Systemd-Homed Is Merged And It Will Fundamentally Change Linux Home Directories
Lennart Poettering has been working on a fundamentally new way of managing home directories for the last six months. The result, called systemd-homed, is now merged into the main systemd git tree. It will change how we look at user security, user data and home directories. Once systemd 245 is released, Linux distributions will be able to give each user an encrypted personal home directory container holding all of that user's data, metadata and system permissions. They won't, not right away; adoption will take time. But it is very likely to be adopted and to be the standard way of managing home directories ten years from now.
written by 林慧 (Wai Lin). published 2020-02-04 - last edited 2020-02-16
Imagine having a USB stick with an encrypted container holding all your files, your desktop settings and all the data relevant to your user account. Plug it into a laptop, any Linux laptop, and it is instantly recognized as a regular system account. Enter your password and bam, you get the same desktop you have at home or at work, with a few exceptions: the random laptop will not let you sudo or do anything else which requires system administrative privileges. Plug the same stick into your home computer and you can, because that machine recognizes the USB stick as one which belongs to a privileged account on that machine.
Lennart Poettering presented this idea at the "All Systems Go" conference in Berlin in September 2019. He has been working on it ever since and the result is systemd-homed. His personal systemd-homed git tree, with more than 20k lines of code, is now merged into the mainline systemd tree. It will be a part of systemd in the upcoming systemd 245 release.
systemd-homed is not just about home directories on USB sticks. It can be used to handle all home directories, local or remote, in a better and more manageable way.
What Systemd-Homed Brings To The Table
Encrypted storage is not new; most Linux distributions have supported full disk encryption using LUKS for quite some time. It works. It's fine. But it does have some problems. With full disk encryption the disk passphrase, the only password that actually protects the data, has to be known by everyone who uses the computer on a regular basis (LUKS can hold several passphrases in separate key slots, but each of them unlocks everything), and once the disk has been unlocked at boot every user's files are protected only by ordinary file permissions. Encrypting each user's home directory with a personal key is a fundamentally better and more logical approach: unlocking one user's data does not unlock anyone else's.
Suspending to RAM is also a problem when full disk encryption is used, since the volume key stays in RAM while the machine is sleeping, where a cold-boot attack can recover it. Suspending to disk (hibernating) instead of RAM does solve that one. Most do not use that solution either, because both suspending and restoring the system take longer or because they are unaware that cold-boot attacks are a very real threat to cryptographic security. systemd-homed addresses the suspend-to-RAM case by locking active home directories before the machine suspends: access to the home directory is suspended and its cryptographic keys are removed from memory, so the user has to enter the password again on resume. This only works if the desktop session and its applications can cope with $HOME becoming inaccessible for a while.
The ability to easily move home directories around is another clear advantage. This is not just handy if you want your /home/you on a USB stick, it is also very handy when you buy a new computer.
There is also support for remote CIFS-mounted home directories built right into systemd-homed. Those who administer a large number of computers within an organization will likely find that aspect very appealing.
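The USB-stick scenario at the top of the article and the per-user encryption and suspend handling described in this section map onto the homectl(1) tool that ships with systemd-homed. The script below is an added example, not code from the article or from the systemd project. It assumes systemd 245 or later with systemd-homed.service running, root privileges, a placeholder user "alice" and a placeholder USB stick at /dev/sdb; DRY_RUN is a helper of this script, not a homectl option.

```shell
#!/bin/sh
# Added example wrapping homectl(1) for the USB-stick and per-user
# encryption scenario. Not code from the article or from the systemd
# project. Assumptions: systemd >= 245 with systemd-homed.service running,
# root privileges, placeholder user "alice" and placeholder device
# /dev/sdb. DRY_RUN=1 (this script's own helper, not a homectl option)
# prints the commands instead of running them.

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to go on without systemd-homed and root (skipped in dry-run mode).
require_homed() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    command -v homectl >/dev/null 2>&1 || { echo 'homectl not found (needs systemd >= 245 with systemd-homed)' >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; return 1; }
}

# Create a LUKS2-encrypted home. Pointing --image-path at a block device puts
# the container on the stick itself instead of a loopback file under /home/.
# homectl prompts for the passphrase; that key protects only this user's data.
create_home() {   # $1 user name, $2 block device
    require_homed || return 1
    run homectl create "$1" --storage=luks --image-path="$2"
}

# What systemd-homed does around suspend-to-RAM: lock suspends access to the
# home directory and removes its cryptographic keys from memory; unlock asks
# for the passphrase again. Lock before sleeping, unlock after resume.
lock_home()   { require_homed && run homectl lock "$1"; }
unlock_home() { require_homed && run homectl unlock "$1"; }

# Before pulling the stick: unmount the home and close the LUKS volume.
eject_home()  { require_homed && run homectl deactivate "$1"; }

# Show the user record (storage backend, disk size, group membership, ...).
show_home()   { require_homed && run homectl inspect "$1"; }

# Usage on a real homed host (interactive, prompts for the passphrase):
#   create_home alice /dev/sdb && show_home alice
#   lock_home alice; systemctl suspend
#   unlock_home alice          # after resume
#   eject_home alice           # before unplugging
```

With DRY_RUN=1 the functions only print the homectl invocations, which is a safe way to read through the workflow on a machine without systemd-homed; without it they require root and a running systemd-homed.service.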
The Long Road To Widespread Adoption
systemd-homed will fundamentally change the way we look at and work with home directories. Change is very scary, so there will be resistance and plenty of it.
systemd-homed will, like most systemd components, be entirely optional. Linux distributions can take it and use it for home directory management - or not. The advantages of using the systemd-homed technology are significant so there is a fair chance it will see wide adoption over time.
Very few, if any, Linux distributions will jump on it when systemd 245 is released. There are still a lot of problems to be solved. Current desktop environments and applications do not handle $HOME disappearing and re-appearing from beneath them. Adding that support to a wide range of desktop applications will take time.
Most of the larger distributions will probably adopt systemd-homed within a few years. A few smaller ones, namely those who already proudly make a point of being systemd-free, will reject it. Those who don't like the idea can use those.
The features and value systemd-homed can add are such that it is very likely that we will see it as a standard way of managing home directories and take it for granted ten years from now. It is simply more practical and a lot more convenient than the way we currently handle home directories on Linux systems.