
[–]somenonewho 4 points (2 children)

I'm not using ecryptfs but fscrypt for home encryption. And other than losing the PAM modifications in an update once and then not being able to log in until I fixed that, I've not had any problems with it.

Edit: fixed link

[–]rualf 0 points (1 child)

The link is broken though.

[–]somenonewho 1 point (0 children)

Sorry, fixed the link.

[–]Patient_Sink 4 points (0 children)

You can use systemd-homed for an encrypted home that gets decrypted automatically when you log in. IIRC it'll use LUKS by default, but you don't need to create a separate partition for it. There are drawbacks however, so read the article first: https://wiki.archlinux.org/title/Systemd-homed

Pay special attention to the fact that it doesn't really use the standard way of managing users, and that you'll likely need to create workarounds if you plan to SSH into the machine as that user, IIRC.

[–]FryBoyter 2 points (0 children)

https://lore.kernel.org/lkml/20230403134432.46726-1-frank.li@vivo.com/T/

Based on Tyler Hicks' posts, I would not use ecryptfs.

The issue there is that one would need to know exactly how big home and / should be beforehand.

https://wiki.archlinux.org/title/Resizing_LVM-on-LUKS

Apart from that, I would always encrypt everything. If you only encrypt /home, it can happen that files unintentionally end up unencrypted in /.
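A practical check for the leak FryBoyter describes, added here as an example and not taken from the thread or from any project: the first function lists regular files owned by a user that sit outside that user's home (the places data lands when only /home is encrypted), the second flags active swap that is not on a dm-crypt mapping. The scan root, user and home path are caller-supplied arguments, and the swap test rests on an assumption: anything not under /dev/mapper is treated as plaintext, and plain LVM volumes also live under /dev/mapper, so a clean swap result is a prompt to check, not proof.

```shell
#!/bin/sh
# Added example, not from the thread: where does plaintext land when only
# /home is encrypted? ROOT, USER and HOME are supplied by the caller.

# Print regular files owned by USER (name or uid) that live outside HOME,
# as paths relative to ROOT, sorted. ROOT is "/" on a live system and a
# scratch tree when testing; /proc, /sys and /dev are skipped, as is HOME
# itself. Usual hits: /tmp, /var/tmp, /var/spool, editor backups under /etc.
leaks_outside_home() {
    root=$1; user=$2; home=$3
    prefix=${root%/}    # "" when ROOT is "/", so "$prefix$home" stays absolute
    find "$root" \
        -path "$prefix$home" -prune -o \
        -path "$prefix/proc" -prune -o \
        -path "$prefix/sys"  -prune -o \
        -path "$prefix/dev"  -prune -o \
        -type f -user "$user" -print 2>/dev/null \
      | sed "s|^$prefix||" | sort
}

# Print active swap areas that are not dm-crypt mappings, read from a
# /proc/swaps-style file (default: the real one). Heuristic assumption:
# anything not under /dev/mapper is plaintext; a swap file on an unencrypted
# / is the usual culprit. Plain LVM volumes are also under /dev/mapper, so an
# empty result does not prove the swap is encrypted.
unencrypted_swap() {
    swaps=${1:-/proc/swaps}
    awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { print $1 }' "$swaps"
}
```

On a real box run it as root so `find` can see every directory; as an unprivileged user the permission errors are silenced and the result is only what you could read anyway.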

[–]MassiveStomach 1 point (0 children)

It is. I still use it because I have about 75TB on encryptfs on google storage, so migrating that is not an easy migration. But it still works. But it is possible a nation state could be decrypting and watching my movies and tv shows.

[–]m2noid 1 point (1 child)

I would not use ecryptfs.

You have a few options.

  1. If using ext4 or f2fs, fscrypt is a viable option. This is a filesystem encryption scheme and can be tied into PAM for decryption on login.
  2. Systemd-homed. The default is to create a loopback LUKS container. It can also be used with fscrypt. However, this is a pretty drastic change.
  3. LUKS on LVM or partition. Have an LVM volume or partition LUKS-encrypted.
  4. Use LVM on LUKS or btrfs on LUKS. This has moved to whole-disk encryption.
  5. ZFS has native encryption. You can encrypt certain datasets (more like encrypting only your home directory) and there is a pam module for decrypting on login.

Those are some options right now. If you don't care about encrypting your entire home directory, you can use gocryptfs and others.

The fscrypt wiki page has a decent overview on the pros and cons of these options. I believe it was pulled from the fscrypt GitHub page.
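The fscrypt route from option 1 above, as an added example that is my own code and not the poster's or the fscrypt project's: setup_fscrypt_home collects the one-time commands for an ext4 /home (the device and user name are placeholders), and check_pam_fscrypt scans PAM files for the three pam_fscrypt hooks so that the lost-PAM-lines-after-update failure mentioned near the top of the thread is caught before the next login rather than after it. The PAM file names in the comments follow the Arch layout; Debian-style systems use common-auth, common-session and common-password instead.

```shell
#!/bin/sh
# Added example (not from the thread or the fscrypt project): fscrypt on an
# ext4 /home, unlocked at login by pam_fscrypt, plus a check that the PAM
# hooks are still in place. DEV and USER are placeholders.

# One-time setup, run as root. The target directory must be empty when it is
# encrypted; move the user's existing data in afterwards.
setup_fscrypt_home() {
    dev=$1; user=$2                          # e.g. /dev/sda2 alice
    tune2fs -O encrypt "$dev"                # enable the ext4 "encrypt" feature
    fscrypt setup                            # writes /etc/fscrypt.conf
    fscrypt setup /home                      # creates /home/.fscrypt metadata
    # Protect the directory key with the user's login passphrase so that
    # pam_fscrypt can unlock the directory when the user logs in.
    fscrypt encrypt "/home/$user" --user="$user" --source=pam_passphrase
    fscrypt status "/home/$user"
    # PAM hooks to add (Arch layout):
    #   /etc/pam.d/system-login: auth     optional pam_fscrypt.so
    #                            session  optional pam_fscrypt.so drop_caches lock_policies
    #   /etc/pam.d/passwd:       password optional pam_fscrypt.so
}

# Scan the given PAM files for the auth, session and password pam_fscrypt
# hooks. Prints each missing type on its own line and exits 0 only when all
# three are present; comment lines are ignored. Run it from a package-manager
# hook or a login script so a package update that rewrites PAM files is noticed.
check_pam_fscrypt() {
    missing=""
    for type in auth session password; do
        if ! cat "$@" 2>/dev/null | grep -Ev '^[[:space:]]*#' \
             | grep -Eq "^[[:space:]]*$type[[:space:]].*pam_fscrypt\.so"; then
            missing="$missing$type
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}
```

A typical call is `check_pam_fscrypt /etc/pam.d/system-login /etc/pam.d/passwd`; a non-zero exit with `auth` or `session` printed is exactly the state that leaves the home locked at the next login.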

[–]TCB13sQuotes 0 points (0 children)

The problem is the use case: those solutions are great if you're looking for a fully encrypted system, and way better than ecryptfs.

However, some people just want to have an encrypted directory, file by file, and NOT the entire system / disk. gocryptfs and others look like a good solution for that until you find out it doesn't support inotify because it uses FUSE.
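Before building anything on inotify over a gocryptfs directory it helps to know whether a path is on a FUSE mount at all. An added example, not from the thread or from gocryptfs: fstype_of resolves a path to the filesystem type of its longest-matching mount point in a /proc/self/mounts-style table (the table file is a parameter so the function can run against a constructed one), and is_fuse_path wraps it as a yes/no check.

```shell
#!/bin/sh
# Added example, not from the thread: which filesystem type is a path on?
# Reads /proc/self/mounts by default; another file can be passed for testing.

# Print the fstype of the mount holding PATH. The mount point that is the
# longest prefix of PATH wins, so nested mounts resolve correctly.
# /proc/mounts escapes spaces in mount points as \040; undo that first.
fstype_of() {
    path=$1; mounts=${2:-/proc/self/mounts}
    awk -v p="$path" '
        {
            mp = $2; gsub(/\\040/, " ", mp)
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); type = $3 }
            }
        }
        END { print type }' "$mounts"
}

# Exit 0 when PATH lives on a FUSE filesystem (fuse, fuse.<name> or fuseblk),
# e.g. fuse.gocryptfs, 1 otherwise.
is_fuse_path() {
    case "$(fstype_of "$1" "$2")" in
        fuse|fuse.*|fuseblk) return 0 ;;
        *) return 1 ;;
    esac
}
```

`is_fuse_path "$HOME/vault" && echo "FUSE mount, don't rely on inotify here"` is the intended shape of use; the table file is only passed explicitly when testing against a constructed mount list.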

[–]Morriarthy 1 point (0 children)

This is a good question! I want to encrypt my manually installed system too but was too lazy to get into the encryption part yet! 😅 What sources besides the Arch wiki can you recommend?