Reading this reminded me that the feature I'm really waiting for is
two-factor boot time authentication from encrypted zfs boot...

Is this likely to be seen in the near-ish future?

Regards
Rob

-----Original Message-----
From: zfs-crypto-discuss-boun...@opensolaris.org
[mailto:zfs-crypto-discuss-boun...@opensolaris.org] On Behalf Of Darren J Moffat
Sent: 21 April 2011 13:32
To: Dr. David Kirkby
Cc: zfs-crypto-discuss@opensolaris.org
Subject: Re: How to mount encrypted file system at boot? Why no pass phrase requested


On 21/04/2011 11:05, Dr. David Kirkby wrote:
> I went to a talk last night at the London Open Solaris User Group (LOSUG)
> by Darren Moffat - an Oracle engineer who had a major role in the ZFS
> encryption implementation in Solaris. I was particularly interested in
> this, as for a long time I've been concerned about security of data on my
> laptop.
>
> I decided to try to secure my laptop, which is running Solaris 11 Express.
> I want to set the machine up so that during the boot process I get asked to
> enter the pass phrase to mount file system with my home directory on.
>
> But I am having problems.
>
> First I create the file system. As expected, Solaris asks for a pass
> phrase:
>
> drkirkby@laptop:~# zfs create -o compression=on -o encryption=on -o
> mountpoint=/export/home/davek rpool/export/home/davek
> Enter passphrase for 'rpool/export/home/davek': *******
> Enter again: ******
>
> Next I create a file on the file system and check it exists.
>
> drkirkby@laptop:~# touch /export/home/davek/foo
> drkirkby@laptop:~# ls /export/home/davek/foo
> /export/home/davek/foo
>
> Unmount the encrypted file system
>
> drkirkby@laptop:~# zfs umount rpool/export/home/davek
>
> Check the file I created is no longer available
>
> drkirkby@laptop:~# ls /export/home/davek/foo
> /export/home/davek/foo: No such file or directory

> Now I get a problem. I was expecting to have to enter the pass
> phrase again when attempting to mount the file system, but this is not
> being requested. As you can see, I can mount the file system without the
> pass phrase and read the data on the file system.

I covered that in the talk last night - in fact we had about a 5 minute
discussion about why it is this way.

If you want the key to go away you need to run:

        # zfs key -u rpool/export/home/davek

> drkirkby@laptop:~# zfs mount rpool/export/home/davek
> drkirkby@laptop:~# ls /export/home/davek/foo
> /export/home/davek/foo
> drkirkby@laptop:~#
>
> This looks wrong to me, but I've no idea how to solve it.

No it is correct by design.

As I mentioned last night the reason for this is so that delegated
administration of certain properties can work for users that don't have
the 'key' delegation and don't have access to the wrapping keys.

For example changing a mountpoint causes an umount followed by a mount.
There are other changes that under the covers can cause a filesystem
to be temporarily unmounted and remounted.

> The next issue is how do I get the file system to mount when the
> machine is booted? I want to supply the pass phrase by typing it in,
> rather than from storing it in USB stick or other similar method.

Since this is your user home directory the ideal way would be a PAM
module that ran during user login and requested the passphrase for the
ZFS encrypted home dir.

There isn't one in Solaris 11 Express (snv_151a) at this time.

> Any ideas what I need to do to get this file system to request the
> pass phrase before mounting the file system?

There is source for a prototype PAM module in the old opensolaris.org
zfs-crypto repository:

http://src.opensolaris.org/source/history/zfs-crypto/phase2/usr/src/lib/pam_modules/

You would need to take a clone of that repository and check out
changeset 6749:6dded109490e and see if that old PAM module could be
hacked into submission. Note that it uses private interfaces and doing
so is not supported by any Oracle support contract you have.

--
Darren J Moffat
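The state Darren describes, an encrypted dataset sitting unmounted while its wrapping key is still loaded, is easy to miss on a laptop. The audit helper below is an added example, not code from this thread or from Solaris; it assumes the Solaris 11 `zfs list -H -o name,encryption,keystatus,mounted` output format (four tab-separated columns, `keystatus` of `available`/`unavailable`/`none`, `mounted` of `yes`/`no`) and runs here against a constructed sample listing.

```shell
#!/bin/sh
# Audit helper (added example): find encrypted datasets whose wrapping key is
# still loaded although the filesystem is unmounted, and print the
# `zfs key -u` commands that would unload those keys.
# Assumes Solaris 11 `zfs list -H -o name,encryption,keystatus,mounted`
# output: one dataset per line, four tab-separated columns.

# Constructed sample listing standing in for a real `zfs list` run.
SAMPLE_LISTING=$(printf '%s\t%s\t%s\t%s\n' \
    rpool                    off  none        yes \
    rpool/export/home/davek  on   available   no  \
    rpool/export/home/alice  on   unavailable no  \
    rpool/export/home/bob    on   available   yes)

# Read a listing on stdin; print names of datasets that are encrypted,
# have their key loaded (keystatus=available) and are not mounted.
unmounted_with_loaded_key() {
    awk -F '\t' '$2 != "off" && $3 == "available" && $4 == "no" { print $1 }'
}

# Turn that list into one `zfs key -u <dataset>` line per dataset. The
# commands are printed, not executed, so the operator can review them first.
key_unload_commands() {
    unmounted_with_loaded_key | while IFS= read -r ds; do
        printf 'zfs key -u %s\n' "$ds"
    done
}

# Wrappers over the constructed sample so the helpers run without a zpool.
# On a live host feed the real listing instead:
#   zfs list -H -o name,encryption,keystatus,mounted | key_unload_commands
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | unmounted_with_loaded_key
}
audit_sample_commands() {
    printf '%s\n' "$SAMPLE_LISTING" | key_unload_commands
}

audit_sample_commands
```

Only the `davek` dataset is reported: `alice` already has its key unloaded and `bob` is still mounted, so neither is in the surprising unmounted-but-key-loaded state.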
_______________________________________________
zfs-crypto-discuss mailing list
zfs-crypto-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-crypto-discuss
