Feature request: Enable use of ZFS datasets and optionally GELI

Daniel Jensen debdrup at gmail.com
Mon Nov 20 20:27:20 CET 2017


I was thinking that GELI could encrypt a ZFS dataset which contains subdirectories in which each file is stored.

I’m still in the early days of putting the idea together, since it needs to be a fork, so there’s probably stuff to be worked out.

> On 20 Nov 2017, at 20.22, Niels Kobschaetzki <niels at kobschaetzki.net> wrote:
> 
> Isn’t GELI a GEOM-class? And those are for GEOMs, how are single files like pass uses them GEOMs? Do you want to create a zfs set for each password and then put GELI on top of that to encrypt it?
> 
> Niels
> 
> On 20. Nov 2017, at 19:58, Daniel Jensen <debdrup at gmail.com> wrote:
> 
>> So it’s probably better to fork pass into zpass or something similar, since it’ll be exclusively for ZFS datasets and can optionally use GELI instead of GPG.
>> 
>> Will give it some thought, but perhaps it wasn’t really a good idea for a feature request after all.
>> 
>> For reference, here are some links that should work:
>> https://man.freebsd.org/geli(8)
>> https://man.freebsd.org/ggatel(8)
>> 
>>> On 20 Nov 2017, at 19.51, Kenny Evitt <kenny.evitt at gmail.com> wrote:
>>> 
>>> (Don't forget to 'reply all' to keep the thread on the list.)
>>> 
>>> Those links don't work for me. But I was able to get at least a sense of what `geli` and `ggatel` are based on some cursory review of Google search results for those terms. Basically, FreeBSD can encrypt arbitrary filesystems.
>>> 
>>> I can't think of what support Pass could have that would be relevant to these features. What specifically do you want to do with Pass and these features that you can't currently?
>>> 
>>> First, being only available on FreeBSD seems pretty limiting. Why would Pass add features only available on one platform?
>>> 
>>> Second, why would you want to combine those features with Pass? Or are you requesting that Pass be modified to (optionally?) make use of the FreeBSD filesystem encryption features *instead* of using GPG (and any other extensions available)?
>>> 
>>> I don't speak for the author and maintainer, but I'd guess this would make more sense as a Pass-like or Pass-inspired project.
>>> 
>>> Pass repos are just directories with GPG-encrypted files. (There are some conventions about what keys should be used to encrypt which files based on *.gpg-id* files in the root directory or sub-directories.) They can also be a Git repo for tracking changes. But besides that they're (perfectly?) independent of any specific filesystem. Would adding support for the FreeBSD GEOM features change that?
>>> 
>>> On Mon, Nov 20, 2017 at 8:15 AM, Daniel Jensen <debdrup at gmail.com> wrote:
>>> Well, it’s a feature that’ll pretty much only work on FreeBSD since it requires GEOM.
>>> 
>>> GEOM ELI (https://man.freebsd.org/geli(8)) and GGATEL (https://man.freebsd.org/ggatel(8)) can be used to mount a disk image as a directory, which is where pass stores its data structure.
>>> 
>>>  
>>>> On 20 Nov 2017, at 14.09, Kenny Evitt <kenny.evitt at gmail.com> wrote:
>>>> 
>>>> I'm using ZFS on some servers, but not with Pass. What kind of features would you want to add to Pass related to ZFS or ZFS datasets?
>>>> 
>>>> What's GELI?
>>>> 
>>>> Depending on what it is exactly that you want, it could probably be implemented as a Pass extension. I'm pretty skeptical that these features, whatever they are, would be sensibly added to Pass itself.
>>>> 
>>>> On Sun, Nov 19, 2017 at 12:22 PM D. Ebdrup <debdrup at gmail.com> wrote:
>>>> ZFS datasets and GELI are really powerful things and would be a great addition to password-store, so I’m wondering if it’s possible to implement this.
>>>> 
>>>> Alternatively, if it’s something I can figure out to do, or find someone with the skill to add it, is it a feature that would be accepted?
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Password-Store mailing list
>>>> Password-Store at lists.zx2c4.com
>>>> https://lists.zx2c4.com/mailman/listinfo/password-store
>>>> 
>>> 
>>> 
>> 
