On 21/04/2011 11:05, Dr. David Kirkby wrote:
> I went to a talk last night at the London Open Solaris User Group (LOSUG) by
> Darren Moffat - an Oracle engineer who had a major role in the ZFS encryption
> implementation in Solaris. I was particularly interested in this, as for a long
> time I've been concerned about security of data on my laptop.
>
> I decided to try to secure my laptop, which is running Solaris 11 Express. I
> want to set the machine up so that during the boot process I get asked to enter
> the pass phrase to mount the file system with my home directory on.
>
> But I am having problems.
>
> First I create the file system. As expected, Solaris asks for a pass phrase:
>
> drkirkby@laptop:~# zfs create -o compression=on -o encryption=on -o mountpoint=/export/home/davek rpool/export/home/davek
> Enter passphrase for 'rpool/export/home/davek': *******
> Enter again: ******
>
> Next I create a file on the file system and check it exists.
>
> drkirkby@laptop:~# touch /export/home/davek/foo
> drkirkby@laptop:~# ls /export/home/davek/foo
> /export/home/davek/foo
>
> Unmount the encrypted file system
>
> drkirkby@laptop:~# zfs umount rpool/export/home/davek
>
> Check the file I created is no longer available
>
> drkirkby@laptop:~# ls /export/home/davek/foo
> /export/home/davek/foo: No such file or directory
>
> Now I get a problem. I was expecting to have to enter the pass
> phrase again when attempting to mount the file system, but this is not being
> requested. As you can see, I can mount the file system without the pass
> phrase and read the data on the file system.

I covered that in the talk last night - in fact we had about a 5 minute discussion about why it is this way.

If you want the key to go away you need to run:

        # zfs key -u rpool/export/home/davek

> drkirkby@laptop:~# zfs mount rpool/export/home/davek
> drkirkby@laptop:~# ls /export/home/davek/foo
> /export/home/davek/foo
> drkirkby@laptop:~#
>
> This looks wrong to me, but I've no idea how to solve it.

No, it is correct by design.

As I mentioned last night, the reason for this is so that delegated administration of certain properties can work for users that don't have the 'key' delegation and don't have access to the wrapping keys.

For example, changing a mountpoint causes an umount followed by a mount. There are other changes that under the covers can cause a filesystem to be temporarily unmounted and remounted.

> The next issue is how do I get the file system to mount when the
> machine is booted? I want to supply the pass phrase by typing it in,
> rather than from storing it in USB stick or other similar method.

Since this is your user home directory the ideal way would be a PAM module that ran during user login and requested the passphrase for the ZFS encrypted home dir.

There isn't one in Solaris 11 Express (snv_151a) at this time.

> Any ideas what I need to do to get this file system to request the
> pass phrase before mounting the file system?

There is source for a prototype PAM module in the old opensolaris.org zfs-crypto repository:

http://src.opensolaris.org/source/history/zfs-crypto/phase2/usr/src/lib/pam_modules/

You would need to take a clone of that repository and check out changeset 6749:6dded109490e and see if that old PAM module could be hacked into submission. Note that it uses private interfaces and doing so is not supported by any Oracle support contract you have.

--
Darren J Moffat
_______________________________________________
zfs-crypto-discuss mailing list
zfs-crypto-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-crypto-discuss
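
Added example (not part of the original thread and not Oracle's code): two shell helpers for the behaviour discussed above, where `zfs umount` leaves the wrapping key loaded and `zfs key -u` is what removes it. It assumes the Solaris 11 Express `zfs key -l`/`-u` subcommands and the `keystatus` property; the function names `lock_dataset` and `unlock_dataset` are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.
# Assumes Solaris 11 Express ZFS encryption: 'zfs key -l/-u' and the
# 'keystatus' property (available / unavailable).

# lock_dataset DATASET
# Unmount the dataset AND unload its wrapping key, then verify the key is
# gone. 'zfs umount' on its own leaves the key loaded, so a later
# 'zfs mount' succeeds without asking for the passphrase.
lock_dataset() {
    ld_ds=$1
    if [ "$(zfs get -H -o value mounted "$ld_ds")" = "yes" ]; then
        zfs umount "$ld_ds" || return 1
    fi
    # Only unload when a key is loaded, so the helper is safe to re-run.
    if [ "$(zfs get -H -o value keystatus "$ld_ds")" = "available" ]; then
        zfs key -u "$ld_ds" || return 1
    fi
    # Do not trust the exit code alone: confirm the resulting state.
    ld_ks=$(zfs get -H -o value keystatus "$ld_ds")
    if [ "$ld_ks" != "unavailable" ]; then
        echo "lock_dataset: key for $ld_ds still loaded ($ld_ks)" >&2
        return 1
    fi
    return 0
}

# unlock_dataset DATASET
# Load the key (this is the step that asks for the passphrase when the
# dataset was created with a prompted passphrase), then mount.
unlock_dataset() {
    ud_ds=$1
    if [ "$(zfs get -H -o value keystatus "$ud_ds")" != "available" ]; then
        zfs key -l "$ud_ds" || return 1
    fi
    if [ "$(zfs get -H -o value mounted "$ud_ds")" != "yes" ]; then
        zfs mount "$ud_ds" || return 1
    fi
    return 0
}
```

Both helpers need the privileges or delegations that allow mounting and key operations on the dataset, for example `lock_dataset rpool/export/home/davek` run as root.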