@prefix :       <https://github.com/BillieBadin/eZFS2FA#> .
@prefix schema: <https://schema.org/> .
@prefix skos:   <http://www.w3.org/2004/02/skos/core#> .
@prefix prov:   <http://www.w3.org/ns/prov#> .
@prefix owl:    <http://www.w3.org/2002/07/owl#> .
@prefix rdfs:   <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xsd:    <http://www.w3.org/2001/XMLSchema#> .
@prefix dbr:    <http://dbpedia.org/resource/> .
@prefix foaf:   <http://xmlns.com/foaf/0.1/> .

##############################################################
## PRIMARY DOCUMENTS
##############################################################

:githubRepo
    a schema:SoftwareSourceCode, schema:TechArticle ;
    schema:name "eZFS2FA+ GitHub Repository" ;
    schema:url "https://github.com/BillieBadin/eZFS2FA"^^xsd:anyURI ;
    schema:description "Source code and documentation for eZFS2FA+: hardened encrypted ZFS dataset management with FIDO2 two-factor authentication for FreeBSD and Linux." ;
    schema:datePublished "2026-05-11"^^xsd:date ;
    schema:license "https://opensource.org/licenses/MIT"^^xsd:anyURI ;
    schema:author :billeBadin ;
    schema:programmingLanguage "Python", "Shell" ;
    schema:version "1.0.0" ;
    schema:keywords "FreeBSD", "ZFS", "FIDO2", "encryption", "2FA", "security", "Linux" ;
    prov:wasAttributedTo :billeBadin, :sigoryxEngineering .

:linkedInPost
    a schema:SocialMediaPosting ;
    schema:name "This is what FreeBSD-first looks like when someone actually means it." ;
    schema:url "https://www.linkedin.com/posts/vvoss_this-is-what-freebsd-first-looks-like-when-share-7459874878171693056-wqRH"^^xsd:anyURI ;
    schema:description "Vivian Voss's LinkedIn commentary praising eZFS2FA+ by Billie Badin — highlighting honest threat modeling, zero lock-in design, and the Pi-BSD development platform." ;
    schema:datePublished "2026-05-11"^^xsd:date ;
    schema:author :vivianVoss ;
    schema:about :eZFS2FAPlus ;
    schema:mentions :billeBadin, :piBSD, :freeBSD, :linux .

##############################################################
## PEOPLE AND ORGANISATIONS
##############################################################

:billeBadin
    a schema:Person, foaf:Person ;
    schema:name "Billie Badin" ;
    schema:url "https://www.linkedin.com/in/billiesabouraud/"^^xsd:anyURI ;
    schema:jobTitle "FIEAust, CPEng — ICT Expert & Digital Innovator" ;
    schema:affiliation :sigoryxEngineering ;
    schema:description "Creator of eZFS2FA+. Credentials: FIEAust, CPEng. Expert in mission-critical infrastructure, multicultural leadership, and secure scalable solutions." ;
    owl:sameAs dbr:FreeBSD ;  # placeholder — owl:sameAs asserts identity; this is not the person but a linked domain, so rdfs:seeAlso would be the accurate predicate
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//www.linkedin.com/in/billiesabouraud/> .

:vivianVoss
    a schema:Person, foaf:Person ;
    schema:name "Vivian Voss" ;
    schema:url "https://www.linkedin.com/in/vvoss/"^^xsd:anyURI ;
    schema:jobTitle "System Architect & Philosopher" ;
    schema:description "Advocate of sustainable system design, technical beauty through reduction, root-cause elimination, and Wabi-Sabi (侘寂) principles. Authored the LinkedIn commentary on eZFS2FA+." ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//www.linkedin.com/in/vvoss/> .

:sigoryxEngineering
    a schema:Organization ;
    schema:name "SIGORYX Engineering" ;
    schema:description "Engineering organisation behind eZFS2FA+, founded by or associated with Billie Badin." ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//github.com/BillieBadin/eZFS2FA> .

