openzfsonosx / zfs

OpenZFS on OS X
https://openzfsonosx.org/

Mount encrypted dataset on /Users at boot? #777

Open goahe opened 4 years ago

goahe commented 4 years ago

Hello,

I'm trying to get my system to mount an encrypted dataset to /Users at boot, before the system starts working with the /Users folder.

I modified the /usr/local/libexec/zfs/launchd.d/zpool-import-all.sh to mount my drives, next to importing them, temporarily using keylocation=file:///x/y/z, of course, because otherwise I wouldn't know where to put the passphrase, but that is something we can figure out at a later stage (to see if we can get keyboard interaction at the stage it's required or possibly use the same passphrase as for the boot drive (if that's your setup)?).

I can't find anything about it, so I'm a bit disappointed, because this throws a lot of spanners in the works of what I would like to achieve.

It seems that launchd isn't early enough to mount anything for /Users, so I've been digging around to find something that runs before that, but, unfortunately, up till now, to no avail.

Anybody any ideas or pointers?

lundman commented 4 years ago

The keylocation is generally what ZOL guys do. I know some guys had success storing the key in the KeyChain, but I'm not sure how far they got with that.

goahe commented 4 years ago

Hey @lundman

Thank you for the swift reply.

On Linux I had a boot loader that even mounted the encrypted drive as root on boot with PWD intervention, of course.

The biggest part in my question here is: any idea on how I could mount the drive on /Users before the system starts "making decisions" on whether a "user needs to be created", due to the folder being "empty", because it isn't mounted yet?

I've been unable to get this working before that phase, unfortunately.

Every attempt failed me into creating a new user and then, after that, the drive not mounting, because the folder is "not empty"; which is logical, because it isn't, after the system decided to make a new home folder for my primary user, after finding an empty /Users folder.

lundman commented 4 years ago

Ah hmm, that is awkward indeed. Wonder if you could have it not-empty, then force mount over (even though ZFS doesn't like it), or mount it as union on top. I've not tried either myself.

cbreak-black commented 4 years ago

https://developer.apple.com/library/archive/technotes/tn2228/_index.html#//apple_ref/doc/uid/DTS40007991 has some documentation on how to customize login hooks. I don't know if that's early enough for you. But some of those are used to mount user homedirs.

Have you considered setting your /Users/ directory as canmount=noauto and only mounting the per-user datasets? That way, you can have a separate admin user outside of ZFS, which might help for failure recovery.
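To make the two suggestions in this thread concrete (goahe's mount-after-import step in zpool-import-all.sh, and cbreak-black's layout with /Users kept at canmount=noauto and only the per-user datasets mounted), here is an added example script. It is not code from the openzfsonosx project or from anyone in the thread; the pool name "tank", the user "alice", the key file path and the HOMEROOT variable are constructed for illustration. By default it only prints the zfs commands it would run (DRY_RUN=1); set DRY_RUN=0 to execute them as root.

```shell
#!/bin/sh
# Added example, not part of openzfsonosx. Shows the dataset layout discussed in
# the thread: the /Users dataset itself stays canmount=noauto, each user's home is
# its own encrypted dataset that is key-loaded and mounted explicitly after import.
# All names below (tank, alice, the key file path) are constructed placeholders.

POOL="${POOL:-tank}"
USERS_DS="${USERS_DS:-$POOL/Users}"   # parent dataset, never mounted itself
HOMEROOT="${HOMEROOT:-/Users}"        # where per-user homes are mounted
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands only, 0 = run them

# run_or_echo: print the command line in dry-run mode, otherwise execute it.
run_or_echo() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dir_is_empty DIR: true if DIR is absent or contains no entries at all.
# zfs mount refuses a populated mountpoint, which is exactly the failure
# goahe hit once macOS had already created a fresh home directory there.
dir_is_empty() {
    [ ! -d "$1" ] || [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# setup_user_dataset USER KEYFILE: one-time creation of an encrypted home dataset.
# keylocation=file:// means the passphrase sits unencrypted in KEYFILE, so that
# file must be root-only (chmod 600) and live on an already encrypted volume.
setup_user_dataset() {
    user="$1"
    keyfile="$2"
    run_or_echo zfs set canmount=noauto "$USERS_DS"
    run_or_echo zfs create \
        -o encryption=aes-256-gcm \
        -o keyformat=passphrase \
        -o keylocation="file://$keyfile" \
        -o mountpoint="$HOMEROOT/$user" \
        -o canmount=noauto \
        "$USERS_DS/$user"
}

# mount_user_home USER: the boot-time step to run right after zpool import.
# Returns 1 without touching anything if the target directory is already populated.
mount_user_home() {
    user="$1"
    ds="$USERS_DS/$user"
    mp="$HOMEROOT/$user"
    if ! dir_is_empty "$mp"; then
        echo "refusing to mount $ds: $mp is not empty" >&2
        return 1
    fi
    run_or_echo zfs load-key "$ds"
    run_or_echo zfs mount "$ds"
}

# Example usage (dry run unless DRY_RUN=0 is exported):
#   setup_user_dataset alice /var/root/.zfs-home-key   # once
#   mount_user_home alice                              # at boot, after import
```

Keeping the parent dataset at canmount=noauto means an admin account whose home lives on the boot volume stays usable even when the key file is missing or the pool fails to import, which is the recovery path cbreak-black describes. The non-empty check makes the script fail loudly instead of silently leaving the user on a freshly created, unencrypted home.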

0x42h commented 4 years ago

Heeey, but wait a second... You're not actually suggesting that I would need to do something for my desires, right?............ sigh 😒

Yeah, I'm the same guy as above; just logged into an old account, accidentally...

Okay, okay, I get the message. I guess I've been slacking for long enough now.

Let me dig into it and see what comes out, ok?

Meanwhile; please bear with me! groovy https://www.youtube.com/watch?v=-_PzTxqJEDw

0x42h commented 3 years ago

Okay, slightly going off-topic, @lundman, but I was thinking about a different approach to my wish: using ZFS as my root filesystem and then using Core Storage to take care of full disk encryption. Would that work? So with that I mean:

  1. Use Core Storage to encrypt the entire disk (that will give me the default encryption password prompt for macOS on boot, right?)
  2. Create a ZPOOL on the LVG that Core Storage produces in 1.
  3. Have my macOS root filesystem as a ZFS dataset in that ZPOOL in 2.

Theoretically, this sounds feasible, if I'm not mistaken, but I couldn't find any documentation about it, or did I simply not understand the documentation that I could find about Core Storage with ZFS?

I believe I did find some documentation about that without having it boot on that as the root disk, but can it also be done on the boot disk?

I think this setup would be a more sensible way to eliminate the above described issue.

I'll test it out on an SD card, as a test. Any pointer would be well-appreciated.