Using Solaris and SPARC Networking and Virtualization

Encrypting my Home Directory on ZFS


Overview


I like to run Solaris on my work desktops because I have all the Solaris features at my fingertips. This includes the manual pages, Solaris Zones, Solaris networking including VNICs, and I just find the Solaris GNOME desktop to be the easiest for me to use for basic email, browsing, terminal windows, and the like.

Because I might be putting some information on my desktop that I'd rather not leave behind when the disk drive leaves, I make an effort to encrypt my home directory. Because I do this relatively infrequently, I don't remember the steps, so I search for and reference Darren Moffat's blog. Unfortunately, it was written in 2011 when Solaris 11 11/11 delivered ZFS encryption, and it seems some files have changed slightly.

To make it easier for me to reference, and to add some additional features, I did some repeated testing of modifications to the PAM configuration and am posting the steps in this blog entry. I make no effort to explain PAM, as I am not that versed in it.

The Default Configuration


I am using one of my desktops to write this, and I will use a Solaris Zone to show what a fresh installation looks like. Darren's example shows how to enable encryption with the GNOME Display Manager (GDM). I will extend this to work with console or ssh login. Testing the GDM configuration does require me to log out of my desktop, and is a bit more intrusive for me to test and show. Testing and documenting console and ssh logins is easy with a Zone.

root@pamzone:~# cd /etc/pam.d 
root@pamzone:/etc/pam.d#
root@pamzone:/etc/pam.d# ls
cron gdm-autologin other pfexec
cups login passwd tpdlogin
root@pamzone:/etc/pam.d#

Here are the default files in a Solaris 11.3 default installation using the Live Media. I highlight the files I will be changing. In addition, I will be adding a gdm file that is not yet there.

Modifying the Configuration


Because I am a bit conservative, even though this is a Zone, I will make a best effort to be able to revert to the original configuration. Keeping the original files also lets me highlight the differences.

root@pamzone:/etc/pam.d# beadm create initial 
root@pamzone:/etc/pam.d#
root@pamzone:/etc/pam.d# cp -p login login.orig
root@pamzone:/etc/pam.d# cp -p other other.orig
root@pamzone:/etc/pam.d#

I modify the "login" and "other" files based on the changes Darren put into the "/etc/pam.conf" file. The GDM specific entries go into "gdm".
root@pamzone:/etc/pam.d# diff login login.orig 
14,16d13
< # 2016.05.04 Added for encrypting user's home directory
< # Create a new home directory if it does not exist
< auth required pam_zfs_key.so.1 create homes=rpool/export/home

root@pamzone:/etc/pam.d#
root@pamzone:/etc/pam.d# diff other other.orig
14,16d13
< # 2016.05.04 Added for encrypting user's home directory
< # This allows new account without coming in on console
< auth required pam_zfs_key.so.1 create homes=rpool/export/home
49,51d45
< # 2016.05.04 Added for encrypting user's home directory
< # Update the ZFS encryption wrapping key when the user changes their password
< password requisite pam_zfs_key.so.1 homes=rpool/export/home

root@pamzone:/etc/pam.d#
root@pamzone:/etc/pam.d# cat gdm
# 2016.05.04 Created based on https://blogs.oracle.com/darren/entry/user_user_home_directory_encryption
auth requisite pam_authtok_get.so.1
auth required pam_unix_cred.so.1
auth required pam_unix_auth.so.1
# 2016.05.04 Added for encrypting user's home directory
# Create a new home directory if it does not exist
auth required pam_zfs_key.so.1 create homes=rpool/export/home
# 2016.05.04 End of ZFS encryption changes
auth required pam_unix_auth.so.1

While Darren shows putting the ZFS encryption features into "/etc/pam.conf" I am putting them into the per-service files in "/etc/pam.d/" as the /etc/pam.conf comments recommend. This has required some testing and retesting for me to get this fully working, which is why I am creating this blog.
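Because getting these entries right took repeated testing, here is a small checker for the per-service files. It is an added example, not code from the original post or from Solaris: it strips comments from a pam.d file, confirms the auth entry with the "create" option is present and comes after pam_authtok_get.so.1 (the module that collects the login password the wrapping key is derived from, which is the order the gdm file above uses), and confirms the password entry that re-wraps the key is present where expected. The sample files it runs against are constructed here and are not the real Solaris defaults; the home-directory base rpool/export/home is taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check /etc/pam.d service
# files for the pam_zfs_key.so.1 entries described above.
# Assumes the one-entry-per-line pam.d layout shown in the post and the
# rpool/export/home base the post uses.

HOMES=rpool/export/home

# Print a pam.d file with comments and blank lines removed.
pam_entries() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 if FILE has the auth entry that creates an encrypted home at first
# login, and that entry comes after pam_authtok_get.so.1 in the auth stack.
pam_zfs_auth_ok() {
    pam_entries "$1" | awk -v homes="$HOMES" '
        $1 == "auth" && $3 == "pam_authtok_get.so.1" { tok = NR }
        $1 == "auth" && $2 == "required" && $3 == "pam_zfs_key.so.1" &&
            $4 == "create" && $5 == ("homes=" homes) { zfs = NR }
        END { exit !(tok > 0 && zfs > 0 && tok < zfs) }'
}

# Return 0 if FILE has the password entry that updates the ZFS wrapping key
# when the user runs passwd(1); the post puts this entry only in "other".
pam_zfs_password_ok() {
    pam_entries "$1" | awk -v homes="$HOMES" '
        $1 == "password" && $2 == "requisite" && $3 == "pam_zfs_key.so.1" &&
            $4 == ("homes=" homes) { found = 1 }
        END { exit !found }'
}

# One-line verdict per file, for a quick review of /etc/pam.d.
pam_zfs_report() {
    for f in "$@"; do
        if pam_zfs_auth_ok "$f"; then a=ok; else a=MISSING-OR-MISORDERED; fi
        if pam_zfs_password_ok "$f"; then p=ok; else p=absent; fi
        echo "$(basename "$f"): auth=$a password=$p"
    done
}

# Constructed sample files (not the real Solaris defaults) for a dry run.
TMP=${TMPDIR:-/tmp}/pamcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# "other" as the post modifies it: auth entry in the right place, password entry present.
cat > "$TMP/other" <<'EOF'
auth requisite pam_authtok_get.so.1
auth required pam_unix_cred.so.1
auth required pam_unix_auth.so.1
# 2016.05.04 Added for encrypting user's home directory
auth required pam_zfs_key.so.1 create homes=rpool/export/home
# 2016.05.04 Update the ZFS encryption wrapping key on password change
password requisite pam_zfs_key.so.1 homes=rpool/export/home
EOF

# A broken file: pam_zfs_key.so.1 placed before the password has been collected.
cat > "$TMP/bad" <<'EOF'
auth required pam_zfs_key.so.1 create homes=rpool/export/home
auth requisite pam_authtok_get.so.1
auth required pam_unix_auth.so.1
EOF

pam_zfs_report "$TMP/other" "$TMP/bad"
```

On a Solaris host the same functions can be pointed at the real files, for example pam_zfs_report /etc/pam.d/login /etc/pam.d/other /etc/pam.d/gdm, to confirm all three carry the entries before logging out to test GDM.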

Testing the Configuration


The way to test this is to create a new user. Since I am doing this in a Solaris Zone I can only test text console and network logins. I will demonstrate both, and come back later to show GDM.

First steps are to create the users and to force them to enter a new password when they first log in.

root@pamzone:~# useradd -g 10 -c "user1" -d /export/home/user1 user1 
root@pamzone:~# useradd -g 10 -c "user2" -d /export/home/user2 user2
root@pamzone:~#
root@pamzone:~# passwd user1
New Password: xxx
Re-enter new Password: xxx
passwd: password successfully changed for user1
root@pamzone:~# passwd user2
New Password: xxx
Re-enter new Password: xxx
passwd: password successfully changed for user2
root@pamzone:~#
root@pamzone:~# passwd -f user1
passwd: password information changed for user1
root@pamzone:~# passwd -f user2
passwd: password information changed for user2
root@pamzone:~#

The "-f" option forces the user to enter a new password on their next login by expiring it. Thus only the user knows the password for the wrapping key.

Testing the New Users


Now I will log into the Zone's console from the Global Zone to show the console login step.
admin@global:~$ pfexec zlogin -C pamzone 
[Connected to zone 'pamzone' console]
pamzone console login: user1
Password: xxx
Choose a new password.
New Password: xxx
Re-enter new Password: xxx
login: password successfully changed for user1
Creating home directory with encryption=on.
Your login password will be used as the wrapping key.
Oracle Corporation SunOS 5.11 11.3 February 2016
-bash-4.1$
-bash-4.1$ pwd
/export/home/user1
-bash-4.1$ /usr/sbin/zfs get encryption rpool/export/home/user1
NAME PROPERTY VALUE SOURCE
rpool/export/home/user1 encryption on local
-bash-4.1$

As you can see, a home directory is created automatically, and encryption is set to "on".

The second test is to log in remotely. I am simulating that by going to localhost just for convenience.

root@pamzone:~# ssh user2@localhost 
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 1d:e5:ff:2d:1f:b2:db:a0:0a:ff:3b:53:db:e6:3c:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password: xxx
Warning: Your password has expired, please change it now.
New Password: xxx
Re-enter new Password: xxx
sshd-kbdint: password successfully changed for user2
Creating home directory with encryption=on.
Your login password will be used as the wrapping key.
Oracle Corporation SunOS 5.11 11.3 February 2016
-bash-4.1$
-bash-4.1$ pwd
/export/home/user2
-bash-4.1$ /usr/sbin/zfs get encryption rpool/export/home/user1
NAME PROPERTY VALUE SOURCE
rpool/export/home/user1 encryption on local
-bash-4.1$

Again, the ZFS encryption property validates that encryption is on.

Changing a Password


It is good to know I can have my home directory encrypted automatically when I log in the first time. What happens when it is time for me to change my password? Let's see.
-bash-4.1$ passwd 
passwd: Changing password for user2
Enter existing login password: xxx
New Password: xxx
Re-enter new Password: xxx
passwd: password successfully changed for user2
ZFS Key change for rpool/export/home/user2 successful

-bash-4.1$

As you can see, the ZFS wrapping key is updated when I run the "passwd(1)" command.

Mounting an Encrypted File System/Home Directory on Reboot


The above steps created and mounted the users' home directories. Let us take a look at what happens on a reboot. The experience is different in a Zone reboot than it is on a system reboot.

root@auth:~# zfs get -r encryption rpool/export/home 
NAME PROPERTY VALUE SOURCE
rpool/export/home encryption off -
rpool/export/home/guest encryption off -
rpool/export/home/user1 encryption on local
rpool/export/home/user2 encryption on local
root@auth:~#
root@auth:~# ls /export/home/*/
/export/home/guest/:
/export/home/user1/:
test1
/export/home/user2/:
test2
root@auth:~#
root@auth:~# reboot
[Connection to zone 'auth' pts/3 closed]
root@global:~#
...
root@global:~# zlogin auth
[Connected to zone 'auth' pts/3]
Oracle Corporation SunOS 5.11 11.3 February 2016
root@auth:~#
root@auth:~# ls /export/home/*/
/export/home/guest/:
/export/home/user1/:
test1
/export/home/user2/:
test2

root@auth:~#
root@auth:~# ls /export/home/*/test*
/export/home/user1/test1 /export/home/user2/test2
root@auth:~#

Though the Zone was rebooted, it is not necessary to provide wrapping keys for the encrypted file systems. Now let's see what happens when the system reboots.

root@auth:~# ls /export/home/*/test* 
/export/home/*/test*: No such file or directory
root@auth:~#
root@auth:~# ssh user1@localhost
Password: xxx
Oracle Corporation SunOS 5.11 11.3 February 2016
-bash-4.1$ ls
test1
-bash-4.1$ exit
logout
Connection to localhost closed.
root@auth:~#
root@auth:~# ls /export/home/*/test*
/export/home/user1/test1
root@auth:~#
root@auth:~# zfs mount rpool/export/home/user2
Enter passphrase for 'rpool/export/home/user2': xxx
root@auth:~#
root@auth:~# ls /export/home/*/test*
/export/home/user1/test1 /export/home/user2/test2
root@auth:~#

Upon a system reboot it is necessary to provide the wrapping key. With the custom PAM setup, when user1 logs in, the key is provided and user1's home directory is mounted. A second way of providing the key is to perform a "zfs mount" operation. In that case, the user with the privileges to run the command must know the wrapping key. I have done that when I access my system remotely after a reboot, before I added the extra option to mount on remote access.
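After a system reboot it is useful to know whose home directories are still locked, since a user whose dataset is not mounted cannot reach their files until they log in or someone runs "zfs mount" with the wrapping key. The following is an added example, not from the original post: it reads the tab-separated output of "zfs get -r -H -o name,property,value encryption,mounted rpool/export/home" and lists the datasets that are encrypted but not mounted. The sample output it runs against is constructed to mirror the post's datasets after a system reboot, with user1 already logged in and user2 not.

```shell
#!/bin/sh
# Added example (not from the original post): after a system reboot, list the
# home datasets that are encrypted but not yet mounted, i.e. whose wrapping
# key has not been supplied by a login (pam_zfs_key) or by "zfs mount".
# Assumes the -H tab-separated output of:
#   zfs get -r -H -o name,property,value encryption,mounted rpool/export/home

# Reads "name<TAB>property<TAB>value" lines on stdin and prints the names of
# datasets with encryption=on and mounted=no, one per line, sorted.
unmounted_encrypted() {
    awk -F'\t' '
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "mounted"    { mnt[$1] = $3 }
        END {
            for (d in enc)
                if (enc[d] == "on" && mnt[d] == "no") print d
        }' | sort
}

# Constructed sample output (not captured from a real system) modelled on the
# post: user1 has logged in since the reboot, user2 has not.
SAMPLE=$(printf '%s\t%s\t%s\n' \
    rpool/export/home        encryption off \
    rpool/export/home        mounted    yes \
    rpool/export/home/guest  encryption off \
    rpool/export/home/guest  mounted    yes \
    rpool/export/home/user1  encryption on \
    rpool/export/home/user1  mounted    yes \
    rpool/export/home/user2  encryption on \
    rpool/export/home/user2  mounted    no)

# Run the check over the sample; on a Solaris host replace the printf with the
# zfs get command named above.
pending_homes() {
    printf '%s\n' "$SAMPLE" | unmounted_encrypted
}

echo "Encrypted home directories still waiting for a wrapping key:"
pending_homes
```

The check keys on the "mounted" property rather than on ls output because an unmounted dataset's mount point is an ordinary empty directory, which is exactly why the post's ls of /export/home/*/test* showed nothing until the keys were supplied.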

Testing the Configuration when Logging In on a Desktop


In order to capture the desktop login experience, I need to enable remote GNOME login. I followed the steps in Setting Up Remote Desktop Access Using VNC in the Solaris 11.3 Desktop Administrator's Guide and tips on Calkins' Blog.

Because desktops need to access devices not available in a Solaris Zone, I created another user user3 in the Global Zone on the system. (First I create a new Boot Environment and reboot into that, so I can delete the changes to the Global Zone.)

Once all set up, I log in.

User Login

Because I force the user to enter a new password, I am prompted to do so.

Expired Password

I enter it (twice.)

Enter New Password

I am told it is successful.

Password Change Successful

As on the console or over a network connection, the system tells me that the home directory has been created with encryption on.

Encryption is On with Login Password

And I can verify that by looking at the ZFS encryption attribute. It is on!

ZFS Encryption is On

So this shows the GNOME version of first login and changing the password to set the ZFS encryption wrapping key.

In Summary


Now you can encrypt your home directory and make sure the wrapping key is up to date whenever you change your password.

I will add one small item since we are changing the PAM configuration files. In Solaris 11.3, when the system is rebooted for any reason, a new feature asked for by some customers reminds the user of their last login. This display disappears after ten seconds or so. To get rid of it quicker you might have to click on OK. AlanC at The Observatory writes how to get rid of that. Here is how to do that.

root@global:~# grep nowarn /etc/pam.d/gdm
session required pam_unix_session.so.1 nowarn
root@global:~#

Hopefully this all makes someone's life a bit easier and more secure.

Steffen

Revision History

(Other than minor typographical changes)

2016.05.10: Corrected "other" to "gdm" in how to avoid last login warnings

2016.05.06: Small changes to my comments and descriptions

2016.05.05: Posted

2016.05.03: Created