##############################################################
## THE SOFTWARE TOOL
##############################################################

:eZFS2FAPlus
    a schema:SoftwareApplication ;
    schema:name "eZFS2FA+" ;
    schema:alternateName "eZFS2FA" ;
    schema:applicationCategory "Security / Disk Encryption / Multi-Factor Authentication" ;
    schema:operatingSystem "FreeBSD", "Linux" ;
    schema:description "A hardened FreeBSD-first interactive workflow that wraps encrypted OpenZFS dataset keys with FIDO2-backed two-factor authentication. Linux-compatible. Transient key material is held in malloc-backed md(4) on FreeBSD and ramfs on Linux — never touching stable storage or swappable memory." ;
    schema:url "https://github.com/BillieBadin/eZFS2FA"^^xsd:anyURI ;
    schema:version "1.0.0" ;
    schema:datePublished "2026-05-11"^^xsd:date ;
    schema:license "https://opensource.org/licenses/MIT"^^xsd:anyURI ;
    schema:author :billeBadin ;
    schema:featureList
        "FIDO2 hardware token wrapping (Yubico and compatible)",
        "Passphrase wrapping (or combined with FIDO2)",
        "Multiple enrolled keys support",
        "Single JSON state file for wrapped-key backups",
        "Service-start prerequisite checks",
        "Delayed forced locking",
        "Optional lock-time ZFS snapshots",
        "Zero lock-in: raw ZFS key exportable for zfs send" ;
    schema:programmingLanguage "Python", "Shell" ;
    schema:softwareRequirements "python3, python3-cryptography, libfido2 (FreeBSD) / fido2-tools (Linux)" ;
    prov:wasAttributedTo :billeBadin ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//github.com/BillieBadin/eZFS2FA> .

##############################################################
## CORE CONCEPTS
##############################################################

:freeBSDFirstDesign
    a skos:Concept ;
    skos:prefLabel "FreeBSD-First Design" ;
    skos:definition "An architectural philosophy where FreeBSD is the primary target platform and its native primitives are used explicitly, rather than treating FreeBSD and Linux as interchangeable systems. eZFS2FA+ exemplifies this by using mdmfs -M on FreeBSD while providing Linux compatibility via ramfs." ;
    skos:broader :operatingSystemArchitecture ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//www.freebsd.org/> ;
    owl:sameAs dbr:FreeBSD .

:transientKeyMaterial
    a skos:Concept ;
    skos:prefLabel "Transient Key Material" ;
    skos:definition "Cryptographic key data held exclusively in volatile RAM-backed storage (mdmfs -M on FreeBSD, ramfs on Linux), ensuring it is never written to stable or swappable storage and is wiped immediately after use." ;
    skos:broader :diskEncryptionSecurity ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//man.freebsd.org/cgi/man.cgi%3Fquery%3Dmdmfs> .

:mallocBackedMD
    a skos:Concept ;
    skos:prefLabel "Malloc-backed md(4) via mdmfs -M" ;
    skos:definition "A FreeBSD mechanism that creates a memory disk (md(4)) backed by kernel malloc memory — not by a file, swap, or device. When mounted with mdmfs -M, the filesystem lives entirely in non-swappable kernel memory, making it ideal for transient cryptographic key storage." ;
    skos:broader :transientKeyMaterial ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//man.freebsd.org/cgi/man.cgi%3Fquery%3Dmdmfs> .

:zeroLockIn
    a skos:Concept ;
    skos:prefLabel "Zero Lock-in Principle" ;
    skos:definition "The design principle that the raw ZFS encryption key can be backed up and used independently of eZFS2FA+, so the framework is optional once the key is secured. The user retains full ownership of their dataset independent of any tooling." ;
    skos:broader :openSourcePhilosophy ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//openzfs.github.io/openzfs-docs/> .

:honestThreatModel
    a skos:Concept ;
    skos:prefLabel "Honest Threat Model" ;
    skos:definition "The explicit statement of what a security tool protects against and what it does not. eZFS2FA+ protects against a powered-off machine being lost, stolen, or imaged — but explicitly disclaims protection against a live root/kernel compromise at unlock time." ;
    skos:broader :securityEngineering ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//github.com/BillieBadin/eZFS2FA> .

:fido2Authentication
    a skos:Concept ;
    skos:prefLabel "FIDO2 Hardware Token Authentication" ;
    skos:definition "Authentication using a FIDO2-compatible hardware security key (e.g., YubiKey) to wrap the ZFS encryption key. The token must be physically present and activated to unlock the dataset, providing a second factor beyond possession of the encrypted data." ;
    skos:broader :multiFactorAuthentication ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//fidoalliance.org/fido2/> ;
    owl:sameAs dbr:FIDO2_Project .

:openZFSEncryption
    a skos:Concept ;
    skos:prefLabel "OpenZFS Native Encryption" ;
    skos:definition "The built-in encryption capability of the OpenZFS filesystem, allowing datasets to be encrypted with a key that is managed separately from the data. eZFS2FA+ wraps this key with FIDO2 hardware tokens." ;
    skos:broader :diskEncryptionSecurity ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//openzfs.github.io/openzfs-docs/> ;
    owl:sameAs dbr:ZFS .

