I’ve read in some GNOME’s developer’s blog that they plan to implement Systemd homed support in GNOME.
From what I’ve read online, homed allows for portable encrypted home directories. I’m not very familiar with it, so I wanted to ask if this would be a good replacement for full disk encryption.
I’m asking this because currently full disk encryption makes it so that you have to type in your password when your computer restarts to apply automatic updates via PackageKit. Not a huge deal, but it would be nice if automatic updates were actually automatic.
I’ve also watched Lennart Poettering’s talk at DevConf 2020 about it, where he says this has some security advantages but to be honest, most of it went over my head, I’m neither a developer or a sysadmin.
I think the issue is that having only an encrypted home dir means that many of your system files are accessible. Also, encrypted home dir can already br implemented fairly easily with LUKS, fscrypt, etc. I could be wrong though, so feel free to correct me if anyone here has better information.
Is this a problem though? I don’t store any personal information outside of my home directory.
The main advantage of homed is that it apparently discards the keys used to decrypt your data when you suspend your device (unlike LUKS that keeps them in ram). I’m not sure how exactly it works or if I’m describing it correctly, that’s why I created this topic.
It’s not a replacement for FDE but an addition. It’d be pretty useful for the Secure Boot scenario where you have FDE with your key stored in TPM/on FIDO2 key: when you turn your PC on decryption of the drive happens automatically without you having to provide FDE password (after ensuring your UKI is not tampered with), but your home directory will still be encrypted until you login.
It is because otherwise anyone with physical access to your drive will be able to plant a backdoor and leak your personal stuff from your home directory after you unlock it. Even a simple systemd service will do.
I have gaming as a use case in my Linux machines. Right now FDE with LUKS is the faster option when it comes to read/writes. Other encryption method seems to be slower, particularly the ones that just encrypt the /home partition.
I think there are two main downsides compared to full disk encryption:
Sensitive data outside your /home folder that you may not be aware of, e.g. in /tmp, is unencrypted
Someone with physical access to your machine could modify the system in a malicious way, e.g. installing a keylogger, which would not be possible if the full disk were encrypted.
Wont it slow down the system even more? If the machine is not meant for high performance task (gaming, ML, rendering, etc), then it should be fine but its now 2 layers of encryption and I bet its gonna use a lot of CPU cycles for a few tasks.