Hi,
I was pleasantly surprised when I installed a new [1] zfs-on-root -current
to rpi4 that when adduser was invoked, I was given the option to encrypt
the homedir. This is a great feature for my context [2].
It doesn't automount on boot but I think this is more of a feature
rather than a bug. One can have a different password to the GELI one used
to boot up the whole system.
I have not tested yet whether one can have the user, once logged in, mount
their homedir with doas(1). Right now, I mount the homedir like so:
zfs load-key -a (prompts for password)
zfs mount -a
as root.
I could I guess make a doas line for the user for zfs load-key -r
zfsfile/system.
Can anyone suggest any better ideas please?
[1] n271321-9ae91f59c500
[2] machine and disk are not in a "secure" area. My concern is for data-at-rest.
homedirs will have things like cached passwords user creds etc and it's to
prevent
someone just walking off with the disk and grabbing user creds for example.
--