:piBSD
    a schema:SoftwareApplication, skos:Concept ;
    skos:prefLabel "Pi-BSD" ;
    skos:definition "A FreeBSD-based system for Raspberry Pi and similar single-board computers, used as the development platform for eZFS2FA+. Billie Badin developed eZFS2FA+ on a Pi-BSD system running on an untethered, battery-powered stack." ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//www.freebsd.org/platforms/arm/> .

:wabisabiDesign
    a skos:Concept ;
    skos:prefLabel "Wabi-Sabi System Design (侘寂)" ;
    skos:definition "A design philosophy applied to software systems by Vivian Voss: finding beauty through reduction, impermanence, and the acceptance of imperfection. Applied to eZFS2FA+: the deliberate, hand-built, minimal approach to hardened infrastructure — small, purposeful, and self-contained." ;
    skos:broader :softwarePhilosophy ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//en.wikipedia.org/wiki/Wabi-sabi> ;
    owl:sameAs dbr:Wabi-sabi .

##############################################################
## TECHNOLOGIES REFERENCED
##############################################################

:freeBSD
    a schema:SoftwareApplication ;
    schema:name "FreeBSD" ;
    schema:description "An advanced open-source Unix-like operating system known for its stability, performance, and advanced networking. The primary target platform of eZFS2FA+." ;
    schema:url "https://www.freebsd.org/"^^xsd:anyURI ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//www.freebsd.org/> ;
    owl:sameAs dbr:FreeBSD .

:linux
    a schema:SoftwareApplication ;
    schema:name "Linux" ;
    schema:description "Open-source Unix-like operating system kernel. Secondary compatibility target of eZFS2FA+, using ramfs for transient key storage in place of FreeBSD's mdmfs -M." ;
    schema:url "https://www.kernel.org/"^^xsd:anyURI ;
    owl:sameAs dbr:Linux .

:yubico
    a schema:Organization ;
    schema:name "Yubico" ;
    schema:description "Manufacturer of YubiKey hardware security tokens, which implement FIDO2/WebAuthn and are compatible with eZFS2FA+." ;
    schema:url "https://www.yubico.com/"^^xsd:anyURI ;
    owl:sameAs dbr:Yubico .

##############################################################
## HOW-TO GUIDE (5 steps)
##############################################################

:howToUseEZFS2FAPlus
    a schema:HowTo ;
    schema:name "How to Secure a ZFS Dataset with eZFS2FA+ and FIDO2" ;
    schema:description "Step-by-step workflow for deploying eZFS2FA+ to protect a FreeBSD or Linux encrypted ZFS dataset with hardware two-factor authentication." ;
    schema:supply "FreeBSD or Linux host with OpenZFS, FIDO2-compatible hardware token (e.g., YubiKey), Python 3, eZFS2FA+ v1.0.0" ;
    schema:step :step1, :step2, :step3, :step4, :step5 .

:step1
    a schema:HowToStep ;
    schema:position 1 ;
    schema:name "Install Dependencies" ;
    schema:text "On FreeBSD: install python3, py-cryptography, and libfido2 via ports or pkg. On Linux: install python3-cryptography and fido2-tools. Then clone the eZFS2FA+ repo: git clone https://github.com/BillieBadin/eZFS2FA.git" .

:step2
    a schema:HowToStep ;
    schema:position 2 ;
    schema:name "Run the Installer" ;
    schema:text "Execute the installation script with appropriate privileges: `doas sh ./install.sh` (FreeBSD) or `sudo sh ./install.sh` (Linux). The installer sets up the tool and configures the required system paths." .

:step3
    a schema:HowToStep ;
    schema:position 3 ;
    schema:name "Enrol Your FIDO2 Token" ;
    schema:text "Follow the interactive workflow to enrol your FIDO2-compatible hardware token. You may also enrol a passphrase, or use both (recommended for maximum protection). The wrapped key is stored in a JSON state file." .

:step4
    a schema:HowToStep ;
    schema:position 4 ;
    schema:name "Configure and Lock Your Dataset" ;
    schema:text "Configure the encrypted ZFS dataset to remain locked at boot. Set up service-start checks so that dependent services only start after the dataset is unlocked. Optionally configure delayed forced locking and lock-time snapshots." .

