This How to considers ZFS is setup as zroot/home i.e. the default - if not, make changes accordingly.
Configuring PAM to automatically (be able to) mount your zfs home directory on login:
/etc/pam.d/system
and to change zfs key alongside with your password:
/etc/pam.d/passwd
This works fine with
and on
(lightdm-gtk-greeter works too).
On login it asks for password once and logs you in, mounting encrypted home properly.
works as intended. Only difference is that when you change password for your_user as root, it will first ask for Old Passphrase. Which you can ignore (Enter) if the user does not have Encrypted ZFS dataset. If your_user does have Encrypted home, your_user will need to change his zfs key passphrase later on to match his login password.
For ssh to work you need:
/usr/local/etc/doas.conf
And to mount home after ssh login:
Configuring PAM to automatically (be able to) mount your zfs home directory on login:
/etc/pam.d/system
Code:
auth required pam_unix.so no_warn try_first_pass nullok
auth optional pam_zfs_key.so try_first_pass homes=zroot/home
session optional pam_zfs_key.so homes=zroot/homeand to change zfs key alongside with your password:
/etc/pam.d/passwd
Code:
password optional pam_zfs_key.so homes=zroot/home
password required pam_unix.so no_warn try_first_pass nullokThis works fine with
adduserand on
login(lightdm-gtk-greeter works too).
On login it asks for password once and logs you in, mounting encrypted home properly.
passwdworks as intended. Only difference is that when you change password for your_user as root, it will first ask for Old Passphrase. Which you can ignore (Enter) if the user does not have Encrypted ZFS dataset. If your_user does have Encrypted home, your_user will need to change his zfs key passphrase later on to match his login password.
For ssh to work you need:
/usr/local/etc/doas.conf
Code:
permit nopass your_user as root cmd zfs args mount -l zroot/home/your_userAnd to mount home after ssh login:
doas zfs mount -l zroot/home/your_user
