My laptop isn’t under my supervision most of the time. And I’d hate it if someone were to steal my SSD, or whole laptop even, when I’m not around. Is there a way to encrypt everything, but still keep the device in sleep, and unclock it without much delay. It’s a very slow laptop. So decryption on login isn’t viable, takes too long. While booting up also takes forever, so it needs to be in a “safe” state when simply logged out. Maybe a way that’s decrypt-on-demand?

I’m on Arch with KDE.

  • thepiguy@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    3 months ago

    Systemd has a good guide on how to use it https://systemd.io/HOME_DIRECTORY/

    And they also have a guide on migrating a traditional user home to this. Do remember to take backups if going this route https://systemd.io/CONVERTING_TO_HOMED/

    I personally used the arch wiki when I set it up https://wiki.archlinux.org/title/Systemd-homed

    There is not much config.

    I think the command I used for my laptop was:

    homectl create <name> --storage=luks --shell=/usr/bin/fish --member-of=wheel
    

    https://wiki.archlinux.org/title/Systemd-homed#Creation

    Gnome is working on a gui for this, but it will probably be a while until that is out. I feel like it is pretty safe to use the cli for this one.

    • UnRelatedBurner@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      2
      ·
      2 months ago

      Okay I just had a bit of freetime to test it: doesn’t work… if I log out or sleep, my home dir is still mounted. Meaning it’s as good as nothing. Looked at the plasma fix, didn’t work. I have a pretty good lead, that I need the topmost template from some wiki:

      [Unit]
      PartOf=graphical-session.target
      

      Problem is, where in the world should I write this? I really don’t expect you to know, but maybe I’m talking to a genius. The internet didn’t help, or I used it wrong.

      • thepiguy@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        The template is supposed to be something that you put in your own systemd services. plasma-kwin_x11.service and plasma-kwin_wayland.service both already have it.

        If I have to guess, it is probably a bug that will get fixed sometime in the future, meaning this is not a viable solution until then. Sorry for that.

        Just as a last bit of troubleshooting, check if cat ~/.config/startkderc shows systemBoot = true. If it does not, run kwriteconfig6 --file startkderc --group General --key systemdBoot true. I doubt this will change much, but still worth trying.

        If I get some free time, I will do some testing and let you know here

        • UnRelatedBurner@sh.itjust.worksOP
          link
          fedilink
          arrow-up
          2
          ·
          2 months ago

          cat ~/.config/startkderc returns systemdBoot=true. I’m guessing you made a typo and this is correct. In this case I guess it just doesn’t work on KDE, my next idea is LUKS on /home and hibernating instead of sleeping. Or I always wanted to try a tiling window manager… hm

          • thepiguy@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            2 months ago

            systemdBoot is supposed to be true, not a typo. But yeah, I don’t use plasma much so I don’t really know how to solve the issue… Sorry for that!

            • UnRelatedBurner@sh.itjust.worksOP
              link
              fedilink
              arrow-up
              2
              ·
              2 months ago

              No problem, thanks for the help. Also I got news is that I don’t have to trust anyone with my laptop, I can keep it by my side after all. Still it’s a security mesure, that I didn’t solve in time. fun fact: LUKS on /home only breaks KDE. I really don’t want to give up kde tho, I put on sway, realised that I needed to memorise console commands to change my fking volumes, so no thank you. I got spoiled by sweet UIs. it’s so comfortable that everything is at one place.

    • UnRelatedBurner@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      3 months ago

      Hehe, Thank you. But by the time I’m reading this I’ve already done it. Got stuck on a couple or roadblocks, but figured it out. I got scared when I didn’t “enable” the service just “start” it. I’m not safe(-ish enough). :D

      edit: well not the plasma fix. wiki said if it’s a problem I need to start something, and that something should be on by default. So I didn’t do anything, maybe that’s a problem