I'd like to set up a FreeBSD installation with only my home directory encrypted. I've fiddled with GELI, and I'd like the machine to be one I can reboot remotely, so typing a password in at boot is a non-starter.
I'm aware that it's possible to do an encrypted user directory that is automatically decrypted at login using PEFS and its PAM module (e.g., https://forums.freebsd.org/threads/pefs-encrypted-directory.67204/), and I think this would work for me in general, though I'm a little wary of the various failure modes with being able to write to the directory while it's still encrypted.
For that reason and general interest in using fewer subsystems simultaneously, I'm wondering if there's a way to do something similar using ZFS native encryption, since I'm intending use root-on-ZFS. I know ZFS can encrypt individual datasets (Klara Systems seems to have a nice tutorial on the basics), and it's clear that I could make my home directory live in such a dataset. But I haven't been able to find any information on doing decryption at login, only manually decrypting via entering the key or just having an encryption key in a file such that it gets decrypted as soon as the system is booted (and for that matter, leaving the key on an unencrypted dataset). Has anyone successfully done this before, or does anyone know where to start?
I'm aware that it's possible to do an encrypted user directory that is automatically decrypted at login using PEFS and its PAM module (e.g., https://forums.freebsd.org/threads/pefs-encrypted-directory.67204/), and I think this would work for me in general, though I'm a little wary of the various failure modes with being able to write to the directory while it's still encrypted.
For that reason and general interest in using fewer subsystems simultaneously, I'm wondering if there's a way to do something similar using ZFS native encryption, since I'm intending use root-on-ZFS. I know ZFS can encrypt individual datasets (Klara Systems seems to have a nice tutorial on the basics), and it's clear that I could make my home directory live in such a dataset. But I haven't been able to find any information on doing decryption at login, only manually decrypting via entering the key or just having an encryption key in a file such that it gets decrypted as soon as the system is booted (and for that matter, leaving the key on an unencrypted dataset). Has anyone successfully done this before, or does anyone know where to start?