I always encrypt my hard-drive during install, but since ublue images are refreshed frequently, rebooting happens more often. I would like to have the option to reboot and have the system come back up to a working state without having to enter the password to decrypt the drive on boot. I don’t see an option to just encrypt the home directory during install, for example, because if I was able to do that, the system could fully boot up, services (Plex in this case) would be able to start, and then my files would still be secure since it would be waiting for my login to decrypt /home. Does this sound doable? Could I just do a normal install without encrypting the hard-drive and then just rework home to be encrypted? More steps I know, just wondering if there’s a simple (just recipe maybe for the future?) way to do this. I’m using bluefin-dx but assume this is more of a general ublue question. Thanks
I think you need to use the advanced partitioning option in the installer. I haven’t used Bazzite, but the Bluefin installer let me have different encrypted volumes for various mount points. It should let you have root FS unencrypted and home encrypted.
What I don’t know is how you defer the unlock of home until you attempt to login. For my own use case both volumes are unlocked during boot before the login screen.
I know that systemd has support for managing home directories with per-user encryption (link), but I’m not aware of Fedora’s plans wrt adopting this.
Ah gotcha, I was hoping that with / unencrypted the system could boot, then it’d wait at the login screen for my password and that would also unlock /home… I’ll give the advanced partitioning options a shot and see if I can make that work. Thanks!