On Mi, 04.12.19 03:12, John M. Harris Jr (johnmh@xxxxxxxxxxxxx) wrote:

> I don't see how redefining "at rest" is useful here. Especially because I
> can't imagine a time where my user isn't logged in in one way or another, or a
> user that has permissions to enter my home directory is logged in. Further,
> when one of their cron jobs runs, or a systemd user service runs, would that
> use a cached key to unlock their home directory?

In systemd-homed cron jobs can't run as long as you aren't logged in. If you are logged in all is good and they run as they traditionally did, but if you aren't logged in then the LUKS volume is locked and there's no password available from cron we could use to unlock the volume.

It's a feature, not a bug, though: systemd-homed gives you much stronger security guarantees: as long as you are present on the device, the device can access the data on your behalf. But as soon as you leave (by logging out or suspending the machine) the data is locked and the keys removed from memory, so that access is logically impossible.

(One thinkable extension of homed's current model, btw, is to support logind lingering by asking for the user pw using plymouth. This would then mean you'd be asked to unlock your user during early boot, as with classic disk encryption, and then it remains unlocked for the entire lifetime of the system. But I am not sure it's worth it; if you are happy with such a much weaker model you might as well use regular full disk encryption and have the home dirs themselves just be plain directories.)

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
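The practical consequence of the model described in the mail above is that any job which runs while the user is logged out finds the home area locked and unmounted. The following is an added example, not code from the mail or from the systemd project: a small POSIX sh guard that a user job can run first, so that it skips cleanly instead of failing half-way through when $HOME is locked. It assumes that `homectl inspect USER` prints a `State:` line and that `active` is the state of an unlocked, mounted home area; the `homectl` output embedded below is constructed sample text (user name `alice`), not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original mail or from systemd): guard a user
# job on a systemd-homed system so that it only touches $HOME while the
# home area is actually unlocked.
#
# Assumption: `homectl inspect USER` prints a field such as
#     "       State: active"
# and "active" means the LUKS volume is open and mounted. Any other state
# (for example "inactive" after logout) means the keys are gone and the
# job must not proceed.

# home_state_from_inspect: read `homectl inspect` output on stdin and print
# the value of its State: field, or "unknown" if no such line is present.
home_state_from_inspect() {
    awk -F': *' '$1 ~ /^[[:space:]]*State$/ { print $2; found = 1; exit }
                 END { if (!found) print "unknown" }'
}

# home_is_active STATE: succeed (0) only when the home area is usable.
home_is_active() {
    [ "$1" = "active" ]
}

# Constructed sample output standing in for `homectl inspect alice` while
# the user is logged in ...
SAMPLE_ACTIVE='   User name: alice
       State: active
 Disposition: regular'

# ... and after logout, when homed has locked the volume again.
SAMPLE_LOCKED='   User name: alice
       State: inactive
 Disposition: regular'

# run_guarded INSPECT_OUTPUT: decide whether the job may run. In real use
# replace the printf with:  homectl inspect "$USER" | home_state_from_inspect
run_guarded() {
    state=$(printf '%s\n' "$1" | home_state_from_inspect)
    if home_is_active "$state"; then
        echo "home area active: running job"
        return 0
    fi
    echo "home area is '$state': skipping job, \$HOME is locked" >&2
    return 75   # EX_TEMPFAIL: let the scheduler retry on a later run
}

# Demonstration with both constructed samples.
run_guarded "$SAMPLE_ACTIVE"
run_guarded "$SAMPLE_LOCKED" || echo "exit status $? as expected"
```

Exiting with a temporary-failure status rather than an error keeps the job's logs free of spurious failures on every unattended run, which is the behaviour a user service under homed should have anyway: the data is unreachable by design until the owner is back at the machine.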