# FreeBSD and Home Encryption



## unbalancedskunk (Nov 20, 2022)

I wonder, is it possible to encrypt the home folder? If not, can you advise me of a good encryption tool for encrypting my data? I know Veracrypt and am looking for others.
Note: I again typed u, I'm really sorry but it's a habit. There is nothing intentional.


----------



## monwarez (Nov 20, 2022)

You can have a look at sysutils/pefs-kmod; you will just need to have a robust password to ensure good encryption of the data.


----------



## mer (Nov 20, 2022)

If you are running at least 13.0 and using ZFS, why not take a look at ZFS native encryption?
It's per dataset (you can make each user's home directory a distinct dataset).









OpenZFS Native Encryption

Starting with 13.0, FreeBSD supports OpenZFS native encryption. Learn more about how native encryption is different from GELI, what benefits it adds, how to create encrypted databases, and more.

klarasystems.com


----------



## Profighost (Nov 20, 2022)

You may consider whether the whole /home/ needs to be encrypted.
E.g. I put sensitive data into an encrypted file (you can do this additionally, though).
Or on my mobile computers the whole disk is encrypted, including home.

Another way could be to mount /home onto its own encrypted partition or disk.
ZFS, as mer mentioned, offers good possibilities for that,
but it's also possible with UFS.
(The Handbook and other how-tos, which you'll find quickly, describe how to do it. It's not rocket science.)


----------



## tanis (Nov 20, 2022)

I have used PEFS on top of ZFS to encrypt my home directories for the past couple of years. It worked like a charm; unfortunately, when I upgraded from 12.3 to 13.1 something went wrong (probably my fault) and I was unable to reliably decrypt my home directory using PEFS. So I switched from PEFS to ZFS native encryption for encrypting my home directories and restored all my data from my daily backup. So far it works; the only drawback is that when I log out my home directory stays mounted and unencrypted. This is not a big issue for me, as encryption shall protect me against hardware theft and when I travel I always power down my laptop.


----------
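
An added example (not part of any post in this thread): a POSIX sh check for the drawback tanis describes above, listing per-user encrypted home datasets whose key is still loaded although the owner has no login session. The layout `zroot/home/<user>`, the user names and the sample `zfs get` output are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes one encrypted dataset per user
# under zroot/home (hypothetical layout), created with something like:
#   zfs create -o encryption=on -o keyformat=passphrase \
#       -o keylocation=prompt zroot/home/alice

# stale_unlocked PARENT "user1 user2 ..."
# stdin : output of `zfs get -H -o name,property,value keystatus,mounted -r PARENT`
# stdout: datasets whose key is loaded but whose owner is not in the user list
stale_unlocked() {
    awk -F '\t' -v parent="$1" -v active=" $2 " '
        $2 == "keystatus" { key[$1] = $3 }
        $2 == "mounted"   { mnt[$1] = $3 }
        END {
            for (ds in key) {
                # skip the parent, unencrypted ("-") and locked datasets
                if (ds == parent || key[ds] != "available") continue
                # owner = first path component below the parent dataset
                split(substr(ds, length(parent) + 2), part, "/")
                if (index(active, " " part[1] " ") == 0)
                    print ds, (mnt[ds] == "yes" ? "mounted" : "key-loaded")
            }
        }' | sort
}

# Constructed sample of the tab-separated `zfs get -H` output.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        zroot/home       keystatus -           zroot/home       mounted yes \
        zroot/home/alice keystatus available   zroot/home/alice mounted yes \
        zroot/home/bob   keystatus available   zroot/home/bob   mounted yes \
        zroot/home/carol keystatus available   zroot/home/carol mounted no \
        zroot/home/dave  keystatus unavailable zroot/home/dave  mounted no
}

# Demo on the sample: only alice is logged in.
sample_zfs_get | stale_unlocked zroot/home "alice"

# Live use (as root), then lock each reported dataset (unmount first if mounted):
#   zfs get -H -o name,property,value keystatus,mounted -r zroot/home |
#       stale_unlocked zroot/home "$(who | awk '{print $1}' | sort -u | tr '\n' ' ')"
#   zfs unmount zroot/home/bob && zfs unload-key zroot/home/bob
```

A dataset reported as `key-loaded` is not mounted but can be mounted again without the passphrase until `zfs unload-key` is run on it.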



## monwarez (Nov 20, 2022)

tanis said:


> I have used PEFS on top of ZFS to encrypt my home directories for the past couple of years. It worked like a charm; unfortunately, when I upgraded from 12.3 to 13.1 something went wrong (probably my fault) and I was unable to reliably decrypt my home directory using PEFS.


I think it was not your fault: between 13.0 and 13.1 a new version of ZFS was merged and caused PEFS to fail to work reliably: locking a file did not work, and you could have the same files multiple times. It is now fixed with the latest version as of now (I did not check if mounting pefs on top of an NFS mount still works).

ZFS native encryption, for me, just needs to have a PAM module to be a real replacement for PEFS. But it has the advantage of being in the source tree, and so will not break between upgrades.


----------



## tanis (Nov 20, 2022)

monwarez said:


> I think it was not your fault: between 13.0 and 13.1 a new version of ZFS was merged and caused PEFS to fail to work reliably: locking a file did not work, and you could have the same files multiple times. It is now fixed with the latest version as of now (I did not check if mounting pefs on top of an NFS mount still works).



That's exactly what I experienced, thanks for clearing that up for me.



monwarez said:


> ZFS native encryption, for me, just needs to have a PAM module to be a real replacement for PEFS. But it has the advantage of being in the source tree, and so will not break between upgrades.


Idk if you are aware of the following thread, in particular the following posting: pam_zfs_key.

That's what I'm currently using, and it is the experience I described in my initial posting.


----------

