Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 5 Oct 2020 12:26:28 -0400
From:      Eric McCorkle <eric@metricspace.net>
To:        Alan Somers <asomers@freebsd.org>
Cc:        FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Mounting encrypted ZFS datasets/GELI for users?
Message-ID:  <00dbfac0-6c6f-355e-c21b-db2cae3a87e4@metricspace.net>
In-Reply-To: <CAOtMX2jk9YzmKSQGaTAmwBgKK4AVW0%2B%2BbtJR6kxM%2Ba=NYjjjqg@mail.gmail.com>
References:  <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net> <CAOtMX2hbt-2MBryLUJLU9CLgvZO29vNzMwtSrR1YXvknHFaGjA@mail.gmail.com> <630f9133-4f67-92bd-41f9-fb04d985c159@metricspace.net> <CAOtMX2jk9YzmKSQGaTAmwBgKK4AVW0%2B%2BbtJR6kxM%2Ba=NYjjjqg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--3WPmuCuBaTKtYJgimOcHbPa0zRuAWsyQe
Content-Type: multipart/mixed; boundary="dbmgz7SRfcYFoRZKjzIuJ3iIYQhMt56ra"

--dbmgz7SRfcYFoRZKjzIuJ3iIYQhMt56ra
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 10/5/20 11:50 AM, Alan Somers wrote:
> On Mon, Oct 5, 2020 at 9:40 AM Eric McCorkle <eric@metricspace.net
> <mailto:eric@metricspace.net>> wrote:
>=20
>     On 10/5/20 11:12 AM, Alan Somers wrote:
>=20
>     > First of all, what kind of thread are you concerned with?=C2=A0 D=
isk
>     > encryption does not protect against an attacker with access to a =
live
>     > machine; it only protects against an attacker with access to an o=
ff
>     > machine, or to the bare HDDs.=C2=A0 Per-user encryption would pre=
sumably
>     > protect one user from another user who has physical access to the=
 off
>     > server.=C2=A0 Is that what you're worried about?=C2=A0 If not, th=
en you
>     shouldn't
>     > bother with per-user encryption.=C2=A0 Just encrypt all of /home =
or all of
>     > the pool with a single key.
>     >
>     > -Alan
>=20
>     I am evaluating options for domains where use of per-user encryptio=
n is
>     mandated, often as a means of protecting against insider threats.
>=20
>=20
> But if the victim user and the aggressor user are logged in at the same=

> time, then both users' home directories will be decrypted, and unix
> permissions will be the only thing protecting the victim, right?=C2=A0 =
That
> situation doesn't sound any better than no encryption at all.=C2=A0 And=

> insiders who have offline access to the HDDs would be thwarted by globa=
l
> encryption just as much as per-user encryption.=C2=A0 I'm not denying t=
hat
> you may be under some legal mandate for per-user encryption; I just
> don't understand the motivation.

Per-user encryption is not perfect, but that's not the goal of
requirements like this.  First of all, this can be used to protect
secure workstations, where it's reasonable to expect only one person to
be logged in at a time.

Beyond that, the goal is to shrink the window of possible attacks and to
aid detection.  If the Adversary has to be active while a particular
user is logged in, then they have a much smaller window of attack.
Moreover, this helps with forensics, as you can look at what else was
going on in the system in the much shorter window while a compromised
user was active.


--dbmgz7SRfcYFoRZKjzIuJ3iIYQhMt56ra--

--3WPmuCuBaTKtYJgimOcHbPa0zRuAWsyQe
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQ9+4mhuzHQx7ikjAs846Nm3BBWrAUCX3tJNAAKCRA846Nm3BBW
rAv3AP9wsXh1/Oodq8r1bP5eX7f61ZIpv8GI5o4tPKXedEgl+QD/SEjZxtUTadq6
+2p54TD75g8203A91TIL7j8k5+KiBg0=
=txeh
-----END PGP SIGNATURE-----

--3WPmuCuBaTKtYJgimOcHbPa0zRuAWsyQe--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00dbfac0-6c6f-355e-c21b-db2cae3a87e4>