oxy3d ago

I need to try out the ssh bit

https://ftfl.ca/blog/2025-12-28-seamless-login-logout-with-a-zfs-encrypted-home-directory.html

#FreeBSD #OpenZFS

Seamless login/logout with ZFS Encrypted Home Directories

Show threadHoward Chu @ Symas
@oxyhyxo sounds like it requires password based ssh login
Mar 29 at 7:08amWeb
Show threadoxy3d ago
@hyc I believe you're correct.
Show threadZimmie3d ago
@hyc @oxyhyxo The authorized_keys file for a user is stored in that user’s home directory by default, and the home directory isn’t decrypted and mounted until after the user successfully authenticates. I can see a few ways it could be made to work, but all would take non-trivial changes to how key-based SSH authentication currently works (e.g, moving user keys to /etc/ssh/userKeys/<username>/authorized_keys, and using agent forwarding to get the user’s private key to decrypt an escrowed ZFS key).
Show threadHoward Chu @ Symas3d ago
@bob_zim @oxyhyxo yeah that sounds pretty difficult. Another option I was thinking was to require the ssh key after password authentication succeeded. But by then an attacker would know the password was accepted.
Show threadGraham Perrin3d ago

@bob_zim @hyc @oxyhyxo also, this review might benefit from more reviewers:

<https://reviews.freebsd.org/D47996>

#FreeBSD #documentation #ZFS #OpenZFS #encryption

⚙ D47996 adduser(8): Add documentation for ZFS encrypted home dataset

Show threadqwertz3d ago

@grahamperrin @bob_zim @hyc @oxyhyxo

It is best to use the lightdm or login pam config file ?

Show threadGraham Perrin3d ago
@qwertz I don't know, sorry.