Systemd-Homed Is Merged And It Will Fundamentally Change Linux Home Directories

From LinuxReviews

Lennart Poettering has spent the last six months working on a fundamentally new way of managing home directories. The result, called systemd-homed, is now merged into the main systemd git tree. It changes how user security, user data and home directories fit together: once systemd 245 is released, Linux distributions will be able to give each user a personal, encrypted home directory container holding all of that user's data, metadata and account information. Most of them won't, at first; adoption will take time. But it is very likely to be adopted and to be the standard way of managing home directories ten years from now.

Written by 林慧 (Wai Lin). Published 2020-02-04, last edited 2020-02-16.


Imagine a USB stick holding an encrypted container with all your files, your desktop settings and every piece of data that belongs to your user account. Plug it into a laptop, any Linux laptop running systemd-homed, and the account on it is recognized as a regular local account. Enter your password and, bam, you get the same desktop you have at home or at work, with a few exceptions: a random laptop will not let you sudo or do anything else that requires system administrative privileges. Plug the same stick into your home computer and you can, because that machine recognizes the account on the stick as one that is privileged there.

Lennart Poettering presented this idea at the "All Systems Go" conference in Berlin in September 2019. He has been working on it ever since, and the result is systemd-homed. His personal systemd-homed git tree, with more than 20k lines of code, is now merged into the mainline systemd tree. It will be part of the upcoming systemd 245 release.

systemd-homed is not just about home directories on USB sticks. It can be used to handle all home directories, local or remote, in a better and more manageable way.

What Systemd-Homed Brings To The Table

Encrypted storage is not new; most Linux distributions have supported full disk encryption with LUKS for years. It works. It's fine. But it has a real limitation. With full disk encryption there is one volume key for the whole disk. LUKS does let several passphrases unlock it (one per key slot), but every one of those passphrases yields the same volume key, so anyone who can unlock the disk can, given enough privilege on the running system, read every user's data, and all of it sits decrypted for as long as the machine is up. Encrypting each user's home directory under that user's own key is a fundamentally better and more logical approach: a user's data is only accessible while that user's home is unlocked.

Suspend to RAM is another weak spot of full disk encryption: the volume key stays in memory while the machine sleeps, which is exactly what a cold-boot attack goes after. Suspend to disk (hibernation) solves that, provided the swap area is encrypted too, but most people don't use it, either because suspending and resuming take longer or because they are unaware that cold-boot attacks are a very real threat. systemd-homed handles the suspend to RAM case by locking home directories before the machine suspends: the user's encryption key is discarded from memory, and the home stays inaccessible until the user re-enters the password after resume.
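The following is an added illustration written for this article; it is not code from systemd-homed, LUKS or cryptsetup. It models a LUKS-style container as one random volume key wrapped under each passphrase (one key slot per passphrase) and plays out three situations: a shared whole-disk volume where a second passphrase, added the `luksAddKey` way, yields the same volume key and therefore the first user's files; one container per user, where another user's passphrase is refused; and a home that is locked before suspend and only readable again after the passphrase is re-entered. The stream cipher (HMAC-SHA256 in counter mode), the wrapping format, the `EncryptedVolume` and `KeySlot` classes and the passphrases are all stand-ins chosen for the demo; the real stack uses AES-XTS under dm-crypt and argon2id or PBKDF2 for the passphrase.

```python
# Added illustration, not systemd-homed, LUKS or cryptsetup code: the cipher, the wrap
# format and the class and passphrase names are stand-ins made up for this demo.
import hashlib
import hmac
import secrets

def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    # Passphrase -> 32-byte key (LUKS2 uses argon2id/PBKDF2; scrypt is in the stdlib).
    return hashlib.scrypt(passphrase, salt=salt, n=2 ** 12, r=8, p=1, dklen=32)

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (dm-crypt uses AES-XTS).
    # Symmetric: the same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class KeySlot:
    """One LUKS-style key slot: the volume key wrapped under one passphrase."""
    def __init__(self, passphrase: bytes, volume_key: bytes):
        self.salt = secrets.token_bytes(16)
        k = derive_key(passphrase, self.salt)
        self.wrapped = stream_xor(k, self.salt, volume_key)
        self.tag = hmac.new(k, self.wrapped, "sha256").digest()  # rejects wrong passphrase

    def open(self, passphrase: bytes):
        k = derive_key(passphrase, self.salt)
        if not hmac.compare_digest(self.tag, hmac.new(k, self.wrapped, "sha256").digest()):
            return None
        return stream_xor(k, self.salt, self.wrapped)

class EncryptedVolume:
    """One volume key, any number of key slots. Used below both as a shared whole-disk
    volume (full disk encryption) and as one volume per user (the homed layout)."""
    def __init__(self, passphrase: bytes):
        volume_key = secrets.token_bytes(32)  # the only key that actually protects data
        self.slots = [KeySlot(passphrase, volume_key)]
        self.blobs = {}                       # path -> (nonce, ciphertext)
        self._key = None                      # in RAM only while unlocked

    def _open_any_slot(self, passphrase: bytes) -> bytes:
        for slot in self.slots:
            vk = slot.open(passphrase)
            if vk is not None:
                return vk
        raise PermissionError("no key slot accepts this passphrase")

    def add_key(self, existing: bytes, new: bytes) -> None:
        # Like `cryptsetup luksAddKey`: prove you hold a working passphrase, then wrap
        # the *same* volume key once more under the new one.
        self.slots.append(KeySlot(new, self._open_any_slot(existing)))

    def unlock(self, passphrase: bytes) -> None:
        self._key = self._open_any_slot(passphrase)

    def lock(self) -> None:
        self._key = None  # what homed does before suspend: drop the key, keep the container

    def write(self, path: str, data: bytes) -> None:
        if self._key is None:
            raise RuntimeError("volume is locked")
        nonce = secrets.token_bytes(16)
        self.blobs[path] = (nonce, stream_xor(self._key, nonce, data))

    def read(self, path: str) -> bytes:
        if self._key is None:
            raise RuntimeError("volume is locked")
        nonce, ciphertext = self.blobs[path]
        return stream_xor(self._key, nonce, ciphertext)

def shared_fde_second_passphrase_reads_first_users_data() -> bool:
    disk = EncryptedVolume(b"alice-pw")
    disk.add_key(b"alice-pw", b"bob-pw")  # "everyone gets their own passphrase"
    disk.unlock(b"alice-pw")
    disk.write("/home/alice/tax-return", b"alice's private data")
    disk.lock()
    disk.unlock(b"bob-pw")  # bob's slot yields the very same volume key
    return disk.read("/home/alice/tax-return") == b"alice's private data"

def per_user_home_rejects_other_users_passphrase() -> bool:
    alice_home = EncryptedVolume(b"alice-pw")  # its own volume key, its own key slots
    try:
        alice_home.unlock(b"bob-pw")
    except PermissionError:
        return True
    return False

def locked_home_stays_unreadable_until_unlocked() -> bool:
    home = EncryptedVolume(b"alice-pw")
    home.unlock(b"alice-pw")
    home.write("notes", b"draft")
    home.lock()  # machine suspends to RAM
    try:
        home.read("notes")
    except RuntimeError:
        home.unlock(b"alice-pw")  # resume: user re-enters the passphrase
        return home.read("notes") == b"draft"
    return False  # the key should have been gone
```

Each scenario function returns True when the property it is named after holds. Two things the model deliberately leaves out: on a running system, file permissions still keep unprivileged users out of each other's homes, so the shared-key problem is about root, offline access and memory, not about ordinary logins; and homed's lock keeps the file system mounted but frozen, with accesses stalling until the home is unlocked, which is why applications have to tolerate $HOME going away for a while.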

The ability to easily move home directories around is another clear advantage. This is not just handy if you want your /home/you on a USB stick, it is also very handy when you buy a new computer.

There is also support for remote CIFS-mounted home directories built right into systemd-homed. Those who administer a large number of computers within an organization will likely find that aspect very appealing.

The Long Road To Widespread Adoption

systemd-homed will fundamentally change the way we look at and work with home directories. Change is very scary, so there will be resistance and plenty of it.

systemd-homed will, like most systemd components, be entirely optional. Linux distributions can take it and use it for home directory management, or not. The advantages of the systemd-homed approach are significant, so there is a fair chance it will see wide adoption over time.

Very few, if any, Linux distributions will jump on it when systemd 245 is released. There are still problems to be solved. Current desktop environments and applications do not cope with $HOME becoming inaccessible and reappearing underneath them, which is exactly what happens when a home directory is locked on suspend and unlocked again on resume. Adding that support to a wide range of desktop applications will take time.

Most of the larger distributions will probably adopt systemd-homed within a few years. A few smaller ones, namely those who already proudly make a point of being systemd-free, will reject it. Those who don't like the idea can use those.

The features and value systemd-homed can add are such that it is very likely that we will see it as a standard way of managing home directories and take it for granted ten years from now. It is simply more practical and a lot more convenient than the way we currently handle home directories on Linux systems.



Anonymous user #1

16 days ago
You can use full disk encryption and have many unique passwords unlocking it. You don't need to have a shared password for the whole family; everyone can have their own machine and login passwords. Just use cryptsetup luksAddKey to add more passwords when needed.

WaiLin

16 days ago
Yes, you can do that, but it is quite pointless. You can make 10 keys for your front door's lock, color-code them and hand them out to family members; you don't have to share one key with your entire family. A potential issue with that is that everyone with a key to the house is free to roam around in any and all rooms once they're in. That is essentially what you get with shared full disk encryption. The disk encryption key is the same for all passwords added with luksAddKey. Giving everyone their unique password doesn't really solve anything.

Anonymous user #2

15 days ago

Having one key to your house doesn't stop a bad person from running up behind and hitting you over the head after you unlock the door.

This doesn't stop attackers from getting access to your home directory if they really want to, they just have to go about it a different way.

The goal should be to protect the WHOLE system, not just the home directory. But that will probably be the next step in the GNU/Linux take over "rootD"

Anonymous user #3

14 days ago

> Change is very scary, so there will be resistance and plenty of it.

That's not why there is resistance!

Anonymous user #3

7 days ago

systemctl mask systemd-homed.service

enjoy a normal home directory

that was so hard