:step5
    a schema:HowToStep ;
    schema:position 5 ;
    schema:name "Unlock at Operator Request" ;
    schema:text "To unlock the dataset, present your FIDO2 token (and passphrase if configured). The transient ZFS key is materialised in malloc-backed md(4)/ramfs, the dataset is unlocked, and the key is wiped immediately. Dependent services may then start." .

##############################################################
## FAQ (10 Q&A pairs)
##############################################################

:faq
    a schema:FAQPage ;
    schema:name "eZFS2FA+ Frequently Asked Questions" ;
    schema:mainEntity :q1, :q2, :q3, :q4, :q5, :q6, :q7, :q8, :q9, :q10 .

:q1
    a schema:Question ;
    schema:name "What does eZFS2FA+ protect against?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "It protects against a powered-off machine being lost, stolen, or imaged. The ZFS dataset cannot be decrypted without physical possession of the enrolled FIDO2 hardware token and (if configured) the passphrase." ] .

:q2
    a schema:Question ;
    schema:name "What does eZFS2FA+ NOT protect against?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "It does not protect against a live, fully compromised root or kernel at the time of unlock. If an attacker has root access while you are unlocking the dataset, the key can be extracted from memory." ] .

:q3
    a schema:Question ;
    schema:name "Why is FreeBSD the first-class platform?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "eZFS2FA+ uses FreeBSD's mdmfs -M (malloc-backed md(4)) for transient key storage, a native primitive with superior memory isolation guarantees. Linux support uses ramfs as a compatible alternative, but FreeBSD's primitives are used where they exist rather than pretending the two systems are interchangeable." ] .

:q4
    a schema:Question ;
    schema:name "How is the ZFS encryption key kept secure during unlock?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "The raw ZFS key is materialised only in malloc-backed md(4) memory (FreeBSD) or ramfs (Linux) — never in normal filesystems or swappable memory. It is wiped immediately after use. It never touches persistent storage at any point." ] .

:q5
    a schema:Question ;
    schema:name "Can I use eZFS2FA+ with multiple hardware tokens?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "Yes. eZFS2FA+ supports multiple enrolled FIDO2 keys. Any one of the enrolled tokens can be used to unlock the dataset, enabling backup-key workflows." ] .

:q6
    a schema:Question ;
    schema:name "What is the zero lock-in principle?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "The raw ZFS encryption key can be backed up independently of eZFS2FA+. If you back up this key securely offline, you can decrypt your dataset with standard ZFS tools without eZFS2FA+ at any time. The framework is optional, not mandatory." ] .

:q7
    a schema:Question ;
    schema:name "What is the JSON state file?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "A single JSON file that stores the wrapped (encrypted) copies of the ZFS key for each enrolled token. This file can be backed up for disaster recovery. The raw key is never stored — only the wrapped form." ] .

:q8
    a schema:Question ;
    schema:name "What is Pi-BSD and why was it used?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "Pi-BSD is a FreeBSD system for Raspberry Pi and compatible single-board computers. Billie Badin developed eZFS2FA+ on a Pi-BSD installation running on an untethered battery-powered stack — a deliberate, minimal, hand-built environment." ] .

:q9
    a schema:Question ;
    schema:name "Can I use a passphrase instead of a hardware token?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "Yes. eZFS2FA+ supports passphrase-only wrapping, FIDO2-token-only wrapping, or both combined (recommended). Using both maximises security by requiring physical token presence and knowledge of the passphrase." ] .

:q10
    a schema:Question ;
    schema:name "Is eZFS2FA+ suitable for removable or mirrored media?" ;
    schema:acceptedAnswer [ a schema:Answer ; schema:text "Support for encrypted ZFS removable media (including mirrored configurations) is listed as coming soon. Proxmox Server Solutions integration is also in progress to extend eZFS2FA+ to lab environments." ] .

##############################################################
## GLOSSARY (10 terms)
##############################################################

:glossary
    a skos:ConceptScheme ;
    skos:prefLabel "eZFS2FA+ Glossary" ;
    skos:hasTopConcept
        :termFIDO2, :termMdmfs, :termOpenZFS, :termRamfs, :termWrappedKey,
        :termTransientKey, :termZeroLockIn, :termThreatModel, :termMFA, :termPiBSD .

:termFIDO2
    a skos:Concept ;
    skos:prefLabel "FIDO2" ;
    skos:definition "An open authentication standard (Fast Identity Online 2) enabling passwordless and hardware-token-based authentication. In eZFS2FA+, a FIDO2 hardware token wraps the ZFS encryption key." ;
    skos:inScheme :glossary ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//fidoalliance.org/fido2/> .

