Re: ZFS home encryption is misleading for new desktop users

On 07.07.25 13:16, Gleb Popov wrote:
> On Sun, Jul 6, 2025 at 2:01 PM Marc Coquand <marc@coquand.email> wrote:
>> Heya!
>>
>> When you install FreeBSD with zfs+encrypted home, the home is seemingly "encrypted", but that is only if you login as root, run zfs load-keys and mount the directory. Otherwise, your home directory is an unencrypted directory living in the zroot/home dataset. Running `zfs list` makes it seem that the directory is actually mounted, because you see:
>>
>> NAME                  USED  AVAIL  REFER  MOUNTPOINT
>> zfs/home/me        XX   XX   XX  /home/me
>>
>> However, running df uncovers that the dataset is actually never mounted! You need to first load keys and then mount the disk. I think that's confusing for a new desktop user. I actually thought my home directory was encrypted since that is what I had setup in the installer! I only discovered this because there were no snapshot directory in my $HOME, and so I had created snapshots for an encrypted dataset that was never mounted.
>>
>> It feels like an easy mistake to make, and maybe there could be a way to make it more obvious.
>>
>> Sincerely,
>> Marc
>>
>>
> Right, it seems that this feature is sort of half-baked.
>
> In the desktop lands the way forward, I think, is implementing of
> org.freedesktop.home1 DBus interface and teaching display managers to
> invoke it. For the console usage we can modify login(1) to ask for a
> passphrase and mount the dataset if needed. Maybe this functionality
> should even be sinked down to a PAM module to deduplicate the common
> code.
>
That PAM module already exists and is called pam_zfs_key. It's **just** 
not enabled :-/.