Systemd-Homed Is Merged And It Will Fundamentally Change Linux Home Directories

From LinuxReviews

Lennart Poettering has spent the last six months working on a fundamentally new way of managing home directories. The result, called systemd-homed, is now merged into the main systemd git tree. It will change how we look at user security, user data and home directories. Once systemd 245 is released, Linux distributions will be able to give each user an encrypted personal home directory container holding all of the user's data, metadata and system permissions. They won't do so right away; adoption will take time. But it will very likely be adopted and be the standard way of managing home directories ten years from now.

written by 林慧 (Wai Lin) 2020-02-04 - last edited 2020-02-16. © CC BY


Imagine a USB stick holding an encrypted container with all your files, your desktop settings and everything else that belongs to your user account. Plug it into any Linux laptop and it is recognized as a regular account on that system. Enter your password and you get the same desktop you have at home or at work, with one notable exception: the random laptop will not let you sudo or do anything else that requires administrative privileges. Plug the same stick into your own computer and you can, because that machine recognizes the stick as one belonging to an account it has granted privileges to.

Lennart Poettering presented this idea at the "All Systems Go" conference in Berlin in September 2019. He has been working on it ever since and the result is systemd-homed. His personal systemd-homed git tree, with more than 20k lines of code, is now merged into the mainline systemd tree. It will be a part of systemd in the upcoming systemd 245 release.

systemd-homed is not just about home directories on USB sticks. It can be used to handle all home directories, local or remote, in a better and more manageable way.

What Systemd-Homed Brings To The Table

Encrypted storage is not new; most Linux distributions have supported full disk encryption with LUKS for years. It works, and it is fine, but it has a structural weakness: the disk passphrase, the one password that actually protects the data, has to be shared with everyone who uses the machine regularly. LUKS key slots let you give each person a passphrase of their own, but every slot unwraps the same volume key, so anyone who can boot the machine can read every user's data. Encrypting each user's home directory under a key derived from that user's own password is a fundamentally better and more logical approach: unlocking your home gives you your data, not everyone else's.

Suspend-to-RAM is also a problem with full disk encryption: the volume key stays in RAM while the machine sleeps, so a cold-boot attack on a sleeping laptop can recover it. Hibernating (suspend-to-disk) avoids that, provided the hibernation image itself lands on encrypted swap, because the key leaves RAM when the machine powers off. Most people do not use it anyway, either because suspending and resuming take longer or because they are unaware that cold-boot attacks are a very real threat. systemd-homed addresses the suspend-to-RAM case by locking home directories before the machine sleeps: the home's file system stays mounted but access to it stalls, its encryption key is removed from memory, and the user has to enter their password again on resume before anything under $HOME is readable. Note that this protects only the home directory; the root file system and anything else encrypted under a whole-disk LUKS key are unaffected.
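The two points made in the last two paragraphs, as an added example that is not code from the original article or from systemd-homed: a model of a shared full-disk volume with one passphrase key slot per person (every slot unwraps the same volume key, as the LUKS layout does) beside a model of per-user home containers, each keyed only by its owner's password and able to be locked before suspend. The cipher is a SHAKE-256 keystream and the key-check is a plain SHA-256 digest; both are stand-ins for AES-XTS and the LUKS key digest, chosen so the block runs with the standard library alone. Names, passphrases and file contents are constructed for the demonstration.

```python
"""Model of the two encryption layouts discussed above (illustrative, stdlib only)."""
from __future__ import annotations

import hashlib
import secrets


def kdf(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from a passphrase (PBKDF2, modest cost)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, dklen=32)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHAKE-256 keystream bound to key and nonce.
    Encrypting and decrypting are the same operation. Not authenticated; model only."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


class SharedVolume:
    """Whole-disk layout: one volume key, any number of passphrase slots that unwrap it."""

    def __init__(self) -> None:
        self.volume_key = secrets.token_bytes(32)
        self.key_digest = hashlib.sha256(self.volume_key).digest()  # slot verification
        self.slots: list[tuple[bytes, bytes]] = []  # (salt, wrapped volume key)
        self.files: dict[str, tuple[bytes, bytes]] = {}  # path -> (nonce, ciphertext)

    def add_key(self, passphrase: str) -> None:
        """Like adding a LUKS key slot: a new passphrase for the existing volume key."""
        salt = secrets.token_bytes(16)
        self.slots.append((salt, stream_xor(kdf(passphrase, salt), b"slot", self.volume_key)))

    def unlock(self, passphrase: str) -> bytes:
        """Try every slot; any valid passphrase yields the single volume key."""
        for salt, wrapped in self.slots:
            candidate = stream_xor(kdf(passphrase, salt), b"slot", wrapped)
            if hashlib.sha256(candidate).digest() == self.key_digest:
                return candidate
        raise PermissionError("no key slot matches this passphrase")

    def write(self, volume_key: bytes, path: str, data: bytes) -> None:
        nonce = secrets.token_bytes(16)
        self.files[path] = (nonce, stream_xor(volume_key, nonce, data))

    def read(self, volume_key: bytes, path: str) -> bytes:
        nonce, ciphertext = self.files[path]
        return stream_xor(volume_key, nonce, ciphertext)


class HomeContainer:
    """Per-user layout: the container key is wrapped only by its owner's passphrase."""

    def __init__(self, passphrase: str) -> None:
        self.salt = secrets.token_bytes(16)
        volume_key = secrets.token_bytes(32)
        self.key_digest = hashlib.sha256(volume_key).digest()
        self.wrapped = stream_xor(kdf(passphrase, self.salt), b"home", volume_key)
        self.files: dict[str, tuple[bytes, bytes]] = {}
        self._key: bytes | None = None  # held in memory only while the home is active

    def activate(self, passphrase: str) -> None:
        candidate = stream_xor(kdf(passphrase, self.salt), b"home", self.wrapped)
        if hashlib.sha256(candidate).digest() != self.key_digest:
            raise PermissionError("wrong passphrase for this home")
        self._key = candidate

    def lock(self) -> None:
        """What a pre-suspend lock does: forget the key; the data stays encrypted on disk."""
        self._key = None

    def write(self, path: str, data: bytes) -> None:
        if self._key is None:
            raise RuntimeError("home is locked")
        nonce = secrets.token_bytes(16)
        self.files[path] = (nonce, stream_xor(self._key, nonce, data))

    def read(self, path: str) -> bytes:
        if self._key is None:
            raise RuntimeError("home is locked")
        nonce, ciphertext = self.files[path]
        return stream_xor(self._key, nonce, ciphertext)


def demo() -> dict[str, bool]:
    """Two users on each layout; report who can read what (constructed sample data)."""
    results: dict[str, bool] = {}

    # Shared full-disk encryption with a separate passphrase per person.
    disk = SharedVolume()
    disk.add_key("alice-pass")
    disk.add_key("bob-pass")
    disk.write(disk.unlock("bob-pass"), "/home/bob/diary", b"bob's secrets")
    results["alice_reads_bob_on_shared_disk"] = (
        disk.read(disk.unlock("alice-pass"), "/home/bob/diary") == b"bob's secrets"
    )

    # Per-user home containers: alice's passphrase does not open bob's container.
    bob_home = HomeContainer("bob-pass")
    bob_home.activate("bob-pass")
    bob_home.write("diary", b"bob's secrets")
    try:
        bob_home.activate("alice-pass")
        results["alice_opens_bob_home"] = True
    except PermissionError:
        results["alice_opens_bob_home"] = False

    # Locking before suspend: with the key gone, reads fail until bob re-activates.
    bob_home.lock()
    try:
        bob_home.read("diary")
        results["readable_while_locked"] = True
    except RuntimeError:
        results["readable_while_locked"] = False
    bob_home.activate("bob-pass")
    results["readable_after_unlock"] = bob_home.read("diary") == b"bob's secrets"
    return results


if __name__ == "__main__":
    print(demo())
```

Run it and `alice_reads_bob_on_shared_disk` comes out true while `alice_opens_bob_home` is false: adding passphrases to a shared volume changes who can unlock the disk, not who can read whose files, which is exactly the gap per-user containers close. The lock step mirrors what a pre-suspend lock achieves in principle: the key is gone from memory, so nothing under the home is readable until the owner types the password again.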

The ability to easily move home directories around is another clear advantage. This is not just handy if you want your /home/you on a USB stick, it is also very handy when you buy a new computer.

There is also a storage backend for home directories mounted from a remote CIFS (SMB) server built right into systemd-homed. Those who administer a large number of computers within an organization will likely find that aspect of it very appealing.

The Long Road To Widespread Adoption

systemd-homed will fundamentally change the way we look at and work with home directories. Change is very scary, so there will be resistance and plenty of it.

systemd-homed will, like most systemd components, be entirely optional. Linux distributions can take it and use it for home directory management - or not. The advantages of using the systemd-homed technology are significant so there is a fair chance it will see wide adoption over time.

Very few, if any, Linux distributions will jump on it when systemd 245 is released. There are still a lot of problems to be solved. Current desktop environments and applications do not cope with $HOME becoming inaccessible and then reappearing underneath them, which is exactly what happens when a home directory is locked for suspend and unlocked again on resume. Adding that support to a wide range of desktop applications will take time.

Most of the larger distributions will probably adopt systemd-homed within a few years. A few smaller ones, namely those who already proudly make a point of being systemd-free, will reject it. Those who don't like the idea can use those.

The features and value systemd-homed can add are such that it is very likely that we will see it as a standard way of managing home directories and take it for granted ten years from now. It is simply more practical and a lot more convenient than the way we currently handle home directories on Linux systems.

15 months ago
Yes, you can do that, but it is quite pointless. You can make 10 keys for your front door's lock, color-code them and hand them out to family members; you don't have to share one key with your entire family. A potential issue with that is that everyone with a key to the house is free to roam around in any and all rooms once they're in. That is essentially what you get with shared full disk encryption. The disk encryption key is the same for all passwords added with luksAddKey. Giving everyone their unique password doesn't really solve anything.