From: Eric McCorkle <eric@metricspace.net>
To: freebsd-hackers@freebsd.org
Subject: autounmountd unload ZFS keys
Date: Mon, 30 Aug 2021 08:00:16 -0400
Message-ID: <79ba78a2-7125-144a-cff9-41dde28d0599@metricspace.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Hello all,

I finally got some free time to hack on FreeBSD again. I have a patch that will enable autounmountd to unload ZFS encryption keys whenever it unmounts a ZFS dataset:

https://reviews.freebsd.org/D31725

This is the first of a pair which I'm planning to do, which will enable you to have encrypted ZFS home directories managed by autofs, which will only have the keys loaded while a given user is logged in. (This is a common requirement in standards for high-security systems.)

The next one I'm planning to work on is a pam module that will load ZFS keys upon a successful login.
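As an added example (not part of the post above or of the D31725 patch), a small sh audit for the state the patch is meant to prevent: a dataset that autounmountd has already unmounted but whose encryption key is still loaded. It assumes the OpenZFS `mounted` and `keystatus` properties as printed by `zfs list -H`; the dataset names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the patch or the mailing-list post.
# Flags ZFS datasets that are unmounted but still have their key loaded,
# which is exactly what autounmountd leaves behind without the patch.
# Input lines: name<TAB>mounted<TAB>keystatus, as produced by
#   zfs list -H -o name,mounted,keystatus -t filesystem

# Print the names of datasets with mounted=no and keystatus=available.
# keystatus is "available" when a key is loaded, "unavailable" when it is
# not, and "none" for unencrypted datasets.
stale_keys() {
    awk -F'\t' '$2 == "no" && $3 == "available" { print $1 }'
}

# Run the check against the live system (needs zfs(8)). Returns non-zero
# when anything is flagged, so it can be wired into cron or a logout hook.
audit_live() {
    out=$(zfs list -H -o name,mounted,keystatus -t filesystem | stale_keys)
    if [ -n "$out" ]; then
        printf 'key still loaded for unmounted dataset(s):\n%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# Constructed sample of zfs list output for an offline demonstration:
# bob's home is unmounted but its key is still loaded; carol's is clean.
SAMPLE='zroot\tyes\tnone
zroot/home\tyes\tnone
zroot/home/alice\tyes\tavailable
zroot/home/bob\tno\tavailable
zroot/home/carol\tno\tunavailable'

# Feed the sample through the checker (%b expands the \t escapes).
sample_result() {
    printf '%b\n' "$SAMPLE" | stale_keys
}

sample_result   # prints: zroot/home/bob
```

Call `audit_live` instead of `sample_result` to check a real system.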