Re: ZFS home encryption is misleading for new desktop users

On Sun, Jul 6, 2025 at 2:01 PM Marc Coquand <marc@coquand.email> wrote:
>
> Heya!
>
> When you install FreeBSD with zfs+encrypted home, the home is seemingly "encrypted", but that is only if you login as root, run zfs load-keys and mount the directory. Otherwise, your home directory is an unencrypted directory living in the zroot/home dataset. Running `zfs list` makes it seem that the directory is actually mounted, because you see:
>
> NAME                  USED  AVAIL  REFER  MOUNTPOINT
> zfs/home/me        XX   XX   XX  /home/me
>
> However, running df uncovers that the dataset is actually never mounted! You need to first load keys and then mount the disk. I think that's confusing for a new desktop user. I actually thought my home directory was encrypted since that is what I had setup in the installer! I only discovered this because there were no snapshot directory in my $HOME, and so I had created snapshots for an encrypted dataset that was never mounted.
>
> It feels like an easy mistake to make, and maybe there could be a way to make it more obvious.
>
> Sincerely,
> Marc
>
>

Right, it seems that this feature is sort of half-baked.

In the desktop lands the way forward, I think, is implementing of
org.freedesktop.home1 DBus interface and teaching display managers to
invoke it. For the console usage we can modify login(1) to ask for a
passphrase and mount the dataset if needed. Maybe this functionality
should even be sinked down to a PAM module to deduplicate the common
code.