Most new Linux distributions have switched, or are switching, to systemd. At the same time systemd has improved a lot: while it sucked ten years ago, now it's actually decent.
systemd-homed provides an interesting solution for a seamlessly integrated LUKS-encrypted home folder: the home directory lives in a LUKS image that is unlocked with the user's login password and locked again when the user logs out. Note that systemd-homed has many other interesting features that we are not going to cover here (like limiting CPU or memory per user, taking the home directory with you to another machine, or disallowing login after some date).

WARNING: Back up all data from your home folder first, because if you mess this up, you won't have access to it.

WARNING: Do not use this on a server or any machine that you ssh into. The ssh keys (~/.ssh/authorized_keys) live in the home folder, which stays locked until the user has logged in with a password, so sshd cannot read them. You would have to introduce various workarounds that are imo not worth it.

WARNING: This is not a solution for perfect privacy or anonymity. Only your /home folder is encrypted; the root filesystem, bootloader and initramfs are not, so an evil maid can still tamper with them and trick you into giving away your juicy secrets. There can also be sensitive data outside your /home folder that you may not be aware of, e.g. in /tmp or in swap.
PREPARATION
We will run all the following commands as root (using sudo su). This is dangerous territory, so follow the next steps carefully. If you don't, you may not be able to boot into your system anymore. Make sure you have a live Linux distribution on a USB drive as a fallback.

Remove existing user(s) (optional & dangerous)
You can do this now if you are brave (or installing a new system), or you can do it after you have confirmed that the homed-based user works. Note that -r also deletes that user's home directory, so this is where the backup matters.
userdel -r username
INSTALL AND ENABLE SYSTEMD-HOMED
Run sudo su if you haven't yet.

# check if homectl is available (it may already be part of your systemd install)
homectl
# if not available, install it
apt install systemd-homed
# start homed now and enable it to be started on every boot
systemctl enable systemd-homed.service --now
# check that homectl can now talk to the running service
homectl
CREATE NEW USER WITH SYSTEMD-HOMED
# create the user (change USERNAME to your new username); you will be asked for the new user's password, which also becomes the LUKS passphrase
homectl create USERNAME --storage=luks
# another option: you can specify your shell, e.g. if you have zsh installed
homectl create USERNAME --shell=/usr/bin/zsh --storage=luks
# And that's it. If all went well, the home folder is decrypted and mounted when you sign in as this user.
# see the details about the user
homectl inspect USERNAME
# Add the user to the sudo group. This is important/useful especially on Debian, where sudo is limited to that group.
# usermod will not find the user, because homed users are not in /etc/passwd; set the group through homectl instead
homectl update USERNAME --member-of=sudo
And that's it. Now you can reboot your machine and log in as the new user; the home folder is unlocked at login and locked again when the last session of that user ends.
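Before you delete the old account, it is worth checking that homed really created a LUKS-backed home and not a plain directory. The script below is an added example, not code from the original article or from systemd: it parses the text printed by homectl inspect, fails if Storage is not luks or no .home image path is listed, and warns when the user is not in sudo. The field labels it looks for (Storage, Image Path, Aux. Groups, State) are an assumption about the homectl output format, and the sample record is constructed; the sample is used when homectl is not installed, so the checks can be tried on any machine.

```shell
#!/bin/sh
# Added example (not from the original article or from systemd): check what
# homectl reports about a newly created user before the old account is deleted.
# Assumes the field labels homectl inspect prints ("Storage:", "Image Path:",
# "Aux. Groups:", "State:"). Works on any text in that shape, so it can also be
# run on a saved copy of the output.
set -eu

# Constructed sample of `homectl inspect alice` output, used when homectl is
# not installed on the machine running this script.
SAMPLE_INSPECT='   User name: alice
       State: inactive
 Disposition: regular
         UID: 60001
         GID: 60001 (alice)
 Aux. Groups: sudo
   Directory: /home/alice
     Storage: luks (strong encryption)
  Image Path: /home/alice.home
       Shell: /usr/bin/zsh'

# inspect_field TEXT FIELD -> value of the first "FIELD: value" line, or empty
inspect_field() {
  printf '%s\n' "$1" | awk -v f="$2" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    !done && index(line, f ":") == 1 {
      v = substr(line, length(f) + 2); sub(/^[ \t]+/, "", v); print v; done = 1
    }'
}

# check_homed_record TEXT -> prints PASS/FAIL/WARN/INFO lines, returns 0 only if
# the record describes a LUKS-backed home with a .home image file.
check_homed_record() {
  rc=0
  storage=$(inspect_field "$1" Storage)
  image=$(inspect_field "$1" "Image Path")
  groups=$(inspect_field "$1" "Aux. Groups" | tr ',' ' ')
  state=$(inspect_field "$1" State)

  case $storage in
    luks*) echo "PASS storage is $storage" ;;
    *)     echo "FAIL storage is '${storage:-unset}', not luks: this home is NOT encrypted by homed"; rc=1 ;;
  esac
  case $image in
    /*.home) echo "PASS image file $image" ;;
    *)       echo "FAIL no .home image path in the record"; rc=1 ;;
  esac
  case " $groups " in
    *" sudo "*) echo "PASS member of sudo" ;;
    *)          echo "WARN not in sudo (homectl update USERNAME --member-of=sudo)" ;;
  esac
  case $state in
    inactive) echo "INFO state inactive: the image is locked until the user logs in" ;;
    active)   echo "INFO state active: the home is currently unlocked and mounted" ;;
    *)        echo "INFO state '${state:-unknown}'" ;;
  esac
  return "$rc"
}

# Usage: check-homed-user.sh USERNAME   (falls back to the constructed sample
# when homectl is not installed or no user name is given)
if command -v homectl >/dev/null 2>&1 && [ "$#" -ge 1 ]; then
  check_homed_record "$(homectl inspect "$1")"
else
  check_homed_record "$SAMPLE_INSPECT"
fi
```

Run it as root right after homectl create, and again after the first logout: the second run should report the state as inactive, which is the moment the image is actually locked.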
Recover/Update
# update a property of the user record, e.g. the shell or the group membership
homectl update USERNAME --PROPERTY=VALUE
# unpack the home directory from outside homed if needed (e.g. from a live USB)
# the .home file is a disk image with a GPT and a single LUKS partition, hence -P and the pY suffix
losetup -fP --show /home/USERNAME.home
cryptsetup open /dev/loopXpY user_oldhome  # likely /dev/loop0p1; asks for the user's password
mkdir -p /mnt/user_oldhome
mount /dev/mapper/user_oldhome /mnt/user_oldhome
# when done, unwind in reverse order
umount /mnt/user_oldhome
cryptsetup close user_oldhome
losetup -d /dev/loopX
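Wrapped into a script, the recovery steps above look like this. It is an added example, not code from the original article or from systemd: the helper names, the /mnt/USERNAME_oldhome mount point and the assumption that the LUKS volume is partition 1 of the GPT inside the .home image are mine. The mount is read-only so a rescue session cannot damage the image, and a trap releases the dm mapping and the loop device even when a step fails half way.

```shell
#!/bin/sh
# Added example (not from the original article or from systemd): open a homed
# LUKS image from outside homed, e.g. from a rescue USB, and always release
# the dm mapping and loop device again, even when something fails half way.
# Assumes util-linux (losetup, mountpoint), cryptsetup, and the image layout
# systemd-homed writes: a GPT whose partition 1 is the LUKS volume.
set -eu

# homed_image_path USERNAME -> /home/USERNAME.home
# Refuses empty names, names containing '/', and names starting with '.', so a
# typo cannot point the script at an arbitrary file.
homed_image_path() {
  case $1 in
    ''|*/*|.*) echo "refusing suspicious user name '$1'" >&2; return 1 ;;
  esac
  printf '/home/%s.home\n' "$1"
}

# loop_part_dev LOOPDEV N -> node name of partition N of a loop device set up
# with losetup -P, e.g. /dev/loop0 1 -> /dev/loop0p1
loop_part_dev() {
  printf '%sp%s\n' "$1" "$2"
}

LOOP=
MAP=
MNT=

# Undo whatever recover_home managed to set up, in reverse order.
cleanup() {
  set +e
  if [ -n "$MNT" ] && mountpoint -q "$MNT"; then umount "$MNT"; fi
  if [ -n "$MAP" ] && [ -e "/dev/mapper/$MAP" ]; then cryptsetup close "$MAP"; fi
  if [ -n "$LOOP" ]; then losetup -d "$LOOP"; fi
}

# recover_home USERNAME [COMMAND...]
# Mounts the image read-only under /mnt/USERNAME_oldhome, runs COMMAND (default:
# an interactive shell) and tears everything down when it exits.
recover_home() {
  user=$1; shift
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  img=$(homed_image_path "$user")
  [ -f "$img" ] || { echo "no image at $img" >&2; return 1; }
  # If homed itself has the home open, leave it alone (opening the same LUKS
  # volume twice is a good way to corrupt it). "State: active" is the label
  # homectl inspect is assumed to print for a logged-in user.
  if command -v homectl >/dev/null 2>&1 &&
     homectl inspect "$user" 2>/dev/null | grep -q 'State: active'; then
    echo "$user is logged in and homed has the image open; log out first" >&2
    return 1
  fi
  MAP="${user}_oldhome"
  MNT="/mnt/$MAP"
  trap cleanup EXIT INT TERM
  LOOP=$(losetup -fP --show "$img")
  if command -v udevadm >/dev/null 2>&1; then udevadm settle; fi  # wait for loopXp1 to appear
  # Prompts for the user's password, which is also the LUKS passphrase.
  cryptsetup open --readonly "$(loop_part_dev "$LOOP" 1)" "$MAP"
  mkdir -p "$MNT"
  mount -o ro "/dev/mapper/$MAP" "$MNT"
  echo "home of $user is mounted read-only at $MNT"
  if [ "$#" -gt 0 ]; then "$@"; else "${SHELL:-/bin/sh}"; fi
}

# Usage: recover-home.sh USERNAME [COMMAND...]
#   recover-home.sh alice                                        # shell, unmount on exit
#   recover-home.sh alice cp -a /mnt/alice_oldhome/.ssh /root/alice-ssh
if [ "$#" -ge 1 ]; then
  recover_home "$@"
fi
```

If you need to repair something inside the image rather than just copy data out, drop the --readonly on cryptsetup open and the -o ro on mount; everything else stays the same.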