Tuesday, November 30, 2010

ZFS encryption at ${HOME}

A nice addition to easily use of ZFS encryption for home directories will be available in a future version of Solaris 11. This will allow you to have your password as key for your home dataset which is automatically used at login:

"For users with local ZFS storage we want to provide a very simple and as transparent as possible way of using encrypted ZFS datasets. The target for this is laptops and systems with local ZFS storage for the users home directory.

The goal is to provide as seemless as possible a way to have an encrypted home directory and additional encrypted datasets below the home directory. A new PAM module pam_zfs_key.so will be introduced. This module supports only pam_sm_setcred(3PAM) and pam_sm_chauthtok(3PAM), pam_sm_authenticate(3PAM) is provided but always returns PAM_IGNORE.

It assumes that the users login passphrase is also the passphrase used to protect thier ZFS encrypted home directory and will ensure that when users change their password the passphrase used for deriving the wrapping key for their encrypted ZFS home directory is changed as well."

Bugid: 6983112

No comments: