From <https://openzfs.github.io/openzfs-docs/man/8/zfs-load-key.8.html#Encryption>: > … Creating an encrypted dataset requires specifying the > encryption and keyformat properties at creation time, … – at, not after. If possible, please enhance adduser to allow: * specification of the required properties at the time of creation of the file system for the home directory. adduser(8) <https://www.freebsd.org/cgi/man.cgi?query=adduser&sektion=8&manpath=FreeBSD> Note, from <https://www.freebsd.org/cgi/man.cgi?query=passwd&sektion=5&manpath=FreeBSD#BUGS> for passwd(5): > User information should (and eventually will) be stored elsewhere. …
This is a feature I've wanted myself. I'll take a crack at it.
Pull request: https://github.com/freebsd/freebsd-src/pull/881
(In reply to John Grafton from comment #2) This should really be an opt-out feature instead of an opt-in one (in other words, if `zfs list -o name "${homeprefix}" 2>/dev/null` returned a dataset, then ZFS should be used, unless the administrator specified otherwise). And the ZFS options should be mostly inherited from the parent, especially `mountpoint`. It can cause a lot of problem when the system is being backed up to a remote one with `zfs send`. For compression, atime, etc. it's usually specified by the parent instead of being set individually, therefore I'd recommend not providing default for zfs creation options and tell user that they can say encryption=on, etc. if they choose to.
(In reply to Xin LI from comment #3) The PR has been updated to your specification from comment #3. For the encryption option, my thought is to default to using a passphrase that's asked for at the end of the question list in interactive mode. In batch mode, the user would need to provide a file with the key? Haven't decided on the best way to handle this scenario. Opinions welcome! These sound like sane defaults to me keeping in mind that the key can always be changed later on with 'zfs change-key'. Interactive session w/ encryption enabled example: root@freebsd:/usr/src/usr.sbin/adduser # sh adduser.sh Username: bob Full name: bob mcbob Uid [1009]: Login group [bob]: Login group is bob. Invite bob into other groups? []: Login class [default]: Shell (sh csh tcsh git-shell nologin) [sh]: Home directory [/home/bob]: Home directory permissions (Leave empty for default): Encrypt ZFS home dataset? [no]: yes Use password-based authentication? [no]: Lock out the account after creation? [no]: Username : bob Password : <disabled> Full Name : bob mcbob Uid : 1009 ZFS dataset : zroot/home/bob Encrypted : yes Class : Groups : bob Home : /home/bob Home Mode : Shell : /bin/sh Locked : no OK? (yes/no) [yes]: yes Encryption passphrase for dataset (must be at least 8 characters) Enter new passphrase: Re-enter new passphrase: adduser.sh: INFO: Successfully created ZFS dataset (zroot/home/bob). adduser.sh: INFO: Successfully added (bob) to the user database. Add another user? (yes/no) [no]: Goodbye!
Merged: https://github.com/freebsd/freebsd-src/commit/215c0a5158f17f515f365fc28a9ff0b367be8fc9
Ah, sorry, I've mistakenly assigned this PR to imp@ as I thought that it has been resolved (and the patch has been committed by imp@). Reopening..
Nevermind, the commit message says: > Also support ZFS default encryption on user's home directory. So I guess that this PR can be closed.
Thanks!