Date: Mon, 5 Oct 2020 09:45:50 -0400 From: Eric McCorkle <eric@metricspace.net> To: FreeBSD Hackers <freebsd-hackers@freebsd.org> Subject: Mounting encrypted ZFS datasets/GELI for users? Message-ID: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net>
next in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --35Gdt79eq6Hqh2dnT95Ua3Au9svH7ytU8 Content-Type: multipart/mixed; boundary="9WiufMcVwIxejB76iEFHgZ8bbKp9O4ipW" --9WiufMcVwIxejB76iEFHgZ8bbKp9O4ipW Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable I'm presently looking into options presented by ZFS encryption. One idea I had was something like this (I'm going to go with ZFS for now, but you could presumably do something like this with GELI, with more effort). You could have your users' home directories on separate ZFS datasets, with a separate encryption key generated from their passphrase (you could also generalize this to a session key generated from some other form of authentication). When a user logs in, their authentication materials are used to recover the ZFS key, which is then used to mount the home directory. When they log out, their home directory is unmounted= =2E The tricky part seems to be that you need their authentication materials. I think you could maybe accomplish something like this with a custom PAM module that would load the key when the user logs in. I'm less sure how to unload the key when they log out, though. If you could manage that, then I think standard automounter stuff should be able to handle mounting and unmounting the actual filesystem as needed. Does anyone know of a better way to go about doing this? --9WiufMcVwIxejB76iEFHgZ8bbKp9O4ipW-- --35Gdt79eq6Hqh2dnT95Ua3Au9svH7ytU8 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQQ9+4mhuzHQx7ikjAs846Nm3BBWrAUCX3sjjgAKCRA846Nm3BBW rHywAQCxd2aP9HT2dcFaXW1eHZBPdUc/0cfaJVQyqshMD08MqgD+LJAI4J9O3vaf HYvs2cuu7WOIm67RqBIXj/eZRc++EQk= =723r -----END PGP SIGNATURE----- --35Gdt79eq6Hqh2dnT95Ua3Au9svH7ytU8--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8d467e98-237f-c6a2-72de-94c0195ec964>