Encrypted jails?

Hi:

I would like to know how one could achieve what is described below:

  • Create separate ZFS datasets for separate jails. ( zfs create may do, I guess)
  • Encrypt each dataset with different keys (not the zpool itself only jails, this is where I am stuck as ZFS v28 has no encryption feature enabled as against Solaris' v30). This is a confusing part.
  • Feed the encryption key (not mere password) remotely using SSH. In Linux, it is possible with
    gpg < jail101.key | ssh root@jail101.domain.tld \
    "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md2"
    What is the FreeBSDish way?

Thanks in advance.
 
zennybsd said:
Hi:

1. Create separate ZFS datasets for separate jails. ( zfs create may do, I guess)

I use sysutils/ezjail. This has the option to create a new zfs dataset for each new jail that you create. All you have to do is set this in /usr/local/etc/ezjail.conf:
Code:
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="tank0/usr/jails"

2. Encrypt each dataset with different keys (not the zpool itself only jails, this is where I am stuck as ZFS v28 has no encryption feature enabled as against Solaris' v30). This is a confusing part.

Usually people use geli+zfs, but this would encrypt the whole zpool, which is something that you don't want, unless you put all your jails in a different zpool. Otherwise have a look at pefs. I don't have any experience with this, but I have read that PC-BSD is using it to encrypt home directories, while still using zfs. You can change the settings to encrypt only the jail directories.
 
blazingice said:
I use sysutils/ezjail. This has the option to create a new zfs dataset for each new jail that you create. All you have to do is set this in /usr/local/etc/ezjail.conf:
Code:
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="tank0/usr/jails"

Thanks. How can one use permission delegation to zfs datasets using 'zfs allow user permissions dataset' using ezjail?


blazingice said:
Usually people use geli+zfs, but this would encrypt the whole zpool, which is something that you don't want, unless you put all your jails in a different zpool. Otherwise have a look at pefs. I don't have any experience with this, but I have read that PC-BSD is using it to encrypt home directories, while still using zfs. You can change the settings to encrypt only the jail directories.

Thanks for pointing to pefs; it sounds interesting, except that it supports 128-bit encryption. It would be nice if someone shared their experience with pefs with 256-bit encryption.
 
zennybsd said:
Thanks. How can one use permission delegation to zfs datasets using 'zfs allow user permissions dataset' using ezjail?

I'm not sure if I understood you right, but ezjail-admin create JAILNAME is run as root. I don't think you can run it as a normal user, so there is no point delegating zfs permissions to other users.
 
zennybsd said:
Hi:

I would like to know how one could achieve what is described below:

  • Create separate ZFS datasets for separate jails. ( zfs create may do, I guess)
  • Encrypt each dataset with different keys (not the zpool itself only jails, this is where I am stuck as ZFS v28 has no encryption feature enabled as against Solaris' v30). This is a confusing part.
  • Feed the encryption key (not mere password) remotely using SSH. In Linux, it is possible with
    gpg < jail101.key | ssh root@jail101.domain.tld \
    "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md2"
    What is the FreeBSDish way?

Thanks in advance.

You can create GELI encrypted ZVOLs and format them as UFS2. That would be the easiest way IMO. Something like that would do it:

zfs create -V 10G tank/jails/myjail1                       # 10G zvol for this jail
dd if=/dev/random of=/tank/jails/myjail1.key bs=64 count=1 # 64-byte key file
geli init -s 4096 -K /tank/jails/myjail1.key /dev/zvol/tank/jails/myjail1
geli attach -k /tank/jails/myjail1.key /dev/zvol/tank/jails/myjail1
bsdlabel -w -B /dev/zvol/tank/jails/myjail1.eli
newfs -U -L myjail1 /dev/zvol/tank/jails/myjail1.eli       # UFS2 on the .eli device
mount /dev/ufs/myjail1 /usr/jails/myjail1
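The FreeBSD counterpart of the gpg | ssh | losetup pipeline asked for in the first post, built on the GELI-on-zvol recipe above; this is an added example, not code from the thread or from ezjail. It assumes pool tank, an ezjail-style /usr/jails layout, the script saved as /root/jailcrypt.sh on the jail host, and that geli(8) reads a key file given as -k /dev/stdin.

```shell
#!/bin/sh
# Added example, not code from the thread: wraps the GELI-on-zvol recipe so
# that the per-jail key is generated on the admin workstation and piped to the
# host over ssh on every attach; the host never stores a key file.
# Assumptions: pool "tank", ezjail-style /usr/jails, geli(8) accepting
# -k /dev/stdin (it simply reads the key file to EOF), ssh/gpg on the admin side.
# Key generation on the workstation (key only ever exists gpg-encrypted):
#   dd if=/dev/random bs=64 count=1 | gpg -e -r admin > jail101.key.gpg
set -eu

POOL=${POOL:-tank}
JAILROOT=${JAILROOT:-/usr/jails}

zvol_dev() {                 # zvol_dev JAIL -> raw zvol device for that jail
  printf '/dev/zvol/%s/jails/%s\n' "$POOL" "$1"
}

# The one-liner typed on the admin workstation: the key travels only through
# the ssh pipe and lands in the kernel, never on the host's disk.
admin_attach_line() {        # admin_attach_line JAIL HOST KEYFILE.gpg
  printf 'gpg -d %s | ssh root@%s "sh /root/jailcrypt.sh attach %s"\n' "$3" "$2" "$1"
}

host_init() {                # host_init JAIL SIZE   (key on stdin, run as root)
  zfs create -V "$2" "$POOL/jails/$1"
  geli init -s 4096 -P -K /dev/stdin "$(zvol_dev "$1")"   # key file only, no passphrase
}

host_attach() {              # host_attach JAIL [format]   (key on stdin)
  dev=$(zvol_dev "$1")
  geli attach -p -k /dev/stdin "$dev"
  [ "${2:-}" = format ] && newfs -U -L "$1" "$dev.eli"   # first attach only
  mkdir -p "$JAILROOT/$1"
  mount "/dev/ufs/$1" "$JAILROOT/$1"
}

host_detach() {              # host_detach JAIL -> data back at rest, key gone from kernel
  umount "$JAILROOT/$1"
  geli detach "$(zvol_dev "$1").eli"
}

case "${1:-}" in             # no argument: only define the functions
  init)   host_init "$2" "$3" ;;
  attach) host_attach "$2" "${3:-}" ;;
  detach) host_detach "$2" ;;
esac
```

First-time setup is `init` followed by `attach JAIL format`, each with the key piped in; as kpa points out below, the data is readable by root on the host while attached, so `detach` when the jail is stopped is what actually puts it back at rest.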
 
gkontos said:
You can create GELI encrypted ZVOLs and format them as UFS2. That would be the easiest way IMO. Something like that would do it:

zfs create -V 10G tank/jails/myjail1                       # 10G zvol for this jail
dd if=/dev/random of=/tank/jails/myjail1.key bs=64 count=1 # 64-byte key file
geli init -s 4096 -K /tank/jails/myjail1.key /dev/zvol/tank/jails/myjail1
geli attach -k /tank/jails/myjail1.key /dev/zvol/tank/jails/myjail1
bsdlabel -w -B /dev/zvol/tank/jails/myjail1.eli
newfs -U -L myjail1 /dev/zvol/tank/jails/myjail1.eli       # UFS2 on the .eli device
mount /dev/ufs/myjail1 /usr/jails/myjail1

You don't need to create bsdlabels. You can run # newfs straight after geli attach.
 
I don't get what the encryption would buy you unless you want to secure the data when the system is offline. When the system is up and running everything in the jail is fully readable from the host system by superuser regardless of the encryption.
 
kpa said:
I don't get what the encryption would buy you unless you want to secure the data when the system is offline. When the system is up and running everything in the jail is fully readable from the host system by superuser regardless of the encryption.

Yes, you are absolutely right.

I am searching for file-level system encryption like ciphertite (I am reading about pefs, and still looking forward to more input about pefs experience from someone in this forum), which does not seem possible right at the moment with FreeBSD, or correct me if I am mistaken!

My scenario is a single machine with several development jails, handled by different members of the team. Some of the team members want their jails locked to themselves. Therefore the problem arose.

blazingice said:
I use sysutils/ezjail. This has the option to create a new zfs dataset for each new jail that you create. All you have to do is set this in /usr/local/etc/ezjail.conf:
Code:
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="tank0/usr/jails"

ezjail is a very nice pointer. Thanks. BTW, when I read http://erdgeist.org/arts/software/ezjail/#Slowstart, there is a provision for encrypting the jails:

To create encrypted image jails, use the -c switch and either pass bde or eli and follow the instructions on screen:

ezjail-admin create -c eli -i 16G example.com 10.0.0.3

But I didn't see a way to do the same with an encryption key, or did I miss something? Thanks
 
The jails are separated by each other.

I do not know any virtualization technology, where the administrator does not have full access to any virtual machine.

Regards
Markus
 
zennybsd said:
My scenario is a single machine with several development jails, handled by different members of the team. Some of the team members want their jails locked to themselves. Therefore the problem arose.

If the jail is running the data is accessible, something everyone that starts with encryption seems to forget. The filesystem needs to be unencrypted or the system can't run it.

Filesystem encryption is only useful to prevent someone physically stealing the server from being able to access your data.
 
storvi_net said:
The jails are separated by each other.

I do not know any virtualization technology, where the administrator does not have full access to any virtual machine.

Regards
Markus

The problem is not the access to the jails by the administrator, but between the owners of the development jails, because the sudoer has broken one of the jails of jail-ownerN. Therefore, the latter is asking the sudoer, who is also jail-owner1, not to mess with his work in jailN.

Code:
Jail Administrator (BaseJail0)----------------------------
                 |                      |                 |
               jail1                  jail2             jailN
                 |                      |                 | 
           sudoer+jail-owner1      jail-owner2      jail-ownerN


And that is the reason I am trying to figure out file-level encryption. Maybe pefs is the way to go or wait for more inputs and suggestions.

@storvi_net and @SirDice: Thanks for your inputs!
 
If you are using sudo, you could adjust the file /etc/sudoers by using visudo, so that the owner of jail 1 just can administrate in his scope.

So you could achieve your target by applying a whitelist.

Regards
Markus
 
zennybsd said:
The problem is not the access to the jails by the administrator, but between the owners of the development jails, because the sudoer has broken one of the jails of jail-ownerN. Therefore, the latter is asking the sudoer, who is also jail-owner1, not to mess with his work in jailN.

Filesystem encryption isn't going to help you with this. You should probably look into what @storvi_net said.
 