Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add encryption option: per-user encrypted homdir #379

Open
wants to merge 10 commits into
base: master
Choose a base branch
from

Conversation

christophhagemann
Copy link

I am no developer, just a somewhat experienced user. I tried my very best to not do something stupid, but I don't know if I succeeded. It works here (TM). Feel free to change anything.

Please note: I'm on debian/testing, not on bullseye. Should make no difference...

Copy link
Member

@rlaager rlaager left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've made a first pass through this. Most of this is minor nitpicking. I haven't had a chance to actually walk through the steps yet.

@rlaager
Copy link
Member

rlaager commented Jan 30, 2023

Am I understanding the theory of operation correctly here? When you login, PAM passes your password to the unlock script. The unlock script does the zfs load-key. Then the system unit mounts your home directory?

At logout, systemd unmounts the home directory and locks it?

As requested by @rlaager - Thanks for the suggestions!
@christophhagemann
Copy link
Author

christophhagemann commented Jan 31, 2023 via email

Thanks for the hints!
- Prevent two race conditions: between unlock (PAM) and mount (systemd) and between mount and the remaining login process
- Minor cosmetic changes
- Added the option to take a snapshot upon logout
@ghost
Copy link

ghost commented Feb 14, 2023

I don't mean to pour cold water on this, just my two cents.

I think that any customization procedures that can be done post-installation -- any that does not involve repartitioning the disks -- should be done post-installation and documented elsewhere, like a blog or a wiki. The guide here should only be a starting point.

The installation guides maintained by myself previously suffered from feature-creep, I added Secure Boot, encrypted boot pool, SSH remote unlock, among others. The main disadvantages are the following:

  • The procedures are not specific to the distro, and could be reused if it's posted on a wiki instead, such as Arch Linux wiki.
  • Whenever the instructions need update, maintainers at openzfs/openzfs-docs must be involved, which increases their workload. In a wiki, they can be updated easily by a volunteer.
  • The burden of testing every possible combination of configuration documented in the guide are shouldered by us, which is quite time-consuming.
  • The extra options make the guide longer and more difficult to follow.

Therefore I moved the instructions to Arch Linux wiki, Alpine wiki, Fedora wiki and NixOS wiki respectively and dropped them from this repo. We now benefit from the oversight of volunteers there, an easier-to-follow installation guide, and less maintenance work. In particular, the NixOS Root on ZFS guide only requires 8 minutes(!) to follow for a multi-disk encrypted installation, excluding time used for downloading live media.

@christophhagemann
Copy link
Author

christophhagemann commented Feb 21, 2023 via email

@gmelikov
Copy link
Member

Personally, I like universal small blocks of info. Have such pages on distros' wiki is good, but it requires to have contributors there.

So, LGTM to have dedicated pages here for these purposes, main thing to have appropriate navigation position for them. Maybe @rlaager or @ne9z have other opinions and may challenge me here.

@grahamperrin
Copy link

I don't suppose that anything here helps, but FYI (merged):

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants