My laptop isn’t under my supervision most of the time. And I’d hate it if someone were to steal my SSD, or whole laptop even, when I’m not around. Is there a way to encrypt everything, but still keep the device in sleep, and unlock it without much delay? It’s a very slow laptop. So decryption on login isn’t viable, takes too long. While booting up also takes forever, so it needs to be in a “safe” state when simply logged out. Maybe a way that’s decrypt-on-demand?

I’m on Arch with KDE.

    • @[email protected]OP
      22 months ago

      Sounds perfect. I’ll need more sources to understand what it’s doing and how to config it. Thanks!

      • @[email protected]
        22 months ago

        Systemd has a good guide on how to use it https://systemd.io/HOME_DIRECTORY/

        And they also have a guide on migrating a traditional user home to this. Do remember to take backups if going this route https://systemd.io/CONVERTING_TO_HOMED/

        I personally used the arch wiki when I set it up https://wiki.archlinux.org/title/Systemd-homed

        There is not much config.

        I think the command I used for my laptop was:

        homectl create <name> --storage=luks --shell=/usr/bin/fish --member-of=wheel
        

        https://wiki.archlinux.org/title/Systemd-homed#Creation

        Gnome is working on a gui for this, but it will probably be a while until that is out. I feel like it is pretty safe to use the cli for this one.

        • @[email protected]OP
          22 months ago

          Okay I just had a bit of free time to test it: doesn’t work… if I log out or sleep, my home dir is still mounted. Meaning it’s as good as nothing. Looked at the plasma fix, didn’t work. I have a pretty good lead, that I need the topmost template from some wiki:

          [Unit]
          PartOf=graphical-session.target
          

          Problem is, where in the world should I write this? I really don’t expect you to know, but maybe I’m talking to a genius. The internet didn’t help, or I used it wrong.

          • @[email protected]
            12 months ago

            The template is supposed to be something that you put in your own systemd services. plasma-kwin_x11.service and plasma-kwin_wayland.service both already have it.

            If I have to guess, it is probably a bug that will get fixed sometime in the future, meaning this is not a viable solution until then. Sorry for that.

            Just as a last bit of troubleshooting, check if cat ~/.config/startkderc shows systemBoot = true. If it does not, run kwriteconfig6 --file startkderc --group General --key systemdBoot true. I doubt this will change much, but still worth trying.

            If I get some free time, I will do some testing and let you know here

            • @[email protected]OP
              22 months ago

              cat ~/.config/startkderc returns systemdBoot=true. I’m guessing you made a typo and this is correct. In this case I guess it just doesn’t work on KDE, my next idea is LUKS on /home and hibernating instead of sleeping. Or I always wanted to try a tiling window manager… hm

              • @[email protected]
                22 months ago

                systemdBoot is supposed to be true, not a typo. But yeah, I don’t use plasma much so I don’t really know how to solve the issue… Sorry for that!

                • @[email protected]OP
                  22 months ago

                  No problem, thanks for the help. Also, I got news that I don’t have to trust anyone with my laptop, I can keep it by my side after all. Still, it’s a security measure that I didn’t solve in time. Fun fact: LUKS on /home only breaks KDE. I really don’t want to give up KDE tho, I put on sway, realised that I needed to memorise console commands to change my fking volumes, so no thank you. I got spoiled by sweet UIs. It’s so comfortable that everything is at one place.

        • @[email protected]OP
          2 months ago

          Hehe, Thank you. But by the time I’m reading this I’ve already done it. Got stuck on a couple of roadblocks, but figured it out. I got scared when I didn’t “enable” the service just “start” it. I’m not safe(-ish enough). :D

          edit: well not the plasma fix. wiki said if it’s a problem I need to start something, and that something should be on by default. So I didn’t do anything, maybe that’s a problem
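
The thread reports that the home directory is still mounted after logout. The following is an added example, not code from any poster or from systemd, for checking that state from another account (for example root on a TTY) once the user has logged out. It assumes the home is mounted at /home/<user> and that a LUKS-backed homed volume appears as a /dev/mapper/ device; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report whether a user's home is still mounted after logout.
# Assumptions: home lives at /home/<user>; a LUKS-backed home shows up as a
# /dev/mapper/* source in the mount table.

# home_mount_source USER [MOUNTS_FILE]
# Prints the device backing /home/USER and returns 0 if it is a mount point,
# returns non-zero if nothing is mounted there.
home_mount_source() (
    mounts=${2:-/proc/mounts}
    awk -v mp="/home/$1" '
        $2 == mp { src = $1; found = 1 }   # last match is the topmost mount
        END { if (found) print src; exit !found }
    ' "$mounts"
)

# home_exposure USER [MOUNTS_FILE]
# Prints one of:
#   unmounted  no separate mount at /home/USER (volume is deactivated)
#   unlocked   a device-mapper volume is mounted, so files are readable
#   not-luks   mounted from a device that is not a device-mapper mapping
home_exposure() (
    if src=$(home_mount_source "$@"); then
        case $src in
            /dev/mapper/*) echo "unlocked" ;;
            *)             echo "not-luks" ;;
        esac
    else
        echo "unmounted"
    fi
)

# Usage: ./home-exposure.sh <user>   (defaults to the current user)
home_exposure "${1:-$(id -un)}"
```

If this prints `unlocked` for a user with no open session, something belonging to that user is still running and keeping the volume active.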