# Encrypted jails?



## zennybsd (Jul 29, 2013)

Hi:

I would like to know how one could achieve something as described below:


1. Create separate ZFS datasets for separate jails. (`zfs create` may do, I guess)
2. Encrypt each dataset with different keys (not the zpool itself, only the jails; this is where I am stuck, as ZFS v28 has no encryption feature enabled, as against Solaris' v30). This is a confusing part.
3. Feed the encryption key (not a mere password) remotely using SSH. In Linux, it is possible with
   `gpg < jail101.key | ssh root@jail101.domain.tld "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md2"`. What is the FreeBSDish way?

Thanks in advance.


----------



## blazingice (Jul 29, 2013)

zennybsd said:

> Hi:
> 
> 1. Create separate ZFS datasets for separate jails. (`zfs create` may do, I guess)



I use sysutils/ezjail. This has the option to create a new zfs dataset for each new jail that you create. All you have to do is set this in /usr/local/etc/ezjail.conf:

```
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="tank0/usr/jails"
```



> 2. Encrypt each dataset with different keys (not the zpool itself, only the jails; this is where I am stuck, as ZFS v28 has no encryption feature enabled, as against Solaris' v30). This is a confusing part.



Usually people use geli+zfs, but this would encrypt the whole zpool, which is something that you don't want, unless you put all your jails in a different zpool. Otherwise have a look at pefs. I don't have any experience with this, but I have read that PC-BSD is using it to encrypt home directories, while still using zfs. You can change the settings to encrypt only the jail directories.


----------



## zennybsd (Jul 29, 2013)

blazingice said:

> I use sysutils/ezjail. This has the option to create a new zfs dataset for each new jail that you create. All you have to do is set this in /usr/local/etc/ezjail.conf:
> 
> ```
> ezjail_use_zfs="YES"
> ...



Thanks. How can one use permission delegation to ZFS datasets using `zfs allow user permissions dataset` with ezjail?




			
blazingice said:

> Usually people use geli+zfs, but this would encrypt the whole zpool, which is something that you don't want, unless you put all your jails in a different zpool. Otherwise have a look at pefs. I don't have any experience with this, but I have read that PC-BSD is using it to encrypt home directories, while still using zfs. You can change the settings to encrypt only the jail directories.



Thanks for pointing to pefs, it sounds interesting, except that it supports 128-bit encryption; it would be nice if someone shared their experience with pefs with 256-bit encryption.


----------



## storvi_net (Jul 29, 2013)

May I ask what you want to achieve?
Why does each jail have to be encrypted with an independent key?

Regards
Markus


----------



## blazingice (Jul 29, 2013)

zennybsd said:

> Thanks. How can one use permission delegation to ZFS datasets using `zfs allow user permissions dataset` with ezjail?



I'm not sure if I understood you right, but `ezjail-admin create JAILNAME` is run as root. I don't think you can run it as a normal user, so there is no point delegating zfs permissions to other users.


----------



## gkontos (Jul 29, 2013)

zennybsd said:

> Hi:
> 
> I would like to know how could one achieve something as described below:
> 
> ...



You can create GELI encrypted ZVOLs and format them as UFS2. That would be the easiest way IMO. Something like that would do it:

```
zfs create -V 10G tank/jails/myjail1
# 64 random bytes as the key file; keep it off the pool it protects
dd if=/dev/random of=/root/myjail1.key bs=64 count=1
geli init -s 4096 -K /root/myjail1.key /dev/zvol/tank/jails/myjail1
geli attach -k /root/myjail1.key /dev/zvol/tank/jails/myjail1
# label the attached .eli provider, then newfs its 'a' partition
bsdlabel -w -B /dev/zvol/tank/jails/myjail1.eli
newfs -U -L myjail1 /dev/zvol/tank/jails/myjail1.elia
mount /dev/ufs/myjail1 /usr/jails/myjail1
```


----------



## graudeejs (Jul 29, 2013)

gkontos said:

> You can create GELI encrypted ZVOLs and format them as UFS2. That would be the easiest way IMO. Something like that would do it:
> 
> `zfs create -V 10G /tank/jails/myjail1`
> `dd if=/dev/random of=/tank/jails/myjail1`
> ...



You don't need to create bsdlabels. You can run `# newfs` straight after `geli attach`.
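The sequence from gkontos' post, scripted as an added example (this is not code posted by gkontos, graudeejs or the ezjail project): one GELI-encrypted ZVOL per jail with its own key file, running `newfs` straight on the attached provider as graudeejs suggests, plus the matching detach so the data is unreadable again once the owner is done. It assumes a pool named `tank`, ZVOLs under `tank/jails`, jail roots under `/usr/jails`, and a key directory outside the pool; all of these are placeholders. `DRY_RUN=1` prints each command instead of running it, since the real commands need root on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from this thread: one GELI-encrypted ZVOL per jail
# with a per-jail key file. Assumed layout: pool "tank", ZVOLs under
# tank/jails, jail roots under /usr/jails, key files off the pool.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Device node ZFS exposes for the ZVOL, and the GELI provider layered on it.
jail_zvol() { echo "/dev/zvol/$1/jails/$2"; }
jail_geli_provider() { echo "$(jail_zvol "$1" "$2").eli"; }

# jail_geli_create POOL JAIL SIZE KEYDIR
jail_geli_create() {
    pool=$1; jail=$2; size=$3; keydir=$4
    key="$keydir/$jail.key"
    zvol=$(jail_zvol "$pool" "$jail")

    run zfs create -V "$size" "$pool/jails/$jail"
    # 64 bytes of random key material, readable by root only (umask 077).
    run mkdir -p "$keydir"
    run sh -c "umask 077 && dd if=/dev/random of='$key' bs=64 count=1"
    # -s 4096: 4 KiB provider sectors; -K: the key file is part of the
    # master-key derivation. geli still asks for a passphrase unless -P is given.
    run geli init -s 4096 -K "$key" "$zvol"
    run geli attach -k "$key" "$zvol"
    # Format the .eli provider, never the raw ZVOL (that would overwrite the
    # GELI metadata and write plaintext). The label gives /dev/ufs/$jail.
    run newfs -U -L "$jail" "$zvol.eli"
    run mkdir -p "/usr/jails/$jail"
    run mount "/dev/ufs/$jail" "/usr/jails/$jail"
}

# jail_geli_detach POOL JAIL: unmount and drop the key from the kernel; the
# data stays unreadable until someone re-attaches with the key file.
jail_geli_detach() {
    pool=$1; jail=$2
    run umount "/usr/jails/$jail"
    run geli detach "$(jail_geli_provider "$pool" "$jail")"
}

# Stand-alone usage:
#   DRY_RUN=1 sh jail-geli.sh create tank myjail1 10G /root/jailkeys
#   sh jail-geli.sh detach tank myjail1
case "${1:-}" in
    create) jail_geli_create "$2" "$3" "$4" "$5" ;;
    detach) jail_geli_detach "$2" "$3" ;;
esac
```

Note that the jail owner must be present (or reachable over SSH, as in the original question) whenever the jail is attached, and that, as kpa and SirDice point out later in the thread, the host's root can read everything while the provider is attached; the script only protects the ZVOL while it is detached.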


----------



## kpa (Jul 29, 2013)

I don't get what the encryption would buy you unless you want to secure the data when the system is offline. When the system is up and running everything in the jail is fully readable from the host system by superuser regardless of the encryption.


----------



## zennybsd (Jul 30, 2013)

kpa said:

> I don't get what the encryption would buy you unless you want to secure the data when the system is offline. When the system is up and running everything in the jail is fully readable from the host system by superuser regardless of the encryption.



Yes, you are absolutely right. 

I am searching for a file-level encryption system like Cyphertite (reading about pefs, and still looking forward to more input about pefs experience from someone in this forum), which does not seem possible right at the moment with FreeBSD, or correct me if I am mistaken!

My scenario is a single machine with several development jails, handled by different members of the team. Some of the team members want their jails locked to themselves. Therefore the problem arose.



			
blazingice said:

> I use sysutils/ezjail. This has the option to create a new zfs dataset for each new jail that you create. All you have to do is set this in /usr/local/etc/ezjail.conf:
> 
> ```
> ezjail_use_zfs="YES"
> ...



ezjail is a very nice pointer. Thanks. BTW, when I read http://erdgeist.org/arts/software/ezjail/#Slowstart, there is a provision for encrypting the jails:



> To create encrypted image jails, use the -c switch and either pass bde or eli and follow the instructions on screen:
> 
> `ezjail-admin create -c eli -i 16G example.com 10.0.0.3`



But I didn't see a way to do the same with an encryption key, or did I miss something? Thanks


----------



## storvi_net (Jul 30, 2013)

The jails are separated from each other.

I do not know of any virtualization technology where the administrator does not have full access to every virtual machine.

Regards
Markus


----------



## SirDice (Jul 30, 2013)

zennybsd said:

> My scenario is a single machine with several development jails, handled by different members of the team. Some of the team members want their jails locked to themselves. Therefore the problem arose.


If the jail is running, the data is accessible, something everyone who starts with encryption seems to forget. The filesystem needs to be unencrypted or the system can't run it.

Filesystem encryption is only useful to prevent someone physically stealing the server from being able to access your data.


----------



## zennybsd (Jul 30, 2013)

storvi_net said:

> The jails are separated from each other.
> 
> I do not know of any virtualization technology where the administrator does not have full access to every virtual machine.
> 
> ...



The problem is not access to the jails by the administrator, but between the owners of the development jails, because the sudoer has broken one of the jails belonging to jail-ownerN. Therefore, the latter is asking the sudoer, who is also jail-owner1, not to mess with his work in jailN.


```
Jail Administrator (BaseJail0)----------------------------
                 |                      |                 |
               jail1                  jail2             jailN
                 |                      |                 | 
           sudoer+jail-owner1      jail-owner2      jail-ownerN
```


And that is the reason I am trying to figure out file-level encryption. Maybe pefs is the way to go or wait for more inputs and suggestions. 

@storvi_net and @SirDice: Thanks for your inputs!


----------



## storvi_net (Jul 30, 2013)

If you are using sudo, you could adjust the file /etc/sudoers by using `visudo`, so that the owner of jail 1 can only administer within his own scope.

So you could achieve your target by applying a whitelist.

Regards
Markus
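As an added example of the whitelist storvi_net describes (this is not code from the thread, from sudo or from the ezjail project), the script below generates one sudoers fragment per owner/jail pair from zennybsd's diagram, so that jail-owner1 can only start, stop, restart, console into and run commands inside jail1, and nothing else as root. It assumes sudo from ports with `/usr/local/etc/sudoers.d` included, `ezjail-admin` in `/usr/local/bin`, `jexec` in `/usr/sbin`, and placeholder names such as `owner1` and `jail1`.

```shell
#!/bin/sh
# Added example, not from the thread: per-jail sudo whitelist generator.
# Assumptions: sudo from ports reading /usr/local/etc/sudoers.d,
# ezjail-admin in /usr/local/bin, jexec in /usr/sbin; names are placeholders.
set -eu

EZJAIL=/usr/local/bin/ezjail-admin
JEXEC=/usr/sbin/jexec

# Cmnd_Alias names may only contain upper-case letters, digits and '_'.
jail_alias_tag() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -c 'A-Z0-9\n' '_'
}

# jail_sudoers_fragment OWNER JAIL: print a fragment that lets OWNER manage
# JAIL's lifecycle and run commands inside it, and grants nothing else.
jail_sudoers_fragment() {
    owner=$1; jail=$2
    tag=$(jail_alias_tag "$jail")
    cat <<EOF
# sudo whitelist for $owner: scope limited to jail "$jail"
# Argument lists are matched literally, so commands naming any other jail,
# or ezjail-admin subcommands not listed here, are denied.
Cmnd_Alias ${tag}_LIFECYCLE = $EZJAIL start $jail, \\
                              $EZJAIL stop $jail, \\
                              $EZJAIL restart $jail, \\
                              $EZJAIL console $jail
# The wildcard allows any command line, but only inside $jail.
Cmnd_Alias ${tag}_EXEC = $JEXEC $jail *
$owner ALL = (root) ${tag}_LIFECYCLE, ${tag}_EXEC
EOF
}

# jail_sudoers_install OWNER JAIL: write the fragment into sudoers.d with the
# mode sudo expects (0440) and print the path. sudo skips file names
# containing '.' or '~', so the jail name is sanitised for the file name.
jail_sudoers_install() {
    owner=$1; jail=$2
    dir=${SUDOERS_D:-/usr/local/etc/sudoers.d}
    file="$dir/jail_$(printf '%s' "$jail" | tr -c 'A-Za-z0-9_\n' '_')"
    mkdir -p "$dir"
    jail_sudoers_fragment "$owner" "$jail" > "$file"
    chmod 0440 "$file"
    echo "$file"
}

# Stand-alone usage (as root): sh jail-sudoers.sh install owner1 jail1
# visudo -c -f parses the new file and reports syntax errors before sudo
# ever reads it.
case "${1:-}" in
    install) f=$(jail_sudoers_install "$2" "$3") && visudo -c -f "$f" ;;
    show)    jail_sudoers_fragment "$2" "$3" ;;
esac
```

Keeping the argument lists exact matters: a rule such as `ezjail-admin *` would also cover `ezjail-admin delete jailN` or `ezjail-admin console jailN`, which is exactly the cross-jail access the thread is trying to rule out.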


----------



## SirDice (Jul 31, 2013)

zennybsd said:

> The problem is not access to the jails by the administrator, but between the owners of the development jails, because the sudoer has broken one of the jails belonging to jail-ownerN. Therefore, the latter is asking the sudoer, who is also jail-owner1, not to mess with his work in jailN.


Filesystem encryption isn't going to help you with this. You should probably look into what @storvi_net said.


----------