:termMdmfs
    a skos:Concept ;
    skos:prefLabel "mdmfs -M (malloc-backed md)" ;
    skos:definition "A FreeBSD command that creates and mounts a memory filesystem backed by kernel malloc memory, not by swap or a file. Provides a volatile, non-swappable filesystem ideal for transient cryptographic material." ;
    skos:inScheme :glossary ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//man.freebsd.org/cgi/man.cgi%3Fquery%3Dmdmfs> .

:termOpenZFS
    a skos:Concept ;
    skos:prefLabel "OpenZFS" ;
    skos:definition "An open-source implementation of the ZFS filesystem with native encryption support. eZFS2FA+ secures OpenZFS-encrypted datasets by wrapping their encryption keys with FIDO2 hardware tokens." ;
    skos:inScheme :glossary ;
    rdfs:seeAlso <https://linkeddata.uriburner.com/describe/?url=https%3A//openzfs.org/> .

:termRamfs
    a skos:Concept ;
    skos:prefLabel "ramfs" ;
    skos:definition "A Linux in-memory filesystem that cannot be swapped to disk. Used by eZFS2FA+ on Linux to hold the transient ZFS key, analogous to mdmfs -M on FreeBSD." ;
    skos:inScheme :glossary .

:termWrappedKey
    a skos:Concept ;
    skos:prefLabel "Wrapped Key" ;
    skos:definition "A ZFS encryption key that has been encrypted (wrapped) with a FIDO2 hardware token or passphrase. The wrapped key is stored in the JSON state file; the raw key can only be recovered by presenting the original wrapping credential." ;
    skos:inScheme :glossary .

:termTransientKey
    a skos:Concept ;
    skos:prefLabel "Transient Key Material" ;
    skos:definition "The raw ZFS encryption key in its usable form, held only in volatile RAM during the unlock window and wiped immediately after use. Never persisted to stable or swappable storage." ;
    skos:inScheme :glossary .

:termZeroLockIn
    a skos:Concept ;
    skos:prefLabel "Zero Lock-in" ;
    skos:definition "A design principle ensuring that users can always recover their data without the eZFS2FA+ tool, by maintaining an offline backup of the raw ZFS key usable with standard ZFS commands." ;
    skos:inScheme :glossary .

:termThreatModel
    a skos:Concept ;
    skos:prefLabel "Threat Model" ;
    skos:definition "A formal statement of what a security system protects against and what it does not. eZFS2FA+'s stated threat model: protection against offline attack (lost/stolen/imaged powered-off machine), not against live root compromise." ;
    skos:inScheme :glossary .

:termMFA
    a skos:Concept ;
    skos:prefLabel "Multi-Factor Authentication (MFA)" ;
    skos:definition "Authentication requiring two or more independent credentials. eZFS2FA+ implements MFA for ZFS dataset unlock via FIDO2 hardware token possession (something you have) and optional passphrase (something you know)." ;
    skos:inScheme :glossary .

:termPiBSD
    a skos:Concept ;
    skos:prefLabel "Pi-BSD" ;
    skos:definition "FreeBSD for Raspberry Pi and ARM single-board computers. Used as the development platform for eZFS2FA+, reflecting the project's commitment to minimal, deliberate, hand-built infrastructure." ;
    skos:inScheme :glossary .

##############################################################
## KNOWLEDGE GRAPH PROVENANCE
##############################################################

:knowledgeGraph
    a schema:Dataset, prov:Entity ;
    schema:name "eZFS2FA+ FreeBSD Hardened ZFS 2FA Knowledge Graph" ;
    schema:description "RDF-Turtle knowledge graph merging Vivian Voss's LinkedIn commentary and the eZFS2FA+ GitHub repository by Billie Badin (SIGORYX Engineering). Generated by Claude (claude-sonnet-4-6) via Cowork desktop using the kg-generator skill." ;
    schema:dateCreated "2026-05-11"^^xsd:date ;
    schema:url "ezfs2fa-freebsd-hardened-zfs-2fa-claude-sonnet-1.ttl"^^xsd:anyURI ;
    prov:wasDerivedFrom :githubRepo, :linkedInPost ;
    prov:wasGeneratedBy [
        a prov:Activity ;
        schema:name "kg-generator + rdf-infographic-skill via Claude Sonnet on Cowork" ;
        prov:wasAssociatedWith [
            a schema:SoftwareApplication ;
            schema:name "claude-sonnet-4-6" ;
            schema:url "https://claude.ai"^^xsd:anyURI
        ]
    ] .
