On Tue, Dec 3, 2019 at 12:05 AM John M. Harris Jr <johnmh(a)splentity.com> wrote:
> > It's not just an issue for systemd-homed, this problem applies to any
> > user home encryption implementation when the user has not first
> > authenticated/unlocked their user home. e.g. if you install with /home
> > encrypted in Anaconda, in fact your boot stops at plymouth in the
> > initramfs so sshd is thwarted from even starting in the first place;
> > and even if GNOME Shell's login were to be enhanced to do this unlock,
> > still requires unlock.
> That is simply not the case. I don't know what you're referring to with "if
> you install with /home encrypted in Anaconda",
Anaconda custom partitioning has a per mount point encryption option.
I can LUKS encrypt only the volume mounted at /home. And if I do this,
startup is inhibited at a plymouth prompt for a passphrase, the same
as if I check the earlier "encrypt my data" option at Destination
Installation - which is the FDE layout.
sshd doesn't start up until after this. You can't ssh into your system
before user home is unlocked. There is at least a chance of this with
systemd-homed even if it's not yet implemented.
> or why GNOME Shell would have
> anything to ssh, however with Plasma, my desktop environment doesn't have to
> be loaded at all in order for me to ssh in.
That's because you are physically present to type in a passphrase
during boot. And that exposes all user data as plaintext too, in the
FDE case. The only thing protecting user data are discretionary access
controls.
The reason for a full desktop environment stack being available at
LUKS unlock time has to do with various UX problems with the much more
limited initramfs+plymouth environment. This is elaborated on in the
Workstation WG issue I referenced. An open question is to what degree
we run into those same kinds of problems with remote login.
> > Basically you have to choose between user home security (or more
> > specifically privacy) and remote logins. However, there are some ideas
> > that could possibly work around this, to varying degrees of
> > inelegance, which I'll gratuitously copy from a related Workstation WG
> > issue [1].
> You really don't. It's pretty much there by default, and there's not a lot
> that I have to change from a default Plasma install. Doing an Anaconda guided
> LVM full disk encryption setup is sufficient to protect data at rest.
It's a valid argument that when a user is not logged in, their data
should be at rest and encrypted. systemd-homed is one possible way to
address that, not necessarily the only way, but for sure the current
options in the installer don't address it.
--
Chris Murphy
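The ordering the two posters are arguing about (a crypttab entry with no key file is pulled into cryptsetup.target, which sysinit.target and therefore sshd.service wait on; an fstab entry without noauto/nofail is pulled into local-fs.target, which waits on its backing device) can be checked from the two config files alone. The script below is an added example, not code from this thread or from Fedora, Anaconda or systemd. It encodes those two rules from crypttab(5) and systemd-fstab-generator(8) and runs them over constructed sample files: the layout Anaconda's per-mount-point encryption produces, a layout that defers the /home unlock until an administrator has logged in over ssh, and the half-done version of that change. The mapper name luks-home, the zero UUID and the file contents are placeholders, not anything Anaconda writes verbatim.

```python
"""Which LUKS volumes will stop boot (and so sshd) at a passphrase prompt?

Added example; not from the mailing-list thread or from systemd/Anaconda.
Rules modelled (crypttab(5), systemd-fstab-generator(8)):
  * a crypttab entry whose key file is 'none' or '-' and whose options lack
    'noauto' is pulled into cryptsetup.target, which sysinit.target waits for;
    the prompt has no timeout by default, so sshd.service never starts;
  * an fstab entry without 'noauto' or 'nofail' is pulled into local-fs.target,
    so deferring the unlock in crypttab alone leaves a mount whose device
    never appears, and boot times out into emergency mode instead.
All file contents below are constructed samples with placeholder names/UUIDs.
"""

# Constructed: roughly what per-mount-point encryption of /home looks like.
CRYPTTAB_DEFAULT = """\
# name      source-device                               keyfile  options
luks-home   UUID=00000000-0000-0000-0000-000000000000   none     luks
"""
FSTAB_DEFAULT = """\
/dev/mapper/luks-home  /home  ext4  defaults  0 2
"""

# Constructed: unlock deferred so the box reaches sshd first; an admin then runs
#   systemctl start systemd-cryptsetup@luks-home.service && mount /home
# after logging in. Anything that needs /home before that must tolerate its absence.
CRYPTTAB_DEFERRED = """\
luks-home   UUID=00000000-0000-0000-0000-000000000000   none     luks,noauto
"""
FSTAB_DEFERRED = """\
/dev/mapper/luks-home  /home  ext4  defaults,noauto  0 2
"""


def parse_tab(text):
    """Yield whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def crypttab_entries(text):
    """Yield (name, keyfile, option set) per crypttab line."""
    for fields in parse_tab(text):
        keyfile = fields[2] if len(fields) > 2 else "none"
        opts = set(fields[3].split(",")) if len(fields) > 3 else set()
        yield fields[0], keyfile, opts


def fstab_entries(text):
    """Yield (device, mount point, option set) per fstab line."""
    for fields in parse_tab(text):
        opts = set(fields[3].split(",")) if len(fields) > 3 else {"defaults"}
        yield fields[0], fields[1], opts


def boot_prompts(crypttab):
    """Names of volumes that demand an interactive passphrase before sysinit.target."""
    return [name for name, keyfile, opts in crypttab_entries(crypttab)
            if keyfile in ("none", "-") and "noauto" not in opts]


def unsafe_deferred_mounts(crypttab, fstab):
    """Mount points that are 'noauto' in crypttab but still required at boot by fstab."""
    deferred = {name for name, _, opts in crypttab_entries(crypttab) if "noauto" in opts}
    bad = []
    for device, mountpoint, opts in fstab_entries(fstab):
        if not device.startswith("/dev/mapper/"):
            continue
        name = device[len("/dev/mapper/"):]
        if name in deferred and not opts & {"noauto", "nofail"}:
            bad.append(mountpoint)
    return bad


if __name__ == "__main__":
    print("default layout prompts at boot for:", boot_prompts(CRYPTTAB_DEFAULT))
    print("deferred layout prompts at boot for:", boot_prompts(CRYPTTAB_DEFERRED))
    print("crypttab deferred, fstab untouched, would stall on:",
          unsafe_deferred_mounts(CRYPTTAB_DEFERRED, FSTAB_DEFAULT))
    print("both files changed, stalls on:",
          unsafe_deferred_mounts(CRYPTTAB_DEFERRED, FSTAB_DEFERRED))
```

Note what the deferred layout does and does not buy you: sshd is reachable before /home is unlocked, but once an administrator has typed the passphrase every user's home is plaintext for the rest of the uptime, which is exactly the discretionary-access-control-only state Chris describes for FDE. It is a remote-unlock convenience, not per-user data-at-rest protection.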