
[ale] semi OT: systemd-homed

On Thu, Apr 30, 2020 at 02:59:44PM -0400, Boris Borisov via Ale wrote:
> https://www.techrepublic.com/article/linux-home-directory-management-is-about-to-undergo-major-change/

It provides a good alternative to full-disk encryption, and makes 
home directories fully portable from one system to another.  (Assuming 
nothing hardcodes absolute paths, heh..)  Each user's homedir becomes 
its own encrypted filesystem, accessible only to them, and not even the 
local admins.  That is both good and bad; it depends on the use case and 
trust model.

(Worth mentioning that LUKS can have parallel admin/fallback keys, so 
 it's really up to how the admins set things up.  The same caveats apply 
 to systemd-homed too..)

So it's a good option to have for single-user systems or multi-user 
systems that are accessed via a "local" login (i.e. on the console or via 
the likes of full remote sessions à la VNC).  That, I suspect, encompasses 
the overwhelming majority of "workstation/desktop" types of use cases.

Consider the UI implications of using encrypted storage; the current 
model presents an all-or-nothing approach, and requires a password or 
other token (which can be the built-in TPM) to be physically present at 
boot. This new approach allows the base system to be [un]encrypted 
independently of the user data, and also prevents any given user from 
being able to decrypt any other user's data.

Where systemd-homed falls down is on systems/accounts that are accessed 
primarily via ssh (and authenticated via ssh keys) -- i.e. most server-ish 
use cases.  So it's not some universal panacea.

 - Solomon
Solomon Peachy			      pizza at shaftnet dot org (email&xmpp)
                                      @pizza:shaftnet dot org   (matrix)
High Springs, FL                      speachy (freenode)