Mounting encrypted ZFS datasets/GELI for users?
John-Mark Gurney
jmg at funkthat.com
Mon Oct 26 22:12:19 UTC 2020
Eric McCorkle wrote this message on Mon, Oct 05, 2020 at 09:45 -0400:
> I'm presently looking into options presented by ZFS encryption. One
> idea I had was something like this (I'm going to go with ZFS for now,
> but you could presumably do something like this with GELI, with more
> effort).
I'd still recommend using GELI. Even w/ ZFS's native encryption, the
metadata for ZFS remains unencrypted, and able to be munged. If you
geli w/ ZFS and a strong checksum, like sha512/256, I believe that this
is the equivalent to authenticated encryption, a la geli's authenticated
mode, but with significantly less overhead...
> You could have your users' home directories on separate ZFS datasets,
> with a separate encryption key generated from their passphrase (you
> could also generalize this to a session key generated from some other
> form of authentication). When a user logs in, their authentication
> materials are used to recover the ZFS key, which is then used to mount
> the home directory. When they log out, their home directory is unmounted.
This has already been implemented in PEFS:
https://pefs.io/
and there's already a port for it:
https://www.freshports.org/sysutils/pefs-kmod/
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-hackers
mailing list