
Most new Linux distributions are switching or have already switched to systemd. At the same time systemd got better over the years: it was rough ten years ago, but now it is actually decent. systemd-homed provides an interesting way to get a seamlessly integrated LUKS-encrypted home directory that is unlocked with your login password when you log in. Note that systemd-homed has many other interesting features that we are not going to cover here (like limiting CPU or memory per user, moving a home directory between machines, or locking a user out after a given date...).
WARNING: Back up all data from your home directory first, because if you mess this up you will not be able to read it any more.
WARNING: Do not use this on a server or any machine you ssh into. Your ~/.ssh/authorized_keys lives inside the encrypted home directory, which is not readable until you have logged in, so key-based ssh login cannot work without various workarounds that are imo not worth it.
WARNING: This is not a solution for perfect privacy or anonymity. Only your /home is encrypted; the bootloader, kernel and root file system stay in the clear, so an evil maid with physical access can tamper with them and trick you into giving away your juicy secrets. There can also be sensitive data outside your home directory that you may not be aware of, e.g. in /tmp or in swap.

PREPARATION

We will run all of the following commands as root (using sudo su). This is dangerous territory, so follow the next steps carefully: if you don't, you may not be able to log into (or boot) your system any more. Make sure you have a bootable live Linux USB drive at hand.
Remove existing user(s) (optional & dangerous)
You can do this now if you are brave (or are installing a fresh system), or after you have confirmed that the homed-based user works. homectl refuses to create a user whose name is already taken by a classic /etc/passwd user, so if you want to keep your user name, the old account has to go first.
# -r also deletes the user's home directory and mail spool
userdel -r USERNAME

INSTALL AND ENABLE SYSTEMD-HOMED

Run sudo su if you haven't yet.
# check whether homectl is available (it may already be part of your systemd install)
homectl
# if not available, install it (Debian/Ubuntu)
apt install systemd-homed
# start homed now and enable it to be started on every boot
systemctl enable systemd-homed.service --now
# check that homed is running: with the service active, homectl lists the homed users (none yet)
homectl
systemctl status systemd-homed.service

CREATE NEW USER WITH SYSTEMD-HOMED

# create the user (change USERNAME to your new username)
homectl create USERNAME --storage=luks
# another option: you can specify your shell, e.g. if you have zsh installed
homectl create USERNAME --shell=/usr/bin/zsh --storage=luks
# homectl asks for the new password; it is also the LUKS passphrase of the home image /home/USERNAME.home
# If you are lucky the home directory is unlocked automatically when you log in as this user.
# see the details about the user
homectl inspect USERNAME
# Add the user to the sudo group. This is important/useful especially on Debian.
usermod -aG sudo USERNAME
# homed users are not stored in /etc/passwd; the homed-native way is to put the membership
# into the user record instead (this also works as an option to homectl create):
homectl update USERNAME --member-of=sudo
And that's it. Now you can reboot your machine.
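The whole create-user procedure above, wrapped in a script with the preflight checks the post asks you to do by hand. This is an added example, not code from the original post or from systemd: it assumes the user name is passed as the first argument, an optional login shell as the second, that a sudo group exists (as on Debian/Ubuntu), and that systemd-homed is installed. It refuses to run when the name is malformed, when a user or home image of that name already exists, or when homed is not active, and it asks homectl for a one-time recovery key so a forgotten password does not mean a lost home.

```shell
#!/bin/sh
# Added example (not code from the original post): create a systemd-homed user
# with a LUKS-backed home directory, with preflight checks.
# Assumptions: user name in $1, optional login shell in $2, a "sudo" group
# exists (Debian/Ubuntu), systemd-homed is installed.
set -eu

# Reject a user name before anything touches the system. POSIX portable user
# names: a lowercase letter or underscore, then letters, digits, underscore or
# hyphen, 32 characters at most.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# The homectl arguments, one per line, so they can be reviewed (or tested)
# without running homectl. --member-of puts the group membership into the
# user record itself; --recovery-key=yes makes homectl print a one-time
# recovery key that unlocks the home if the password is lost.
create_args() {
    printf '%s\n' "$1" --storage=luks "--shell=${2:-/bin/bash}" \
        --member-of=sudo --recovery-key=yes
}

preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run this as root (sudo su)" >&2; return 1; }
    command -v homectl >/dev/null 2>&1 \
        || { echo "homectl not found: apt install systemd-homed" >&2; return 1; }
    systemctl is-active --quiet systemd-homed.service \
        || { echo "systemd-homed is not running: systemctl enable systemd-homed.service --now" >&2; return 1; }
    getent group sudo >/dev/null \
        || { echo "no 'sudo' group on this system; adjust --member-of" >&2; return 1; }
}

main() {
    user="$1"; shell="${2:-/bin/bash}"
    valid_username "$user" || { echo "invalid user name: $user" >&2; return 1; }
    [ -x "$shell" ] || { echo "$shell is not an executable shell" >&2; return 1; }
    case "$shell" in
        *[!A-Za-z0-9_./-]*) echo "unsupported characters in shell path" >&2; return 1 ;;
    esac
    preflight
    # Refuse to clobber an existing home image, a homed user, or a classic
    # /etc/passwd user of the same name (homectl inspect exits non-zero for
    # unknown users).
    if [ -e "/home/$user.home" ] || homectl inspect "$user" >/dev/null 2>&1 \
        || getent passwd "$user" >/dev/null; then
        echo "$user or /home/$user.home already exists, refusing to continue" >&2
        return 1
    fi
    # homectl asks for the new password (it is also the LUKS passphrase) and
    # prints the recovery key once: store it somewhere safe, off this machine.
    # shellcheck disable=SC2046 -- arguments are validated above and contain no whitespace
    homectl create $(create_args "$user" "$shell")
    homectl inspect "$user"
}

# Run only when invoked with arguments: ./homed-create.sh USERNAME [SHELL]
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the new user name (and optionally the shell path); rerunning it for an existing name is a no-op with an error instead of a second home image.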
Recover/Update
# update a property of the user record, e.g. the shell
homectl update USERNAME --PROPERTY=VALUE
# unpack the home directory from outside if needed (e.g. from a live USB).
# Only do this while the home is not activated (homectl deactivate USERNAME first).
losetup -fP --show /home/USERNAME.home
# the image contains a GPT with one LUKS partition; cryptsetup prompts for the user's password
cryptsetup open /dev/loopXpY user_oldhome   # likely /dev/loop0p1
mkdir -p /mnt/user_oldhome
mount /dev/mapper/user_oldhome /mnt/user_oldhome
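The losetup/cryptsetup/mount recovery above as a script that also tears everything down again, even when a step fails half way. This is an added example, not code from the original post or from systemd: the mapper name, the mount point under /mnt and the read-only, noexec mount options are illustrative assumptions. The image layout it relies on (a GPT with one LUKS partition, hence the p1 suffix on the loop device) is the one the post's manual steps use.

```shell
#!/bin/sh
# Added example (not code from the original post): open a systemd-homed LUKS
# image from a rescue or live system, mount it read-only, and tear everything
# down again via an EXIT trap. Mapper name and mount point are assumptions.
set -eu

# Path of the image systemd-homed keeps for a LUKS user.
image_for() {
    printf '/home/%s.home' "$1"
}

# The partition node that losetup --partscan creates: /dev/loop0 -> /dev/loop0p1.
partition_of() {
    printf '%sp%s' "$1" "$2"
}

# Only touch regular files with the .home suffix; anything else is not a homed
# image and opening it with cryptsetup makes no sense.
validate_image() {
    [ -f "$1" ] || return 1
    case "$1" in *.home) return 0 ;; esac
    return 1
}

LOOP=""; MAPPER=""; MNT=""

# Undo whatever succeeded, in reverse order, so a failed cryptsetup or mount
# does not leave a loop device or a mapping behind.
cleanup() {
    if [ -n "$MNT" ] && mountpoint -q "$MNT"; then umount "$MNT" || true; fi
    if [ -n "$MAPPER" ] && [ -e "/dev/mapper/$MAPPER" ]; then cryptsetup close "$MAPPER" || true; fi
    if [ -n "$LOOP" ]; then losetup -d "$LOOP" || true; fi
}

open_home() {
    user="$1"; image="$(image_for "$user")"
    validate_image "$image" || { echo "$image is not a homed LUKS image" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # Never do this while the home is activated: homed holds the image open and
    # the file system would be mounted twice. Run homectl deactivate first, or
    # boot a rescue system.
    MAPPER="homerescue-$user"   # assumed name; homed itself uses home-$user
    MNT="/mnt/$user"            # assumed mount point
    trap cleanup EXIT
    # the post's losetup -fP, plus a read-only loop device
    LOOP="$(losetup --find --show --read-only --partscan "$image")"
    udevadm settle 2>/dev/null || true
    part="$(partition_of "$LOOP" 1)"
    [ -b "$part" ] || { echo "expected partition node $part not found" >&2; return 1; }
    # cryptsetup asks for the user's password (or the recovery key, if one was set up)
    cryptsetup open --readonly "$part" "$MAPPER"
    mkdir -p "$MNT"
    # read-only and non-executable: you are inspecting a possibly damaged or
    # compromised home, not running things from it
    mount -o ro,nosuid,nodev,noexec "/dev/mapper/$MAPPER" "$MNT"
    echo "home of $user mounted read-only at $MNT; press Enter to unmount and close it"
    read -r _ignored
}

# Run only when invoked with a user name: ./homed-open.sh USERNAME
if [ "$#" -gt 0 ]; then
    open_home "$1"
fi
```

Copy what you need out of the mount point while the script waits; pressing Enter (or any failure) runs the cleanup, which unmounts, closes the mapping and detaches the loop device.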

Resources

Why would you do this vs just encrypting the whole drive? Most linux distributions let you do that, and it ensures that nothing is left unencrypted, like /tmp files and what not.
In general full disk encryption is more secure.
However, you will wind up with a logistical issue if you ever want to reboot that machine (or it reboots due to power failure) and you are not physically present to type in password at grub stage to unencrypt.
There are solutions to that (embedding ssh server in initrd, tang servers, etc) but one of the benefits of systemd-home + luks is that you get a system that can be rebooted remotely and boots normally - only home will stay safely encrypted until you connect and login.
In general, if you are running just a single Linux distro on your machine, then encrypting the whole drive is better. There are a couple of cases, like when you run a Raspberry Pi, where whole-drive encryption could make the system quite slow.