Support plain encrypted partition as systemd-homed data source (on GPT-formatted disk) #26762

Closed
gdonval opened this issue Mar 11, 2023 · 5 comments
Labels
homed homed, homectl, pam_homed needs-reporter-feedback ❓ There's an unanswered question, the reporter needs to answer RFE 🎁 Request for Enhancement, i.e. a feature request

Comments

@gdonval

gdonval commented Mar 11, 2023

Component

homectl, systemd-homed

Is your feature request related to a problem? Please describe

TL;DR: loopback images are awkward and prone to bugs, fscrypt does not support btrfs and leaks metadata, please allow us to use LUKS-encrypted GPT partitions from "anywhere".

Loopback images are not always optimal. LUKS-enabled loopback image over filesystem (over other `dm` layers, potentially) is wasteful (`dm` stacking) and awkward (e.g. runs into problems when image gets close to underlying partition size). Using an image file has also been proven to be harder to get right than probably initially expected (e.g. resizing alone, albeit a good feature, has been problematic, see #24937, #23967, #23740, #22901, #22255, #22124, #20960, #19398, #17241, #15115, etc.).
fscrypt is not always a good LUKS replacement.

The alternative besides unencrypted folder/subvolume/cifs is encrypted fscrypt.

fscrypt has a few drawbacks, two of the most important being its lack of support for btrfs (which provides snapshots, data/metadata checksumming, send/receive, etc.) and a lack of opacity (individual files can be identified and metadata like extended attributes are not encrypted).

Describe the solution you'd like

In essence, to quote the documentation:

The image contains a GPT partition table. For now it should only contain a single partition, and that partition must have the type UUID 773f91ef-66d4-49b5-bd83-d683bf40ad16. Its partition label must be the user name.

Please relax the "should only contain a single partition" so that any partition with proper GUID and LABEL is treated as valid.

This does solve a very common scenario superbly (system that belongs to one and only one user) while allowing all the neatness of unlocking the home partition only when necessary.

Describe alternatives you've considered

  1. LUKS-encrypted /home decrypted at boot time: this is my current setup. Once decrypted, the disk won't be reencrypted until the computer shuts down.
  2. Using pam_exec to encrypt/decrypt partition. Complicated solution. Decryption is based on password (no TPM/FIDO2 by default unless coded in). Very bespoke, prone to bugs and update-related problems made worse by all the separate components involved.

The systemd version you checked that didn't have the feature you are asking for

253.1

@gdonval gdonval added the RFE 🎁 Request for Enhancement, i.e. a feature request label Mar 11, 2023
@github-actions github-actions bot added the homed homed, homectl, pam_homed label Mar 11, 2023
@poettering
Member

It should already support that. Just create the partition yourself, and then point homed to it via --image-path=. Did you try that?

@poettering poettering added the needs-reporter-feedback ❓ There's an unanswered question, the reporter needs to answer label Mar 13, 2023
@gdonval
Author

gdonval commented Mar 15, 2023

I will try over the weekend. Since the documentation stated the GPT-formatted image/block device (in case of USB) "should only contain a single partition", I did not chance it.

I also suspect the code will look for the first partition whose type UUID matches 773f91ef-66d4-49b5-bd83-d683bf40ad16, just failing if it's not correct instead of looking at alternatives. But I'll see when I get around to running that.
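
The selection rule discussed in the request and in the comment above (accept any partition with the home type UUID and a label equal to the user name, rather than only a sole or first one), as an added example that is not part of the thread and is not systemd-homed's code. It assumes 512-byte sectors and reads only the primary GPT header; `find_home_partitions`, `build_sample_disk` and the sample layout are constructed for illustration.

```python
import struct
import uuid
import zlib

SECTOR = 512  # assumption: 512-byte logical sectors
# Type UUID for home partitions, as quoted from the documentation in the issue
HOME_TYPE = uuid.UUID("773f91ef-66d4-49b5-bd83-d683bf40ad16")
# Well-known type UUID of the EFI System Partition, used only in the sample
ESP_TYPE = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")

def find_home_partitions(disk: bytes, user: str):
    """Return (number, first_lba, last_lba) for every GPT entry whose type UUID
    is HOME_TYPE and whose label equals `user`, wherever it sits in the table."""
    hdr = disk[SECTOR:SECTOR + 92]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    table = disk[entries_lba * SECTOR:entries_lba * SECTOR + count * size]
    if len(table) != count * size or zlib.crc32(table) != entries_crc:
        raise ValueError("partition entry array is truncated or corrupt")
    matches = []
    for i in range(count):
        entry = table[i * size:(i + 1) * size]
        ptype = uuid.UUID(bytes_le=entry[:16])  # GPT stores GUIDs mixed-endian
        first, last = struct.unpack_from("<QQ", entry, 32)
        label = entry[56:128].decode("utf-16-le").split("\x00", 1)[0]
        if ptype == HOME_TYPE and label == user:
            matches.append((i + 1, first, last))
    return matches

def build_sample_disk(parts):
    """Constructed test input: a minimal GPT image from (type, label, first, last)."""
    table = b"".join(
        t.bytes_le + uuid.uuid4().bytes_le + struct.pack("<QQQ", first, last, 0)
        + label.encode("utf-16-le").ljust(72, b"\x00")
        for t, label, first, last in parts
    ).ljust(128 * 128, b"\x00")
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QIII", hdr, 72, 2, 128, 128, zlib.crc32(table))
    return bytes(SECTOR) + bytes(hdr) + table

if __name__ == "__main__":
    disk = build_sample_disk([
        (ESP_TYPE, "esp", 2048, 4095),
        (HOME_TYPE, "bob", 4096, 8191),
        (HOME_TYPE, "alice", 8192, 16383),
    ])
    print(find_home_partitions(disk, "alice"))  # [(3, 8192, 16383)]
```

Returning every match instead of the first lets the caller reject ambiguous layouts (two partitions carrying the same type UUID and label) instead of silently unlocking whichever comes first.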

@AdelKS

AdelKS commented Mar 18, 2023

How different is this issue from #15273?

@eumpf0

eumpf0 commented Mar 21, 2023

I have been trying to achieve the same thing as the OP.
This open MR #25453 should address this, right? There are still requests for changes to it though.

Btw I also think this is a duplicate of #15273.

@poettering
Member

Let's close this as duplicate of #15273
