News, tips, partners, and perspectives for the Oracle Solaris operating system

User home directory encryption with ZFS

Darren Moffat
Senior Software Architect

ZFS encryption has a very flexible key management capability, including the option to delegate key management to individual users.  We can use this together with a PAM module I wrote to provide per user encrypted home directories.  My laptop and workstation at Oracle are configured like this:

First, let's set up console login for encrypted home directories:

    root@ltz:~# cat >> /etc/pam.conf<<_EOM
    login auth required pam_zfs_key.so.1 create
    other password required pam_zfs_key.so.1
    _EOM

The first line ensures that when bob logs in on the console his home directory is created as an encrypted ZFS file system if it doesn't already exist; the second ensures that the passphrase for it stays in sync with his login password.

Now let's create a new user 'bob' who looks after his own encryption key for his home directory. Note that we do not specify '-m' to useradd, so that pam_zfs_key will create the home directory when the user logs in.

    root@ltz:~# useradd bob
    root@ltz:~# passwd bob
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for bob
    root@ltz:~# passwd -f bob
    passwd: password information changed for bob

We have now created the user bob with an expired password. Let's log in as bob and see what happens:

    ltz console login: bob
    Password:
    Choose a new password.
    New Password:
    Re-enter new Password:
    login: password successfully changed for bob
    Creating home directory with encryption=on.
    Your login password will be used as the wrapping key.
    Last login: Tue Oct 18 12:55:59 on console
    Oracle Corporation SunOS 5.11 11.0 November 2011
    -bash-4.1$ /usr/sbin/zfs get encryption,keysource rpool/export/home/bob
    NAME                   PROPERTY    VALUE              SOURCE
    rpool/export/home/bob  encryption  on                 local
    rpool/export/home/bob  keysource   passphrase,prompt  local

Note that bob first had to change the expired password. After bob provided a new login password, a new ZFS file system for his home directory was created. The new login password that bob chose is also the passphrase for this ZFS encrypted home directory, which means that at no time did the administrator know the passphrase for bob's home directory. After the machine reboots, bob's home directory won't be mounted again until bob logs in. If we want bob's home directory to be unmounted and the key removed from the kernel when bob logs out (even if the system isn't rebooting), we can add the 'force' option to the pam_zfs_key.so.1 module line in /etc/pam.conf.

If users log in with GDM or ssh, a little more configuration is needed in /etc/pam.conf to enable pam_zfs_key for those services as well.

    root@ltz:~# cat >> /etc/pam.conf<<_EOM
    gdm auth requisite pam_authtok_get.so.1
    gdm auth required pam_unix_cred.so.1
    gdm auth required pam_unix_auth.so.1
    gdm auth required pam_zfs_key.so.1 create
    gdm auth required pam_unix_auth.so.1
    _EOM
    root@ltz:~# cat >> /etc/pam.conf<<_EOM
    sshd-kbdint auth requisite pam_authtok_get.so.1
    sshd-kbdint auth required pam_unix_cred.so.1
    sshd-kbdint auth required pam_unix_auth.so.1
    sshd-kbdint auth required pam_zfs_key.so.1 create
    sshd-kbdint auth required pam_unix_auth.so.1
    _EOM

Note that this only works when logging in to SSH with a password, not with pubkey authentication, because in that case the encryption passphrase for the home directory has not been supplied. However, pubkey and gssapi will work for later authentications once the home directory is mounted, since the ZFS passphrase is supplied during that first ssh or gdm login.
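Because these stacks are appended to /etc/pam.conf by hand, it is easy to end up with a service that is missing the pam_zfs_key.so.1 entry, lacks the create option, or has it placed before pam_unix_auth.so.1. The following POSIX shell script is an added example of mine, not code from the post or from Solaris; it audits a pam.conf file against the layout shown above. It assumes (my reading of the examples, not a documented rule) that pam_zfs_key.so.1 must come after pam_unix_auth.so.1 in a service's auth stack and carry create, and that the "other password" stack needs pam_zfs_key.so.1 for passphrase sync. The sample pam.conf it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the pam_zfs_key entries in a pam.conf file.
# Assumptions (mine, not from the post): a service's auth stack is usable for
# encrypted home directories when pam_zfs_key.so.1 appears after
# pam_unix_auth.so.1 (so the verified login password is available as the
# wrapping key) and carries the "create" option; the "other password" stack
# needs pam_zfs_key.so.1 so the passphrase follows password changes.

# pam_zfs_key_status FILE SERVICE -> prints: missing | nocreate | misordered | ok
pam_zfs_key_status() {
    file=$1
    svc=$2
    # Module names of SERVICE's auth stack, in file order (comment lines never match $1).
    stack=$(awk -v s="$svc" '$1 == s && $2 == "auth" { print $4 }' "$file")
    zfs_at=$(printf '%s\n' "$stack" | grep -n '^pam_zfs_key\.so\.1$' | head -n 1 | cut -d: -f1)
    if [ -z "$zfs_at" ]; then
        echo missing
        return 0
    fi
    # The create option must appear on the pam_zfs_key auth line itself.
    if ! awk -v s="$svc" '$1 == s && $2 == "auth" && $4 == "pam_zfs_key.so.1" {
            for (i = 5; i <= NF; i++) if ($i == "create") c = 1 } END { exit !c }' "$file"; then
        echo nocreate
        return 0
    fi
    unix_at=$(printf '%s\n' "$stack" | grep -n '^pam_unix_auth\.so\.1$' | head -n 1 | cut -d: -f1)
    if [ -z "$unix_at" ] || [ "$zfs_at" -lt "$unix_at" ]; then
        echo misordered
        return 0
    fi
    echo ok
}

# passphrase_sync_status FILE -> prints: ok | missing
# Looks for the "other password required pam_zfs_key.so.1" entry from the post.
passphrase_sync_status() {
    if awk '$1 == "other" && $2 == "password" && $4 == "pam_zfs_key.so.1" { f = 1 }
            END { exit !f }' "$1"; then
        echo ok
    else
        echo missing
    fi
}

# audit_pam_conf FILE -> one "service status" line per service of interest
audit_pam_conf() {
    for svc in login gdm sshd-kbdint; do
        printf '%s %s\n' "$svc" "$(pam_zfs_key_status "$1" "$svc")"
    done
    printf 'password-sync %s\n' "$(passphrase_sync_status "$1")"
}

# sample_pam_conf -> writes a constructed pam.conf fragment and prints its path.
# login is correct; gdm has pam_zfs_key before pam_unix_auth; sshd-kbdint has
# no pam_zfs_key entry; xdm (constructed) has the entry but no create option.
sample_pam_conf() {
    f="${TMPDIR:-/tmp}/pam_zfs_key_sample.$$"
    cat > "$f" <<'_EOM'
# constructed sample, not a real /etc/pam.conf
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_zfs_key.so.1 create
other password required pam_zfs_key.so.1
gdm auth requisite pam_authtok_get.so.1
gdm auth required pam_zfs_key.so.1 create
gdm auth required pam_unix_auth.so.1
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_unix_auth.so.1
xdm auth required pam_unix_auth.so.1
xdm auth required pam_zfs_key.so.1
_EOM
    printf '%s\n' "$f"
}

sample=$(sample_pam_conf)
audit_pam_conf "$sample"
rm -f "$sample"
```

Run it against a real file with `audit_pam_conf /etc/pam.conf` after sourcing the script; any service reporting misordered or nocreate will authenticate the user but not create or unlock the encrypted home directory at login.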

Comments (7)
  • Jeremy Pick Friday, November 11, 2011

    Is there any way of creating a new encrypted home directory for an existing user?


  • Darren Moffat Monday, November 14, 2011

    Jeremy, you can't migrate an existing ZFS filesystem that has encryption=off to one that has encryption=on. However you can create a new one for them and then manually migrate data over to it (say using rsync). To do that you would just change the existing ZFS filesystem for the home directory to be named differently. Then pam_zfs_key will notice that rpool/export/home/user doesn't exist and will create a new one. I suspect this isn't quite what you want though but it might be part of the solution. Remember also that if you are using the same pool even if you delete the old home directory you will have unencrypted data on disk for that old home directory still.


  • Carlos Almeida, Monday, November 28, 2011

    Great stuff!, this will work if my home is on another pool?

    Regards,

    CA


  • Darren Moffat Monday, November 28, 2011

    Carlos, yes it does. You will need to set the pam_zfs_key homes= option in /etc/pam.conf; see example 2 in the pam_zfs_key man page:


  • Carlos Almeida, Monday, November 28, 2011

    again, great, great stuff, many thanks for your reply

    Regards,

    CA,


  • Patrick aka Jolly Monday, February 13, 2012

    I do like encrypted home directories, but a user no longer has a way to create crontab entries that refer to his home directory after reboot, or to ssh into the machine with keys stored in ~/.ssh/authorized_keys2.

    Well, it's solvable, but some things just break when you enhance security ;-)

    Jolly aka Patrick


  • guest Friday, March 23, 2012

    Hi Darren,

    I use this method (successfully) for home directories inside a Zone, for which we are doing Flying Zone. But because of the interactive nature of doing a mount after the import on the other host, we can't automate the ZFS pool import anymore (at least, I haven't found how to do so yet). I try not to automatically mount the datasets, but this forces us to manually mount those datasets that are necessary (such as the zonepath, etc.). Not very effective.

    So, is there a method to instruct ZFS not to ask us for a passphrase or something else in such case(s)? Thank you.

    --

    Best regards,

    Julien Gabel.
