On 31.07.24 17:02, void wrote:
Hi,
I was pleasantly surprised when I installed a new [1] zfs-on-root
-current
to rpi4 that when adduser was invoked, I was given the option to
encrypt the homedir. This is a great feature for my context [2].
It doesn't automount on boot but I think this is more of a feature
rather than a bug. One can have a different password to the GELI one used
to boot up the whole system.
I have not tested yet whether one can have the user, once logged in,
mount
their homedir with doas(1). Right now, I mount the homedir like so:
zfs load-key -a (prompts for password)
zfs mount -a
as root.
I could I guess make a doas line for the user for zfs load-key -r
zfsfile/system.
Can anyone suggest any better ideas please?
There is the pam_zfs_key.so PAM session module that should do exactly
what you're looking for if your users login with a password. It should
similar to the pam_ssh.so module if you're already familiar with that
one. Unless users provide the password there isn't much file system or
disk encryption can do for you against hardware theft since the
Raspberry Pi doesn't have any secure key storage nor would the kernel be
able to know when it has been stolen and stop auto-loading the keys.
