systemd-homed
systemd-homed is a new and fundamentally different way of handling home directories on Linux. The idea is to make each user's home directory a self-contained (optionally encrypted) container, with all user-related configuration unified into one file. This makes migrating a user between, say, two laptops easy at the system level. It was first announced at the "All Systems Go" conference in Berlin in September 2019, merged into the systemd source tree in January 2020, and will be included in systemd version 245.
Lennart Poettering Presents Systemd-Homed At All Systems Go
Lennart Poettering explaining the ideas behind systemd-homed at the All Systems Go conference in Berlin in September, 2019.
Development
systemd-homed was developed in a separate git tree at github.com/poettering/systemd/tree/homed. That tree was merged into the mainline systemd repository in late January 2020 in a single large pull request of more than 20,000 lines of code.
systemd-homed will be available in systemd 245 when it is released (as of writing there is no set date or timeline for that release).
Features
systemd-homed is centered around encrypted home directory containers which can, in principle, be moved easily from one machine to another. In setups using systemd-homed, the container's password is also the user's login password.
All user-specific records are stored in a JSON-formatted file called ~/.identity, which is cryptographically signed with a key that is not under the user's control. The idea is to keep system-managed settings in a file inside the home directory itself. Today a lot of user-related records are stored outside the home directory in a number of different places, mostly under /etc/. systemd-homed aims to consolidate all of these user-related settings in ~/.identity.
Encrypted Home Directory Containers
systemd-homed will support two kinds of encrypted home directories: fscrypt encrypted and LUKS encrypted.
Users will be able to make USB sticks with LUKS-encrypted home directory containers and have all their files and system-permitted settings available when they plug the stick into a new machine. Because ~/.identity is cryptographically signed by the host system, and that signature is checked against keys the host trusts before the record's settings are honoured, a user cannot simply show up with a home directory and claim to have sudo privileges.
systemd-homed supports completely unmounting an encrypted home directory when the machine suspends to RAM. This is especially useful on laptops, which are typically configured to either suspend or hibernate when the lid is closed. Hibernating to disk powers the machine off and therefore removes the encryption key from memory. Suspending to RAM keeps the encryption key in RAM, which makes cold boot attacks against a suspended laptop a very real security issue. Until now the obvious mitigation has been to hibernate to disk rather than suspend to RAM.
Unencrypted home directories are also supported. A plain, locally stored, unencrypted home directory is named username.homedir on disk while it is not in use and is made available as username when the user logs in.
Remote CIFS home directories are also supported. In a CIFS setup the local ~/.identity has to carry the information needed to mount the remote home directory when the user logs in.
Utilities
The homectl utility is used to talk to systemd-homed.service in order to create, remove, change or inspect home directories[1]. homectl does not manage "classic" UNIX accounts; useradd should still be used for those.
The homectl create command can set resource limits on newly created accounts. It supports options such as --disk-size= to limit the home directory's disk quota and --tasks-max= to limit the number of processes, among many others[1].
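As an added example (not systemd's own code, and not from the original page), the following Python script audits a user record of the kind homed keeps in ~/.identity before a host admits it: it checks the resource limits that homectl create sets and whether the record is signed by a key the host trusts, which is what stops an imported record from simply claiming administrative group membership. The field names (userName, storage, diskSize, tasksMax, memberOf, signature[].key) follow the systemd JSON user record format as the author of this example understands it and should be checked against systemd's own documentation; the records and keys are constructed for the demonstration, and the script does not verify the signature cryptographically, only that the signing key is in the trusted set.

```python
import json

# Assumed field names, modelled on systemd's JSON user record format;
# verify against docs/JSON_USER_RECORDS.md in the systemd source tree.
ENCRYPTED_STORAGE = {"luks", "fscrypt"}
ADMIN_GROUPS = {"wheel", "sudo"}

# Constructed host signing keys (placeholders, not real PEM material).
KEY_HOST_A = "constructed-public-key-of-host-A"
KEY_UNKNOWN = "constructed-public-key-of-some-other-host"

# Constructed record of the kind `homectl create alice --storage=luks
# --disk-size=20G --tasks-max=8192` might produce, signed by host A.
GOOD_RECORD = json.dumps({
    "userName": "alice",
    "realName": "Alice Example",
    "homeDirectory": "/home/alice",
    "uid": 1000,
    "gid": 1000,
    "storage": "luks",
    "diskSize": 20 * 2**30,
    "tasksMax": 8192,
    "memberOf": ["wheel"],
    "signature": [{"data": "constructed-signature", "key": KEY_HOST_A}],
})

# Constructed record that claims wheel membership but is unencrypted,
# carries no limits and is signed by a key this host has never seen.
BAD_RECORD = json.dumps({
    "userName": "mallory",
    "homeDirectory": "/home/mallory",
    "uid": 1001,
    "gid": 1001,
    "storage": "directory",
    "memberOf": ["wheel"],
    "signature": [{"data": "constructed-signature", "key": KEY_UNKNOWN}],
})


def parse_record(text):
    """Parse a JSON user record and insist on the fields nothing else can do without."""
    record = json.loads(text)
    for field in ("userName", "uid", "gid", "homeDirectory"):
        if field not in record:
            raise ValueError("user record lacks required field %r" % field)
    return record


def audit_record(record, trusted_keys, max_disk_bytes):
    """Return finding codes, in a fixed order, for a parsed record.

    Only the identity of the signing key is checked here; verifying the
    signature bytes themselves is left to systemd.
    """
    findings = []
    storage = record.get("storage")
    if storage not in ENCRYPTED_STORAGE:
        findings.append("unencrypted-storage:%s" % storage)
    disk = record.get("diskSize")
    if disk is None:
        findings.append("disk-size-missing")
    elif disk > max_disk_bytes:
        findings.append("disk-size-exceeds-quota")
    if record.get("tasksMax") is None:
        findings.append("tasks-max-missing")
    signing_keys = {sig.get("key") for sig in record.get("signature", [])}
    trusted = bool(signing_keys & set(trusted_keys))
    if not trusted:
        findings.append("untrusted-signature")
    # The point of the signature: group membership (and thus sudo) claimed
    # by a record nobody we trust has signed must not be honoured.
    if not trusted and ADMIN_GROUPS & set(record.get("memberOf", [])):
        findings.append("admin-group-without-trusted-signature")
    return findings


if __name__ == "__main__":
    trusted = {KEY_HOST_A}
    for text in (GOOD_RECORD, BAD_RECORD):
        rec = parse_record(text)
        print(rec["userName"], audit_record(rec, trusted, 32 * 2**30) or "ok")
```

Run as a script it reports alice as clean and lists five findings for mallory; the trusted key set stands in for the host keys systemd-homed itself keeps, and the quota argument is whatever the site policy is.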
userdbctl is used to inspect the system's users, groups and group memberships[2].
Pitfalls and Problems
Traditional Linux account tools assign UIDs sequentially, in the order accounts are created on a machine: you may get UID 1000 if you are the first user on one laptop and 1001 on another laptop where you were the second user to be registered. This poses a problem when you move a home directory container from machine A, where your UID is 1000, to machine B, where it is 1001. systemd-homed resolves the conflict by running the equivalent of chown -R over the entire home directory. That is a problem if, for some reason, you rely on other users or groups owning files inside your home directory, for example daemons set up to run as a different user. Moving a home directory with many users and groups from one machine to another would be problematic for other reasons anyway, and very few people keep such setups inside a movable container. It is simply something to keep in mind in case you have set something up that will break if a chown -R is imposed on your home directory.
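As an added example (not code from systemd or from this page), the following Python script performs the check a practitioner would want before moving a container between machines that hand out different UIDs: it scans the home directory for entries not owned by the home's own uid/gid, which are exactly the files a blanket chown -R would silently reassign, and models what ownership looks like afterwards. The ownership table and the uids in it (a rootless container store under a subordinate uid and a hypothetical mail daemon account) are constructed for the demonstration; the scan itself runs against a real directory, and the chown is only simulated, never applied.

```python
import os
import tempfile
from collections import namedtuple

Foreign = namedtuple("Foreign", "path uid gid")


def scan_tree(root):
    """Map every entry below root to its (uid, gid), keyed by path relative to root.

    Entries are lstat'ed and symlinks are not followed, so a link pointing
    outside the home directory cannot pull foreign files into the report.
    """
    owners = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            owners[os.path.relpath(full, root)] = (st.st_uid, st.st_gid)
    return owners


def find_foreign_owners(owners, home_uid, home_gid):
    """Entries not owned by the home directory's own uid/gid.

    These are the files a blanket chown -R hands to the user's new uid when
    the container is activated on a machine where the old uid is taken.
    """
    return [Foreign(path, uid, gid)
            for path, (uid, gid) in sorted(owners.items())
            if (uid, gid) != (home_uid, home_gid)]


def simulate_chown_r(owners, new_uid, new_gid):
    """Model of the recursive chown described above: every entry, whoever
    owned it before, ends up owned by the new uid/gid."""
    return {path: (new_uid, new_gid) for path in owners}


# Constructed ownership table standing in for a scan of /home/alice on
# machine A, where alice is uid 1000. The two foreign entries model a
# rootless container store (subordinate uid 100000) and a hypothetical
# mail daemon running as uid 5000 out of the home directory.
SAMPLE_OWNERS = {
    "Documents": (1000, 1000),
    "Documents/notes.txt": (1000, 1000),
    ".local/share/containers/storage": (1000, 1000),
    ".local/share/containers/storage/overlay/root/etc": (100000, 100000),
    "srv/mail": (1000, 1000),
    "srv/mail/dovecot.index": (5000, 5000),
}


def build_demo_tree():
    """Create a throw-away directory tree and scan it, so that scan_tree is
    exercised against a real file system rather than the constructed table."""
    root = tempfile.mkdtemp(prefix="homed-demo-")
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as fh:
        fh.write("constructed sample\n")
    return scan_tree(root)


if __name__ == "__main__":
    for entry in find_foreign_owners(SAMPLE_OWNERS, 1000, 1000):
        print("would be clobbered by chown -R: %s (uid %d, gid %d)" % entry)
    after = simulate_chown_r(SAMPLE_OWNERS, 1001, 1001)
    print("ownership after migration to uid 1001:", sorted(set(after.values())))
```

To use it on a real home directory, call scan_tree on the directory and pass the result to find_foreign_owners together with the account's uid and gid; a non-empty report is the list of things to fix or accept before letting systemd-homed activate the container under a new UID.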
System Services
systemd-homed consists of systemd-homed.service and the PAM module pam_systemd_home, which notifies systemd-homed when a user logs in or out.
Documentation
Initial documentation for systemd-homed is available at systemd/docs/HOME_DIRECTORY.md.
Footnotes
- [1] man.linuxreviews.org: homectl.1 manual
- [2] man.linuxreviews.org: userdbctl.1