSD Hackers
Subject: Mounting encrypted ZFS datasets/GELI for users?
Date: Mon, 5 Oct 2020 09:45:50 -0400
Message-ID: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net>

I'm presently looking into options presented by ZFS encryption. One idea I had was something like this (I'm going to go with ZFS for now, but you could presumably do something like this with GELI, with more effort).

You could have your users' home directories on separate ZFS datasets, with a separate encryption key generated from their passphrase (you could also generalize this to a session key generated from some other form of authentication). When a user logs in, their authentication materials are used to recover the ZFS key, which is then used to mount the home directory. When they log out, their home directory is unmounted.

The tricky part seems to be that you need their authentication materials. I think you could maybe accomplish something like this with a custom PAM module that would load the key when the user logs in. I'm less sure how to unload the key when they log out, though. If you could manage that, then I think standard automounter stuff should be able to handle mounting and unmounting the actual filesystem as needed.

Does anyone know of a better way to go about doing this?
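
One way to handle the load-on-login and unload-on-logout lifecycle asked about above, as an added example that is not part of the original message or of any FreeBSD code: a per-user session counter, so the key is loaded on the first login and unloaded only when the last session ends. The dataset layout, the state directory, the function names, and the way a PAM hook would call them with the passphrase on stdin are all assumptions.

```sh
#!/bin/sh
# Added example: per-user ZFS key lifecycle with session reference counting.
# Assumptions (not from the original post): datasets are $HOME_PARENT/<user>,
# created with keyformat=passphrase and keylocation=prompt, and a PAM session
# hook calls session_open (passphrase on stdin) and session_close.
ZFS_CMD="${ZFS_CMD:-zfs}"                    # overridable for dry runs
HOME_PARENT="${HOME_PARENT:-zroot/home}"     # hypothetical pool layout
STATE_DIR="${STATE_DIR:-/var/run/homekey}"   # hypothetical, root-only directory

valid_user() {  # reject names that could escape the dataset or state paths
    case "$1" in ''|-*|*[!A-Za-z0-9_-]*) return 1 ;; esac
}
lock() {        # mkdir is atomic, so it works as a portable per-user lock
    mkdir -p "$STATE_DIR" || return 1; i=0
    until mkdir "$STATE_DIR/$1.lock" 2>/dev/null; do
        i=$((i + 1)); [ "$i" -lt 10 ] || return 1; sleep 1
    done
}
unlock() { rmdir "$STATE_DIR/$1.lock"; }
count()  { cat "$STATE_DIR/$1.count" 2>/dev/null || echo 0; }

session_open() {   # first session loads the key and mounts the home
    valid_user "$1" || return 2
    lock "$1" || return 3
    ds="$HOME_PARENT/$1"; n=$(count "$1"); rc=0
    if [ "$n" -eq 0 ]; then
        "$ZFS_CMD" load-key "$ds" || rc=1        # reads passphrase from stdin
        if [ "$rc" -eq 0 ] && ! "$ZFS_CMD" mount "$ds"; then
            "$ZFS_CMD" unload-key "$ds"; rc=1    # never leave an unused key loaded
        fi
    fi
    [ "$rc" -eq 0 ] && echo $((n + 1)) > "$STATE_DIR/$1.count"
    unlock "$1"; return "$rc"
}

session_close() {  # last session unmounts and drops the key from memory
    valid_user "$1" || return 2
    lock "$1" || return 3
    ds="$HOME_PARENT/$1"; n=$(count "$1"); rc=0
    if [ "$n" -gt 1 ]; then
        echo $((n - 1)) > "$STATE_DIR/$1.count"
    else
        # If unmount fails (files still open) the key stays loaded; report it.
        "$ZFS_CMD" unmount "$ds" && "$ZFS_CMD" unload-key "$ds" || rc=1
        [ "$rc" -eq 0 ] && rm -f "$STATE_DIR/$1.count"
    fi
    unlock "$1"; return "$rc"
}
```

A non-zero return from session_close means the dataset is still mounted with its key in kernel memory, so the caller should log it rather than ignore it.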