Feature request: Enable use of ZFS datasets and optionally GELI

Niels Kobschaetzki niels at kobschaetzki.net
Mon Nov 20 20:46:12 CET 2017


But why? That's just files in an encrypted container. You don't need to fork pass for that. Actually you just have to create the zfs set, put geli on top of it, strip pass of its encryption functions and that's it. But even on my FreeBSD machine (and iirc GELI is only available on FBSD; not even the other big BSDs have it, only those derived from FBSD) I can't see any advantage over the normal pass except that I don't need GPG, which I have installed anyway for other stuff (like encrypted passphrases used by mutt etc. to access accounts). And if someone breaks into my machine the zfs set/GELI is mounted and she can read all my passwords. To prevent that I need to encrypt my files again with GPG. What exactly have I won now?

Niels

> On 20. Nov 2017, at 20:27, Daniel Jensen <debdrup at gmail.com> wrote:
> 
> I was thinking that GELI could encrypt a ZFS dataset which contains subdirectories in which each file is stored.
> 
> I’m still in the early days of putting the idea together, since it needs to be a fork, so there’s probably stuff to worked out.
> 
>> On 20 Nov 2017, at 20.22, Niels Kobschaetzki <niels at kobschaetzki.net> wrote:
>> 
>> Isn't GELI a GEOM class? And those are for GEOMs; how are single files, like pass uses them, GEOMs? Do you want to create a zfs set for each password and then put GELI on top of that to encrypt it?
>> 
>> Niels
>> 
>>> On 20. Nov 2017, at 19:58, Daniel Jensen <debdrup at gmail.com> wrote:
>>> 
>>> So it’s probably better to fork pass into zpass or something similar, since it’ll be exclusively for ZFS datasets and can optionally use GELI instead of GPG.
>>> 
>>> Will give it some thought, but perhaps it wasn't really a good idea for a feature request after all.
>>> 
>>> For reference, here are some links that should work:
>>> https://man.freebsd.org/geli(8)
>>> https://man.freebsd.org/ggatel(8)
>>> 
>>>> On 20 Nov 2017, at 19.51, Kenny Evitt <kenny.evitt at gmail.com> wrote:
>>>> 
>>>> (Don't forget to 'reply all' to keep the thread on the list.)
>>>> 
>>>> Those links don't work for me. But I was able to get at least a sense of what `geli` and `ggatel` are based on some cursory review of Google search results for those terms. Basically, FreeBSD can encrypt arbitrary filesystems.
>>>> 
>>>> I can't think of what support Pass could have that would be relevant to these features. What specifically do you want to do with Pass and these features that you can't currently?
>>>> 
>>>> First, being only available on FreeBSD seems pretty limiting. Why would Pass add features only available on one platform?
>>>> 
>>>> Second, why would you want to combine those features with Pass? Or are you requesting that Pass be modified to (optionally?) make use of the FreeBSD filesystem encryption features *instead* of using GPG (and any other extensions available)?
>>>> 
>>>> I don't speak for the author and maintainer, but I'd guess this would make more sense as a Pass-like or Pass-inspired project.
>>>> 
>>>> Pass repos are just directories with GPG-encrypted files. (There are some conventions about which keys should be used to encrypt which files, based on *.gpg-id* files in the root directory or sub-directories.) They can also be a Git repo for tracking changes. But besides that they're (perfectly?) independent of any specific filesystem. Would adding support for the FreeBSD GEOM features change that?
>>>> 
>>>>> On Mon, Nov 20, 2017 at 8:15 AM, Daniel Jensen <debdrup at gmail.com> wrote:
>>>>> Well, it’s a feature that’ll pretty much only work on FreeBSD since it requires GEOM.
>>>>> 
>>>>> GEOM ELI (https://man.freebsd.org/geli(8)) and GGATEL (https://man.freebsd.org/ggatel(8)) can be used to mount a disk image as a directory, which is where pass stores its data structure.
>>>>> 
>>>>> 
>>>>>> On 20 Nov 2017, at 14.09, Kenny Evitt <kenny.evitt at gmail.com> wrote:
>>>>>> 
>>>>>> I'm using ZFS on some servers, but not with Pass. What kind of features would you want to add to Pass related to ZFS or ZFS datasets?
>>>>>> 
>>>>>> What's GELI?
>>>>>> 
>>>>>> Depending on what it is exactly that you want, it could probably be implemented as a Pass extension. I'm pretty skeptical that these features, whatever they are, would be sensibly added to Pass itself.
>>>>>> 
>>>>>>> On Sun, Nov 19, 2017 at 12:22 PM D. Ebdrup <debdrup at gmail.com> wrote:
>>>>>>> ZFS datasets and GELI are really powerful things and would be a great addition to password-store, so I'm wondering if it's possible to implement this.
>>>>>>> 
>>>>>>> Alternatively, if it's something I can figure out how to do, or find someone with the skill to add it, is it a feature that would be accepted?
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Password-Store mailing list
>>>>>>> Password-Store at lists.zx2c4.com
>>>>>>> https://lists.zx2c4.com/mailman/listinfo/password-store
>>>>>>> 
>>>>> 
>>>> 
>>> 
> 
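An added example, not part of this thread and not pass's own code, of the .gpg-id convention Kenny describes above: pass picks the recipients for an entry by walking up from the entry's directory to the store root and using the first .gpg-id file it finds, so a sub-directory can be encrypted to a different (or larger) set of keys than the rest of the store. The store layout and key ids below are constructed for illustration; the functions only resolve recipients and build the gpg -r arguments, they do not call gpg.

```sh
#!/bin/sh
# Example (not pass's own code): resolve the .gpg-id recipients pass would use
# for an entry. Walk from the entry's directory up to the store root and use the
# first .gpg-id found. The demo store below is constructed; the key ids are
# hypothetical.

# usage: pass_gpg_ids STORE ENTRY   -> prints one recipient per line
pass_gpg_ids() {
    store=$1
    dir=$(dirname "$store/$2")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            # skip blank lines and comments, as pass tolerates them
            grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && break        # reached the store root
        case $dir in "$store"/*) ;; *) break ;; esac   # never leave the store
        dir=$(dirname "$dir")
    done
    echo "no .gpg-id found for $2 in $store" >&2
    return 1
}

# usage: pass_gpg_recipient_args STORE ENTRY -> "-r id1 -r id2 ..." for gpg
pass_gpg_recipient_args() {
    pass_gpg_ids "$1" "$2" | while IFS= read -r id; do
        printf -- '-r %s ' "$id"
    done
}

# Build a constructed demo store and print its path:
#   .gpg-id           -> alice@example.com          (applies to personal/*, mail)
#   work/.gpg-id      -> alice + ops-team           (applies to work/**, overrides root)
make_demo_store() {
    s=$(mktemp -d)
    mkdir -p "$s/work/infra" "$s/personal"
    printf '%s\n' 'alice@example.com' > "$s/.gpg-id"
    printf '%s\n' '# shared with the team' 'alice@example.com' 'ops-team@example.com' > "$s/work/.gpg-id"
    printf '%s\n' "$s"
}

# Stand-alone demo
if [ "${1:-}" = "demo" ]; then
    s=$(make_demo_store)
    pass_gpg_recipient_args "$s" work/infra/router; echo
    pass_gpg_recipient_args "$s" personal/bank; echo
fi
```

Note that a machine compromise while the GPG key is unlocked in the agent exposes entries one decryption at a time, whereas a mounted GELI-backed dataset exposes the whole directory tree at once, which is the point Niels makes above.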