User home directory encryption with ZFS
By Darren Moffat-Oracle on Nov 09, 2011
ZFS encryption has a very flexible key management capability, including the option to delegate key management to individual users. We can use this together with a PAM module I wrote to provide per user encrypted home directories. My laptop and workstation at Oracle are configured like this:
First lest setup console login for encrypted home directories:
root@ltz:~# cat >> /etc/pam.conf<<_EOM login auth required pam_zfs_key.so.1 create other password required pam_zfs_key.so.1 _EOM
The first line ensures that when we login on the console bob's home directory is created with as an encrypted ZFS file system if it doesn't already exist, the second one ensures that the passphrase for it stays in sync with his login password.
Now lets create a new user 'bob' who looks after his own encryption key for is home directory, note that we do not specify '-m' to useradd so that pam_zfs_key will create the home directory when the user logs in.
root@ltz:~# useradd bob root@ltz:~# passwd bob New Password: Re-enter new Password: passwd: password successfully changed for bob root@ltz:~# passwd -f bob passwd: password information changed for bob
We have now created the user bob with an expired password. Lets login as bob and see what happens:
ltz console login: bob Password: Choose a new password. New Password: Re-enter new Password: login: password successfully changed for bob Creating home directory with encryption=on. Your login password will be used as the wrapping key. Last login: Tue Oct 18 12:55:59 on console Oracle Corporation SunOS 5.11 11.0 November 2011 -bash-4.1$ /usr/sbin/zfs get encryption,keysource rpool/export/home/bob NAME PROPERTY VALUE SOURCE rpool/export/home/bob encryption on local rpool/export/home/bob keysource passphrase,prompt local
Note that bob had to first change the expired password. After we provided a new login password a new ZFS file system for bob's home directory was created. The new login password that bob chose is also the passphrase for this ZFS encrypted home directory. This means that at no time did the administrator ever know the passphrase for bob's home directory. After the machine reboots bob's home directory won't be mounted anymore until bob logs in again. If we want bob's home directory to be unmounted and the key removed from the kernel when bob logs out (even if the system isn't rebooting) then we can add the 'force' option to the pam_zfs_key.so.1 module line in /etc/pam.conf
If users login with GDM or ssh then there is a little more configuration needed in /etc/pam.conf to enable pam_zfs_key for those services as well.
Note that this only works when we are logging in to SSH with a password. Not if we are doing pubkey authentication because the encryption passphrase for the home directory hasn't been supplied. However pubkey and gssapi will work for later authentications after the home directory is mounted up since the ZFS passphrase is supplied during that first ssh or gdm login.root@ltz:~# cat >> /etc/pam.conf<<_EOM gdm auth requisite pam_authtok_get.so.1 gdm auth required pam_unix_cred.so.1 gdm auth required pam_unix_auth.so.1 gdm auth required pam_zfs_key.so.1 create gdm auth required pam_unix_auth.so.1 _EOMroot@ltz:~# cat >> /etc/pam.conf<<_EOM sshd-kbdint auth requisite pam_authtok_get.so.1 sshd-kbdint auth required pam_unix_cred.so.1 sshd-kbdint auth required pam_unix_auth.so.1 sshd-kbdint auth required pam_zfs_key.so.1 create sshd-kbdint auth required pam_unix_auth.so.1 _EOM