systemd-homed is a new and fundamentally different way of handling home directories on Linux. The idea is to make each users home directory a self-contained (encrypted) container with all user-related configuration files unified into 1 file. This make migration between, say, 2 laptop machines real easy on the system level. It was first announced at the "All Systems Go" conference in Berlin in September, 2019. It was merged into the systemd source tree in January 2020 and it will be included in systemd version 245.
Lennart Poettering Presents Systemd-Homed At All Systems Go
Lennart Poettering explaining the ideas behind systemd-homed at the All Systems Go conference in Berlin in September, 2019.
systemd-homed is developed in a separate git tree at github.com/poettering/systemd/tree/homed. That tree was merged into the mainline systemd repository late January 2020 with a large pull of more than 20k lines of code.
systemd-homed will be available in systemd 245 when it is released (there is no set date or timeline for its release).
systemd-homed is centered around encrypted home directory containers which can, in principle, be easily moved from one machine to another. The container password will, in configurations using systemd-homed, also be the user login password.
All user-specific records are stored within a JSON formatted file called
~/.identity which is cryptographically signed with a key out of the users control. The idea is to have a file with system-managed settings within the home directory. A lot of user-related records are currently stored outside the home directory in a number of different places, mostly within
/etc/. systemd-homed aims to consolidate all the different user-related settings within
Encrypted Home Directory Containers
systemd-homed will support two kinds of encrypted home directories: fscrypt encrypted and LUKS encrypted.
Users will be able to make USB sticks with LUKS encrypted home directory containers and have all files and system-allowed settings available when they plug it into a new machine. The way
~/.identity is cryptographically signed by host systems ensures that a you can't just show up and claim to have
systemd-homed supports a complete unmount of encrypted home directories when a machine suspends to RAM. This is specially useful for laptop computers who are typically configured to either suspend or hibernate when the laptop lid is closed. Hibernating to disk will remove the encryption key from memory. Suspending to RAM keeps the encryption key in RAM - which makes cold boot attacks a very real security issue. The current obvious solution to that problem is to suspend to disk not RAM.
Unencrypted home directories are also supported. Plain locally stored unencrypted home directories will be named
username.homedir on disk when they are not in use. Directories are renamed to
username upon login.
Remote CIFS directories are also supported. Local
~/.identity will, in CIFS setups, have to specify the information necessary to mount the remote home directory when a user logs in.
The systemd-homed utility
homectl is used to interface with the
systemd-homed.service to create, remove, change or inspect home directories
homectl does not manage "classic" UNIX accounts,
useradd should be used for that purpose.
homectl create command can be used to set limits on newly created user accounts. It supports options like
--disk-size= to limit a home directories disk quota,
--tasks-max to limit the number of processes and many other options.
userdbctl is used to inspect the systems users, groups and group memberships
Pitfalls and Problems
Linux assigns UIDs in the order usernames are registered on a machine.
you may get UID
1000 if you are the first user on a laptop and
you could get
1001 on another laptop if you are the second user to be registered there. This poses a problem if you move a home directory container from machine A where you're UID
1000 to machine B where you are
1001. systemd-homed solves this by doing a
chown -R on the entire home directory if there is a conflict. This is a problem if you use groups or run daemons setup to run as different users within your home directory for some reason. Moving a home directory with lots of users and groups from one machine to another would already be problematic for other reasons and very few will have setups like that in moving containers. It is just something to keep in mind in case you feel compelled to or have setup something which will break if a
chown -R is imposed on your home directory.
systemd-homed is managed by
systemd-homed.service and a
pam_systemd_home which notifies systemd-homed when a user logs in or out.
Initial documentation for systemd-homed is available at systemd/docs/HOME_DIRECTORY.md.