From: Eric McCorkle <eric@metricspace.net>
To: Alan Somers
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: Mounting encrypted ZFS datasets/GELI for users?
Date: Mon, 5 Oct 2020 12:26:28 -0400
Message-ID: <00dbfac0-6c6f-355e-c21b-db2cae3a87e4@metricspace.net>
References: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net> <630f9133-4f67-92bd-41f9-fb04d985c159@metricspace.net>
On 10/5/20 11:50 AM, Alan Somers wrote:
> On Mon, Oct 5, 2020 at 9:40 AM Eric McCorkle wrote:
>
> > On 10/5/20 11:12 AM, Alan Somers wrote:
> >
> > > First of all, what kind of threat are you concerned with?  Disk
> > > encryption does not protect against an attacker with access to a live
> > > machine; it only protects against an attacker with access to an off
> > > machine, or to the bare HDDs.  Per-user encryption would presumably
> > > protect one user from another user who has physical access to the off
> > > server.  Is that what you're worried about?  If not, then you shouldn't
> > > bother with per-user encryption.  Just encrypt all of /home or all of
> > > the pool with a single key.
> > >
> > > -Alan
> >
> > I am evaluating options for domains where use of per-user encryption is
> > mandated, often as a means of protecting against insider threats.
>
> But if the victim user and the aggressor user are logged in at the same
> time, then both users' home directories will be decrypted, and unix
> permissions will be the only thing protecting the victim, right?  That
> situation doesn't sound any better than no encryption at all.  And
> insiders who have offline access to the HDDs would be thwarted by global
> encryption just as much as per-user encryption.  I'm not denying that
> you may be under some legal mandate for per-user encryption; I just
> don't understand the motivation.

Per-user encryption is not perfect, but that's not the goal of
requirements like this.  First of all, this can be used to protect secure
workstations, where it's reasonable to expect only one person to be
logged in at a time.

Beyond that, the goal is to shrink the window of possible attacks and to
aid detection.  If the Adversary has to be active while a particular user
is logged in, then they have a much smaller window of attack.  Moreover,
this helps with forensics, as you can look at what else was going on in
the system in the much shorter window while a compromised user was active.
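The two arguments in this exchange can be made concrete with a small triage script. The following is an added example, not code from the original thread or from FreeBSD. It assumes a hypothetical audit trail in which a user's encrypted home dataset is mounted at login and unmounted at logout (per-user keys), so the interval in which that user's files were readable is exactly that user's session; both log excerpts are constructed for the example. It narrows the set of system events worth examining to those inside the compromised user's sessions (Eric's forensic-window point) and also lists the other users whose datasets were mounted at the same time (Alan's concurrent-login exposure).

```python
"""Triage helper for per-user encrypted home datasets.

Added example for this thread, not code from the original messages or from
FreeBSD. It assumes a simple audit trail in which a user's encrypted dataset
is mounted at login and unmounted at logout, so the interval in which that
user's files were readable equals the user's session. All log lines below
are constructed for the example.
"""
from datetime import datetime

# Constructed mount/unmount audit trail: "<timestamp> <user> <mount|unmount>".
SESSION_LOG = """\
2020-10-05T08:02:11Z alice mount
2020-10-05T08:15:40Z bob mount
2020-10-05T09:30:05Z bob unmount
2020-10-05T12:45:00Z alice unmount
2020-10-05T13:10:22Z bob mount
2020-10-05T14:00:00Z bob unmount
"""

# Constructed system events to correlate against: "<timestamp> <description>".
EVENT_LOG = """\
2020-10-05T07:55:00Z sshd: accepted publickey for carol
2020-10-05T08:20:13Z sudo: session opened for bob
2020-10-05T09:10:44Z pkg: unexpected package installed
2020-10-05T11:00:00Z cron: nightly backup started
2020-10-05T13:30:01Z pf: outbound connection to unlisted host
2020-10-05T15:12:30Z sshd: accepted publickey for alice
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def session_windows(session_log, user):
    """Intervals [(start, end)] during which `user`'s dataset was mounted.

    An end of None means the dataset was still mounted when the log ends.
    """
    windows, open_since = [], None
    for line in session_log.splitlines():
        ts, who, action = line.split()
        if who != user:
            continue
        if action == "mount" and open_since is None:
            open_since = parse_ts(ts)
        elif action == "unmount" and open_since is not None:
            windows.append((open_since, parse_ts(ts)))
            open_since = None
    if open_since is not None:
        windows.append((open_since, None))
    return windows


def _in_window(ts, window):
    start, end = window
    return start <= ts and (end is None or ts <= end)


def events_during(event_log, windows):
    """Events whose timestamp falls inside any of the given windows."""
    hits = []
    for line in event_log.splitlines():
        ts_text, _, desc = line.partition(" ")
        if any(_in_window(parse_ts(ts_text), w) for w in windows):
            hits.append((ts_text, desc))
    return hits


def concurrent_users(session_log, user):
    """Other users whose datasets were mounted while `user`'s was mounted.

    While two users are logged in, only Unix permissions separate their
    decrypted home directories, so these users share the exposure window.
    """
    mine = session_windows(session_log, user)
    others = {line.split()[1] for line in session_log.splitlines()} - {user}
    exposed = set()
    for other in others:
        for s1, e1 in session_windows(session_log, other):
            for s2, e2 in mine:
                # Two intervals overlap when each starts before the other ends.
                if (e2 is None or s1 <= e2) and (e1 is None or s2 <= e1):
                    exposed.add(other)
    return exposed


def triage(session_log, event_log, user):
    """Compare the forensic window under per-user keys with a single pool key.

    With one key for the whole pool every logged event is a candidate; with
    per-user keys only events inside the user's sessions need review.
    """
    windows = session_windows(session_log, user)
    all_events = [tuple(l.partition(" ")[::2]) for l in event_log.splitlines()]
    return {
        "windows": windows,
        "candidates_per_user_key": events_during(event_log, windows),
        "candidates_single_key": all_events,
        "concurrent_users": concurrent_users(session_log, user),
    }


if __name__ == "__main__":
    result = triage(SESSION_LOG, EVENT_LOG, "bob")
    for ts, desc in result["candidates_per_user_key"]:
        print(ts, desc)
    print("concurrent:", sorted(result["concurrent_users"]))
```

Run against the constructed logs for `bob`, the per-user-key view reduces six candidate events to three, while the single-key view keeps all six; the concurrent-user check reports `alice`, whose session overlaps bob's first one, which is exactly the case where the encryption adds nothing over file permissions.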