Date: Mon, 05 Oct 2020 19:58:53 +0200
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Eric McCorkle <eric@metricspace.net>
Cc: Alan Somers <asomers@freebsd.org>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: Mounting encrypted ZFS datasets/GELI for users?
Message-ID: <20201005175853.4OgAF%steffen@sdaoden.eu>
In-Reply-To: <00dbfac0-6c6f-355e-c21b-db2cae3a87e4@metricspace.net>
References: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net> <CAOtMX2hbt-2MBryLUJLU9CLgvZO29vNzMwtSrR1YXvknHFaGjA@mail.gmail.com> <630f9133-4f67-92bd-41f9-fb04d985c159@metricspace.net> <CAOtMX2jk9YzmKSQGaTAmwBgKK4AVW0%2B%2BbtJR6kxM%2Ba=NYjjjqg@mail.gmail.com> <00dbfac0-6c6f-355e-c21b-db2cae3a87e4@metricspace.net>
Eric McCorkle wrote in <00dbfac0-6c6f-355e-c21b-db2cae3a87e4@metricspace.net>:
 |On 10/5/20 11:50 AM, Alan Somers wrote:
 |> On Mon, Oct 5, 2020 at 9:40 AM Eric McCorkle <eric@metricspace.net
 |> <mailto:eric@metricspace.net>> wrote:
 |>
 |> On 10/5/20 11:12 AM, Alan Somers wrote:
 |>
 |>> First of all, what kind of threat are you concerned with? Disk
 |>> encryption does not protect against an attacker with access to a live
 |>> machine; it only protects against an attacker with access to an off
 |>> machine, or to the bare HDDs. Per-user encryption would presumably
 |>> protect one user from another user who has physical access to the off
 |>> server. Is that what you're worried about? If not, then you
 |> shouldn't
 |>> bother with per-user encryption. Just encrypt all of /home or all of
 |>> the pool with a single key.
 |>>
 |>> -Alan
 |>
 |> I am evaluating options for domains where use of per-user encryption
 |> is
 |> mandated, often as a means of protecting against insider threats.
 |>
 |>
 |> But if the victim user and the aggressor user are logged in at the same
 |> time, then both users' home directories will be decrypted, and unix
 |> permissions will be the only thing protecting the victim, right? That
 |> situation doesn't sound any better than no encryption at all. And
 |> insiders who have offline access to the HDDs would be thwarted by global
 |> encryption just as much as per-user encryption. I'm not denying that
 |> you may be under some legal mandate for per-user encryption; I just
 |> don't understand the motivation.
 |
 |Per-user encryption is not perfect, but that's not the goal of
 |requirements like this. First of all, this can be used to protect
 |secure workstations, where it's reasonable to expect only one person to
 |be logged in at a time.
 |
 |Beyond that, the goal is to shrink the window of possible attacks and to
 |aid detection. If the Adversary has to be active while a particular
 |user is logged in, then they have a much smaller window of attack.
 |Moreover, this helps with forensics, as you can look at what else was
 |going on in the system in the much shorter window while a compromised
 |user was active.

That project is very cool. I also want to say thanks for importing ZFS with encryption; I am not using it yet, but am looking forward to it.

One important aspect of such (additional, on top of block-encrypted disks) per-user-home encryption is that you can simply back up the entire directory without additional protection, if you have access to the unmounted content.

I personally use several different encrypted directories, not /home/steffen as such but sec.arena and sic therein, which get only mounted as necessary, and automatically unmounted (for all users) when the lid is closed.

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
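[Editor's added example, not part of the thread and not code from any of its authors.] The mount-on-demand, unmount-on-lid-close setup described above, applied to the subject of the thread (per-user encrypted ZFS datasets on FreeBSD), looks roughly like the script below. It assumes a parent dataset zroot/home with one child dataset per user, each created with keyformat=passphrase and keylocation=prompt; the dataset names, the script path in the devd stanza and the use of a login-session hook are all assumptions. The key is only loaded while the user's session needs it, and the lid-close handler unmounts and unloads the key of every user home, so an attacker on the live machine has only the window in which a home is actually open, which is the property Eric describes.

```sh
#!/bin/sh
# Added example (not from the thread): per-user encrypted ZFS home datasets on
# FreeBSD, mounted on demand and locked (unmounted + key unloaded) for all
# users when the lid closes. Assumptions: parent dataset "zroot/home", one
# child dataset per user, created with keyformat=passphrase, keylocation=prompt.
set -eu

HOME_PARENT="${HOME_PARENT:-zroot/home}"
ZFS="${ZFS:-zfs}"   # set ZFS=echo to dry-run and just print the zfs commands

# Map a login name to its dataset; reject names that could escape the parent.
dataset_for_user() {
    case "$1" in
        ''|*/*|*[!A-Za-z0-9._-]*) echo "bad user name: $1" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$HOME_PARENT" "$1"
}

# One-time setup: an encrypted, passphrase-protected dataset for one user.
# canmount=noauto keeps it from being mounted at boot behind the user's back.
create_home() {
    ds=$(dataset_for_user "$1")
    "$ZFS" create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt -o canmount=noauto "$ds"
}

# At login (e.g. from a session hook): load the key, which prompts for the
# passphrase on the terminal, then mount the dataset.
unlock_home() {
    ds=$(dataset_for_user "$1")
    "$ZFS" load-key "$ds"
    "$ZFS" mount "$ds"
}

# Unmount and drop the key from kernel memory. Not forced: a busy dataset
# stays mounted rather than risking data loss, and the key is only unloaded
# after a successful unmount (the && chain matters when called under ||).
lock_home() {
    ds=$(dataset_for_user "$1") &&
    "$ZFS" unmount "$ds" &&
    "$ZFS" unload-key "$ds"
}

# Lid-close handler: lock every user home below the parent dataset.
lock_all_homes() {
    "$ZFS" list -H -o name -d 1 -t filesystem "$HOME_PARENT" |
    while read -r ds; do
        [ "$ds" = "$HOME_PARENT" ] && continue
        lock_home "${ds##*/}" || echo "still open: $ds" >&2
    done
}

# Constructed devd(8) stanza, e.g. /usr/local/etc/devd/lockhome.conf, that
# runs the handler when ACPI reports the lid closed (notify 0x00 = closed):
#   notify 10 {
#       match "system"    "ACPI";
#       match "subsystem" "Lid";
#       match "notify"    "0x00";
#       action "/usr/local/sbin/lockhome.sh lock_all";
#   };

case "${1:-}" in
    create)   create_home "$2" ;;
    unlock)   unlock_home "$2" ;;
    lock)     lock_home "$2" ;;
    lock_all) lock_all_homes ;;
esac
```

Because the dataset is unmounted before the key is unloaded, the on-disk form is exactly what an offline backup of the parent dataset would pick up (zfs send -w / raw sends keep it encrypted), which is the "back up without additional protection" point made in the reply.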