User home directory encryption with ZFS

ZFS encryption has a very flexible key management capability, including the option to delegate key management to individual users.  We can use this together with a PAM module I wrote to provide per user encrypted home directories.  My laptop and workstation at Oracle are configured like this:

First lest setup console login for encrypted home directories:

    root@ltz:~# cat >> /etc/pam.conf<<_EOM
    login auth     required pam_zfs_key.so.1 create
    other password required pam_zfs_key.so.1
    _EOM

The first line ensures that when we login on the console bob's home directory is created with as an encrypted ZFS file system if it doesn't already exist, the second one ensures that the passphrase for it stays in sync with his login password.

Now lets create a new user 'bob' who looks after his own encryption key for is home directory, note that we do not specify '-m' to useradd so that pam_zfs_key will create the home directory when the user logs in.

root@ltz:~# useradd bob
root@ltz:~# passwd bob
New Password: 
Re-enter new Password: 
passwd: password successfully changed for bob
root@ltz:~# passwd -f bob
passwd: password information changed for bob

We have now created the user bob with an expired password. Lets login as bob and see what happens:

    ltz console login: bob
    Password: 
    Choose a new password.
    New Password: 
    Re-enter new Password: 
    login: password successfully changed for bob
    Creating home directory with encryption=on.
    Your login password will be used as the wrapping key.
    Last login: Tue Oct 18 12:55:59 on console
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    -bash-4.1$ /usr/sbin/zfs get encryption,keysource rpool/export/home/bob
    NAME                   PROPERTY    VALUE              SOURCE
    rpool/export/home/bob  encryption  on                 local
    rpool/export/home/bob  keysource   passphrase,prompt  local

Note that bob had to first change the expired password. After we provided a new login password a new ZFS file system for bob's home directory was created. The new login password that bob chose is also the passphrase for this ZFS encrypted home directory. This means that at no time did the administrator ever know the passphrase for bob's home directory. After the machine reboots bob's home directory won't be mounted anymore until bob logs in again.  If we want bob's home directory to be unmounted and the key removed from the kernel when bob logs out (even if the system isn't rebooting) then we can add the 'force' option to the pam_zfs_key.so.1 module line in /etc/pam.conf

If users login with GDM or ssh then there is a little more configuration needed in /etc/pam.conf to enable pam_zfs_key for those services as well.

 
root@ltz:~# cat >> /etc/pam.conf<<_EOM
gdm     auth requisite          pam_authtok_get.so.1
gdm     auth required           pam_unix_cred.so.1
gdm     auth required           pam_unix_auth.so.1
gdm     auth required           pam_zfs_key.so.1 create
gdm     auth required           pam_unix_auth.so.1
_EOM

root@ltz:~# cat >> /etc/pam.conf<<_EOM
sshd-kbdint     auth requisite          pam_authtok_get.so.1
sshd-kbdint     auth required           pam_unix_cred.so.1
sshd-kbdint     auth required           pam_unix_auth.so.1
sshd-kbdint     auth required           pam_zfs_key.so.1 create
sshd-kbdint     auth required           pam_unix_auth.so.1
_EOM

Note that this only works when we are logging in to SSH with a password. Not if we are doing pubkey authentication because the encryption passphrase for the home directory hasn't been supplied. However pubkey and gssapi will work for later authentications after the home directory is mounted up since the ZFS passphrase is supplied during that first ssh or gdm login.
Comments:

Is there any way of creating a new encrypted home directory for an existing user?

Posted by Jeremy Pick on November 11, 2011 at 05:06 PM GMT #

Jeremy, you can't migrate an existing ZFS filesystem that has encryption=off to one that has encryption=on. However you can create a new one for them and then manually migrate data over to it (say using rsync). To do that you would just change the existing ZFS filesystem for the home directory to be named differently. Then pam_zfs_key will notice that rpool/export/home/user doesn't exist and will create a new one. I suspect this isn't quite what you want though but it might be part of the solution. Remember also that if you are using the same pool even if you delete the old home directory you will have unencrypted data on disk for that old home directory still.

Posted by Darren Moffat on November 14, 2011 at 06:21 AM GMT #

Great stuff!, this will work if my home is on another pool?

Regards,
CA

Posted by Carlos Almeida, on November 28, 2011 at 07:25 AM GMT #

Carlos, yes it does you will need to set the pam_zfs_key homes= option in /etc/pam.conf see example 2 in the pam_zfs_key man page:

Posted by Darren Moffat on November 28, 2011 at 09:08 AM GMT #

again, great, great stuff, many thanks for your reply

Regards,
CA,

Posted by Carlos Almeida, on November 28, 2011 at 09:21 AM GMT #

I do like encrypted home directories , but user has no longer a way to create crontab entries that refer to his home directory after reboot. Or ssh-ing into the machine with keys stored in ~/.ssh/authorized_keys2.

Well, it's solvable , but some things just break when you enhance security ;-)

Jolly aka Patrick

Posted by Patrick aka Jolly on February 13, 2012 at 09:27 AM GMT #

Hi Darren,

I use (successfully) this method for home directories inside a Zone, for which we are doing Flying Zone. But because of the interactive nature when doing a mount after the import on the other host, we can't automate the ZFS pool import anymore (at least, I don't find how to do so yet). I try not to automatically mount the datasets, but this force us to manually mount those datasets that are necessary (such as the zonepath, etc.). Not very effective.

So, is there a method to instruct ZFS not to ask us for a passphrase or something else in such case(s)? Thank you.

--
Best regards,
Julien Gabel.

Posted by guest on March 23, 2012 at 11:06 AM GMT #

Post a Comment:
  • HTML Syntax: NOT allowed
About

DarrenMoffat

Search

Categories
Archives
« April 2014
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today