Date: Mon, 05 Oct 2020 19:58:53 +0200
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Eric McCorkle <eric@metricspace.net>
Cc: Alan Somers <asomers@freebsd.org>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: Mounting encrypted ZFS datasets/GELI for users?
Message-ID: <20201005175853.4OgAF%steffen@sdaoden.eu>
In-Reply-To: <00dbfac0-6c6f-355e-c21b-db2cae3a87e4@metricspace.net>
References: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net> <CAOtMX2hbt-2MBryLUJLU9CLgvZO29vNzMwtSrR1YXvknHFaGjA@mail.gmail.com> <630f9133-4f67-92bd-41f9-fb04d985c159@metricspace.net> <CAOtMX2jk9YzmKSQGaTAmwBgKK4AVW0%2B%2BbtJR6kxM%2Ba=NYjjjqg@mail.gmail.com> <00dbfac0-6c6f-355e-c21b-db2cae3a87e4@metricspace.net>
Eric McCorkle wrote in
 <00dbfac0-6c6f-355e-c21b-db2cae3a87e4@metricspace.net>:
 |On 10/5/20 11:50 AM, Alan Somers wrote:
 |> On Mon, Oct 5, 2020 at 9:40 AM Eric McCorkle <eric@metricspace.net
 |> <mailto:eric@metricspace.net>> wrote:
 |>
 |>     On 10/5/20 11:12 AM, Alan Somers wrote:
 |>
 |>> First of all, what kind of threat are you concerned with? Disk
 |>> encryption does not protect against an attacker with access to a live
 |>> machine; it only protects against an attacker with access to an off
 |>> machine, or to the bare HDDs. Per-user encryption would presumably
 |>> protect one user from another user who has physical access to the off
 |>> server. Is that what you're worried about? If not, then you
 |>> shouldn't bother with per-user encryption. Just encrypt all of /home
 |>> or all of the pool with a single key.
 |>>
 |>> -Alan
 |>
 |>     I am evaluating options for domains where use of per-user encryption
 |>     is mandated, often as a means of protecting against insider threats.
 |>
 |>
 |> But if the victim user and the aggressor user are logged in at the same
 |> time, then both users' home directories will be decrypted, and unix
 |> permissions will be the only thing protecting the victim, right? That
 |> situation doesn't sound any better than no encryption at all. And
 |> insiders who have offline access to the HDDs would be thwarted by global
 |> encryption just as much as per-user encryption. I'm not denying that
 |> you may be under some legal mandate for per-user encryption; I just
 |> don't understand the motivation.
 |
 |Per-user encryption is not perfect, but that's not the goal of
 |requirements like this. First of all, this can be used to protect
 |secure workstations, where it's reasonable to expect only one person to
 |be logged in at a time.
 |
 |Beyond that, the goal is to shrink the window of possible attacks and to
 |aid detection. If the Adversary has to be active while a particular
 |user is logged in, then they have a much smaller window of attack.
 |Moreover, this helps with forensics, as you can look at what else was
 |going on in the system in the much shorter window while a compromised
 |user was active.

That project is very cool. I also want to thank you for importing ZFS
with encryption; I am not using it yet, but am looking forward to it.

One important aspect of such (additional, on top of block-encrypted
disks) per-user-home encryption is that you can simply back up the
entire directory without additional protection, if you have access to
the unmounted content.

I personally use several different encrypted directories, not
/home/steffen as such but sec.arena and sic therein, which are only
mounted as necessary and automatically unmounted (for all users) when
the lid is closed.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
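As an added example (not code from this thread, nor from FreeBSD or OpenZFS themselves), the arrangement the thread converges on, one passphrase-keyed dataset per user that is only mounted while that user needs it, dropped again when the lid closes, and backed up as ciphertext, written as a FreeBSD sh script over OpenZFS native encryption. Assumptions: pool `zroot`, parent dataset `zroot/home`, the script installed as `/usr/local/sbin/userhome.sh`, and devd's ACPI `Lid` event with notify `0x00` meaning "closed". Setting `ZFS=echo` dry-runs the command sequence instead of touching a pool. `lock_all_homes` only unloads keys that are currently loaded, which is exactly the window Alan points out: while two users are both logged in, both homes are plaintext and only Unix permissions separate them.

```shell
#!/bin/sh
# Added example: per-user encrypted ZFS home datasets on FreeBSD (OpenZFS native
# encryption). Pool "zroot", parent "zroot/home" and the devd rule are assumptions.
# Set ZFS=echo to dry-run and just print the zfs commands that would be issued.
set -eu

ZFS=${ZFS:-zfs}
HOME_PARENT=${HOME_PARENT:-zroot/home}

# Create one passphrase-encrypted dataset for a user. keylocation=prompt means the
# key only ever comes from the console, never from a file on the same disks;
# canmount=noauto stops the boot-time "zfs mount -a" from touching it.
create_user_home() {
    user=$1
    $ZFS create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt -o mountpoint=/home/"$user" \
        -o canmount=noauto "$HOME_PARENT/$user"
}

# Mount on demand: load the key (this is where the passphrase prompt happens),
# then mount. Typically run from the user's login hook.
mount_user_home() {
    user=$1
    $ZFS load-key "$HOME_PARENT/$user"
    $ZFS mount "$HOME_PARENT/$user"
}

# Unmount and forget the key, so the plaintext is no longer reachable from the
# live system. The inverse of mount_user_home, in the opposite order.
unmount_user_home() {
    user=$1
    $ZFS unmount "$HOME_PARENT/$user"
    $ZFS unload-key "$HOME_PARENT/$user"
}

# Lock every home whose key is loaded right now (keystatus=available). This is
# the lid-close action: it closes the window during which a logged-in user's data
# is decrypted, which is the part per-user encryption cannot protect by itself.
lock_all_homes() {
    $ZFS list -H -o name,keystatus -r "$HOME_PARENT" | while read -r name status; do
        [ "$name" = "$HOME_PARENT" ] && continue
        if [ "$status" = "available" ]; then
            $ZFS unmount "$name" || true
            $ZFS unload-key "$name"
        fi
    done
}

# Back up the ciphertext as-is: "zfs send --raw" streams the encrypted blocks plus
# the wrapped key, so the backup host never needs the passphrase. The dataset does
# not have to be mounted or have its key loaded.
backup_user_home() {
    user=$1; snap=$2; dest=$3
    $ZFS snapshot "$HOME_PARENT/$user@$snap"
    $ZFS send --raw "$HOME_PARENT/$user@$snap" > "$dest"
}

# Write a devd(8) rule (assumption: ACPI "Lid" notify 0x00 is "closed") that runs
# this script's lock action whenever the lid is shut.
install_lid_hook() {
    conf=$1; script=$2
    cat > "$conf" <<EOF
notify 10 {
	match "system"    "ACPI";
	match "subsystem" "Lid";
	match "notify"    "0x00";
	action "$script lock";
};
EOF
}

# Command-line entry point: userhome.sh create|mount|unmount|lock|backup|lid-hook ...
case "${1:-}" in
    create)   create_user_home "$2" ;;
    mount)    mount_user_home "$2" ;;
    unmount)  unmount_user_home "$2" ;;
    lock)     lock_all_homes ;;
    backup)   backup_user_home "$2" "$3" "$4" ;;
    lid-hook) install_lid_hook "$2" "${3:-/usr/local/sbin/userhome.sh}" ;;
    *) [ $# -eq 0 ] || { echo "usage: $0 create|mount|unmount|lock|backup|lid-hook ..." >&2; exit 64; } ;;
esac
```

Install with `userhome.sh lid-hook /usr/local/etc/devd/lock-homes.conf` followed by `service devd restart`; after that, `userhome.sh create alice` once, and `userhome.sh mount alice` from the login path. Note that `backup_user_home` works on a locked dataset, which is the "back up the unmounted content without additional protection" property described above.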
