Systemd Homed - hpaluch/hpaluch.github.io GitHub Wiki

systemd-homed

systemd-homed is supposed to support individual encryption of user's HOME directory. So I decided to play with it.

Tested OS:

Fedora Workstation Rawhide verion: 20251219.n.0
url: https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Workstation/x86_64/iso/Fedora-Workstation-Live-Rawhide-20251219.n.0.x86_64.iso

Setup

Setup: system

First I wanted to test if service works, but got:

(run as root):

root# homectl list

Failed to list homes: Could not activate remote peer \
 'org.freedesktop.home1': activation request failed: unknown unit

Fix was surprisingly easy:

(run as root):

root# systemctl enable --now systemd-homed.service
root# homectl list

No home areas.

Now we have to enable systemd-homed PAM service:

(run as root):
root# authselect current

Profile ID: local
Enabled features:
- with-silent-lastlog
- with-mdns4
- with-fingerprint

root# authselect enable-feature with-systemd-homed

- with-systemd-homed is selected, make sure that the system-homed service is enabled
  - systemctl enable --now systemd-homed.service

Setup: create user

Creating user test1 - tried this command:

(run as root):

root# homectl create --enforce-password-policy=no --disk-size=50% test1

Warning! Without specifying --disk-size it will allocate 85% of your free disk space - which is often too much... See: https://www.freedesktop.org/software/systemd/man/latest/homectl.html Next we should enable systemd-homed in profile

And now try local login with test1 user...

I recommend to switch to local console with Ctrl-Alt-F3
and try to login as test1 user
in my case I have to login 2 times. There is already discussion at: https://discussion.fedoraproject.org/t/systemd-homed-first-login-attempt-is-unsuccessful-second-attempt-always-works/155106
to verify that your HOME is encrypted, try:

test1$ homectl inspect | grep -E '(Directory|Storage|Image Path):'
   Directory: /home/test1
     Storage: luks (strong encryption)
  Image Path: /home/test1.home

Setup: SSH Login

Warning! Using SSH with encrypted HOME causes 2 chicken and egg problems:

User must always login with password first to unlock encrypted home
SSH has issue to access public keys in encrypted home

Only later problem is solved simply by adding public ssh keys to user database (they are public so there is no security issue adding them to public database). Unfortunately it means that to login with SSH you must always enter password first (to unlock encrypted home). You can follow with SSH public authentication, but there is no way to avoid initial password authentication.

I recommend to start copying your SSH key using standard command:
```
ssh-copy-id -i ~/.ssh/keys/my_key.pub test1@HOST
```
first login normally with password, for example using ssh test1@FQDN
then I did:

test1$ homectl update test1 --ssh-authorized-keys="@$HOME/.ssh/authorized_keys"
# or you can load your authorized_keys by prefixing path with '@'

Warning! I was asked for Password of Local user logged to GNOME (in my case ansible) - not asked for Password of user test1 (!)

Next you can login to target with SSH and Key but remember that you must always pass also user's password - to unlock LUKS.

Tip: To dump your SSH public keys on target use:

test1$ homectl inspect -E | jq '.privileged.sshAuthorizedKeys'

Troubleshooting

Shrinking user's home:

I had disk nearly full (test1 home was 9GB or so)
I shrink it as root with this command:

$ homectl resize test1 5G

- Please enter password for user test1: ***

Note: that you have to specify test1 user's password to unlock its filesystem so it can be resized (in my case BTRFS that supports shrinking out-of-the-box).