Encryption and integrity checking just for /home

Hi everyone,

I’m new to Manjaro, but have been using GNU/Linux for many years, and would like to use Manjaro as my main system from now on.

I would like to set up a system with / in plaintext and /home in ciphertext , encrypted and its integrity checked.

I’m mainly interested in these:

  1. / in plaintext due to performance concerns as I’m using relatively poor hardware. I would also be fine about a clean reinstall (from a trusted installation medium) preserving /home in case my computer is physically accessed by someone I don’t trust.
  2. Encrypted /home (via block devices, stacked filesystems or anything feasible)
  3. Integrity checks for /home .
  4. Portability between various GNU/Linux distributions and across various machines.
    I would like use Manjaro as my main distro , but still be able to mount Manjaro’s /home in other distributions too (I’m planning to keep the bulk of my data in Manjaro’s /home)
  5. High resilience to failures and power outages (which are common here, and I don’t have a UPS).
  6. I do not trust encryption provided by hard disk vendors (as it is generally closed-source, non-portable and may possibly contain backdoors).
  7. Supports resizing with negligible chances of data loss.
  8. High performance and low power consumption even on relatively poor hardware.

I’ve found the following options from Data-at-rest encryption - ArchWiki and many other places:

  1. Encrypt a partition with LUKS , then set up a BTRFS filesystem on top (for integrity checks).
  2. Use gocryptfs. (I don’t know how to automount /home with this)
  3. Use ZFS (I would like to avoid this, due to its relative instability and its licensing).
  4. Use systemd-homed (I would like to avoid this, due to its dependence on systemd and as it is not portable to MX/antiX systems using sysvinit).

I would like to set it up preferably with Manjaro’s GUI installer, or else using the command line.

I would also like to set up autologin along with /home encryption (so that I have to type my password only once).

Please guide me on the most appropriate method(s) for this, and please correct my shortcomings.

I have read related posts on this forum, and have understood that my problem is different from these (though I got many useful tips while reading them):

Solution: Don’t use encryption!

:man_shrugging:

If you don’t really have to have your entire /home encrypted, my experience (on a fairly slow machine) might be of use to you.

I use Veracrypt (from repositories) to encode archives of sensitive info, and leave /home unencrypted for speed. I keep the Veracrypt archives in my ~/Documents and back them up regularly in case the archive is corrupted (which happens rarely in my experience, as if the system crashes, the opened archive is not corrupted). Veracrypt mounts the archives as needed (my preference), or you can automount them. It is reasonably fast to access their contents. I have never tried to resize archives; I just make a new one that’s larger or smaller and copy contents over as necessary.

Hope this helps,

R

1 Like