Trying to get file-based encryption on a laptop, I stumbled upon a silly bug in Arch or Manjaro, which prevents unlocking of your home directory through PAM on login.

The primary reason for using file-based encryption is that it comes built into f2fs, which is a file system designed for eMMC and SSD storage that comes with a few cool features (encryption using fscrypt, compression, discard), and I wanted to give it a try.

Failure with the “classic PAM” mode made me try #systemd systemd-homed, which is a new abstraction layer for managing non-privileged users on #Linux systems, and which also happens to support fscrypt as one of the underlying storage types. And it works.

systemd-homed is a daemon, integrated with all the other Linux user identity and authentication databases, which manages users and, most importantly, their home storage in a way that extends the classic /home architecture and significantly simplifies using other storage systems. As of today these are supported:

LUKS - the classic encrypted block device interface, primarily used for Linux full-disk encryption; the locked container is simply one large encrypted file or block device;
fscrypt - file-based encryption where the directory and file structure is preserved, but all file names, directories, their metadata and contents are encrypted;
directory - a simple unencrypted directory on the native filesystem;
CIFS - a Samba volume mounted somewhere.

There are procedures described for migration of an existing user, which is precisely what I’ve done… and it’s working (I’m writing this on Manjaro from an account mounted on an fscrypt home directory). For a regular user this might be a bit of an overkill (as long as the native storage works, ahem…), but it’s certainly interesting if you’re managing systems with large numbers of users.


@kravietz file-based? Like gpg? That's what I use for my password file right now

@worldsendless

In a sense, yes - there are no loopback devices; it’s as if you separately encrypted each of the files in your home directory, but also renamed them to random names like JZBd9Nyv0NWHkAYH9m25eFxxrEE, and did the same to all directories. When the directory is locked (before entering the password), this is all an attacker will see. After you log in, all files are transparently mapped to their original names.

This is certainly less secure than full-disk encryption, as some parts of the system are unencrypted, but it offers better performance and more flexibility, especially on mobile devices.
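One check worth running after a migration like the one described in the opening post, and again to see what the "locked" view in the reply above corresponds to at the kernel level, is to ask the kernel whether the home directory actually carries an fscrypt policy. The script below is an added example written for this thread; it is not code from the thread, from systemd-homed or from the fscrypt userspace tool. It uses the FS_IOC_GET_ENCRYPTION_POLICY_EX ioctl and the policy struct layouts from <linux/fscrypt.h>, so it runs only on Linux; the table of cipher mode names is a subset of the FSCRYPT_MODE_* constants from that header. A directory on a filesystem without the encrypt feature (or on tmpfs/overlayfs) is reported as "unsupported", which is a different finding from "unencrypted".

```python
"""Report whether a path carries an fscrypt encryption policy, and which one.

Added example (not from the thread, systemd or the fscrypt tool). Linux only:
it queries the kernel directly, so no userspace fscrypt tooling is needed.
"""
import errno
import fcntl
import os
import struct

# From <linux/fscrypt.h>: FS_IOC_GET_ENCRYPTION_POLICY_EX = _IOWR('f', 22, __u8[9])
FS_IOC_GET_ENCRYPTION_POLICY_EX = 0xC0096616

# struct fscrypt_policy_v1 (12 bytes): version, contents_mode, filenames_mode,
#   flags, master_key_descriptor[8]
# struct fscrypt_policy_v2 (24 bytes): version, contents_mode, filenames_mode,
#   flags, __reserved[4], master_key_identifier[16]
FSCRYPT_POLICY_V1 = 0
FSCRYPT_POLICY_V2 = 2
POLICY_V1_SIZE = 12
POLICY_V2_SIZE = 24

# Subset of FSCRYPT_MODE_* from <linux/fscrypt.h>
MODE_NAMES = {
    1: "AES-256-XTS",
    4: "AES-256-CTS-CBC",
    5: "AES-128-CBC-ESSIV",
    6: "AES-128-CTS-CBC",
    9: "Adiantum",
}


def parse_policy_arg(arg):
    """Decode a kernel-filled struct fscrypt_get_policy_ex_arg into a dict."""
    (policy_size,) = struct.unpack_from("<Q", arg, 0)   # __u64 policy_size
    version = arg[8]                                     # first byte of the union
    if version == FSCRYPT_POLICY_V1 and policy_size == POLICY_V1_SIZE:
        _, contents, filenames, flags, key = struct.unpack_from("<BBBB8s", arg, 8)
    elif version == FSCRYPT_POLICY_V2 and policy_size == POLICY_V2_SIZE:
        _, contents, filenames, flags, _res, key = struct.unpack_from("<BBBB4s16s", arg, 8)
    else:
        raise ValueError("unknown fscrypt policy version %d (size %d)" % (version, policy_size))
    return {
        "state": "encrypted",
        "version": version,
        "contents_mode": MODE_NAMES.get(contents, "mode %d" % contents),
        "filenames_mode": MODE_NAMES.get(filenames, "mode %d" % filenames),
        "flags": flags,
        "master_key": key.hex(),
    }


def get_policy(path):
    """Return the fscrypt state of `path`.

    'state' is 'encrypted' (with policy details), 'unencrypted' (no policy on
    this inode), 'unsupported' (filesystem or kernel has no fscrypt) or
    'error' (any other errno, reported in 'errno').
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        # policy_size is in/out: we pass the size of the largest layout (v2) and
        # the kernel writes back the actual size. Zero-filled buffer.
        arg = bytearray(struct.pack("<Q", POLICY_V2_SIZE) + bytes(POLICY_V2_SIZE))
        try:
            fcntl.ioctl(fd, FS_IOC_GET_ENCRYPTION_POLICY_EX, arg)
        except OSError as e:
            if e.errno == errno.ENODATA:
                return {"state": "unencrypted"}
            if e.errno in (errno.ENOTTY, errno.EOPNOTSUPP, errno.ENOSYS):
                return {"state": "unsupported", "errno": e.errno}
            return {"state": "error", "errno": e.errno}
    finally:
        os.close(fd)
    return parse_policy_arg(arg)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or [os.path.expanduser("~")]:
        print(p, get_policy(p))
```

Run it against the home directory both before and after logging in: the policy is readable from the inode even while the directory is locked, so "encrypted" with a filenames mode confirms that the random-looking names an attacker sees are the expected state, while "unencrypted" after a homed migration means the data never went into an fscrypt directory at all. Whether the key is currently loaded (locked vs unlocked) is a separate question this check does not answer.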

Qoto Mastodon