I always encrypt my hard drive during install, but since ublue images are refreshed frequently, rebooting happens more often. I would like to have the option to reboot and have the system come back up to a working state without having to enter the password to decrypt the drive on boot. I don’t see an option to just encrypt the home directory during install for example, because if I was able to do that the system could fully boot up, services (plex in this case) would be able to start, and then my files would still be secure since it would be waiting for my login to decrypt /home. Does this sound doable? Could I just do a normal install without encrypting the hard drive and then just rework home to be encrypted? More steps I know, just wondering if there’s a simple (just recipe maybe for the future?) way to do this. I’m using bluefin-dx but assume this is more of a general ublue question. Thanks
I think you need to use the advanced partitioning option in the installer. I haven’t used Bazzite, but the Bluefin installer let me have different encrypted volumes for various mount points. It should let you have root FS unencrypted and home encrypted.
What I don’t know is how you defer the unlock of home until you attempt to login. For my own use case both volumes are unlocked during boot before the login screen.
I know that systemd has support for managing home directories with per-user encryption (link), but I’m not aware of Fedora’s plans wrt adopting this.
Ah gotcha, I was hoping that with / unencrypted the system could boot, then it’d wait at the login screen for my password and that would also unlock /home… I’ll give the advanced partitioning options a shot and see if I can make that work. Thanks!
When I enabled this on Pop_OS/Ubuntu years ago (encrypted /home, everything else unencrypted), the glue that made it work was the PAM modules and a whole bunch of config file overrides.
Manual creation of the config files was a PITA. There were utilities (largely now deprecated) that handled the configuration and modules, built to simplify the enable/disable, like eCryptfs. But I wouldn’t trust any of them these days.
For the record, this is the model Android switched to I think around Android 12 - no more FDE and instead left the “signed” root images unencrypted. Once you enter your PIN, that unlocks your home and signs you into your services.
At first that was a big NO! But after validating signed kernels and initramfs via keys I installed, I can see how such a system is secure - as long as there aren’t “other” certs there, like an NSA pubkey (see Microsoft Windows, lol).
What drove me to Universal-Blue was this concept - to sign and prevent booting modified images.
Over the decades, having FDE has cost me and my family well over a dozen formats across many distros when an update fails, and you get the dreaded GRUB menu. Having the ability to only encrypt /var/home would resolve that (if signed images are hardened).
Wow… I just tested it, and it worked out of the box!
This worked because it did prompt at the initial “drive mounting” of the initramfs mounting/boot procedure. So yes, the kernel was loaded with LUKS, initramfs ran, detecting the encrypted /var/home, and prompted me for a password.
So the good news is you can have just an encrypted /var/home, and the rest of the drive unencrypted.
The bad news is, you are still prompted to unlock the disk at the initial start before the sysinit runs - so none of the systemd services get loaded and running without interaction.
For the latter, I’d suspect you have to modify /etc/fstab to remove /var/home so the initramfs script will skip mounting everything at boot. However, that will require at the least a PAM module inserted BELOW the local password PAM, that runs only after the password module passes, and then UNLOCKS any specified partition (e.g. maybe /var/home/$USERNAME ?).
How did I do this? The new Aurora installer has a brand spanking new Disk Management feature that IMO seems to be the most robust of any I have used in decades. If you properly define EFI, BOOT, and root, it automatically picked them up and auto-assigned the mounts to /boot/efi, /boot, and /. Home, I just created another partition on another disk and specified /var/home, and it worked!
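An added example, not part of the thread: a small check that reads a crypttab and an fstab and reports whether the LUKS volume behind a mount point is unlocked during boot (the passphrase prompt described above) or left locked for a later step. It covers only the boot side, not the unlock at login. The `home` mapping name, the placeholder UUID and the sample files are constructed, and it assumes fstab names the volume as /dev/mapper/<crypttab name> and that no rd.luks.uuid kernel argument names it.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether the LUKS volume behind a
# mount point is unlocked during boot or left locked, based on crypttab + fstab.
# Assumption: fstab names the volume as /dev/mapper/<crypttab name>.

has_opt() {  # has_opt OPTIONS NAME -> true if NAME is in the comma-separated list
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

boot_unlock_state() {  # boot_unlock_state MOUNTPOINT CRYPTTAB FSTAB
    fs=$(awk -v m="$1" '$1 !~ /^#/ && $2 == m { print $1, $4; exit }' "$3")
    [ -n "$fs" ] || { echo "not-in-fstab"; return 0; }
    dev=${fs%% *}; fs_opts=${fs#* }
    name=${dev#/dev/mapper/}
    ct=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print "=" $4; exit }' "$2")
    [ -n "$ct" ] || { echo "not-in-crypttab"; return 0; }
    ct_opts=${ct#=}
    # Both entries need noauto: in crypttab it keeps the unlock out of
    # cryptsetup.target; in fstab it keeps the mount (which would pull the
    # unlock in as a dependency) out of local-fs.target.
    if has_opt "$ct_opts" noauto && has_opt "$fs_opts" noauto; then
        echo "deferred"
    else
        echo "prompt-at-boot"
    fi
}

# Constructed sample files; the UUID is a placeholder, "home" is a made-up name.
d=$(mktemp -d)
uuid=UUID=00000000-0000-0000-0000-000000000000
printf '%s\n' "home $uuid none luks"        > "$d/crypttab.before"
printf '%s\n' "home $uuid none luks,noauto" > "$d/crypttab.after"
printf '%s\n' '/dev/mapper/home /var/home ext4 defaults 0 2' \
    > "$d/fstab.before"
printf '%s\n' '/dev/mapper/home /var/home ext4 defaults,noauto,nofail 0 2' \
    > "$d/fstab.after"

echo "before: $(boot_unlock_state /var/home "$d/crypttab.before" "$d/fstab.before")"
echo "after:  $(boot_unlock_state /var/home "$d/crypttab.after" "$d/fstab.after")"
```

With both entries marked noauto, services that start at boot run without /var/home mounted, so anything that keeps its data there still waits for the unlock.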
Haven’t ever tried this feature, but have you tried adding a new user with encrypted home after the installation?
It’s just sudo homectl create <username>
I guess it should just work even in Universal Blue images.
