Bug 757496

Summary: encrypted /home partition should be decrypted at user login
Product: [Fedora] Fedora Reporter: Alexander van Loon <a.vanloon>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 16CC: anaconda-maint-list, jonathan, seansmith, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-28 20:10:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Alexander van Loon 2011-11-27 13:37:19 UTC
Description of problem:

When I did a fresh installation of F16 I noticed that anaconda offers an option to encrypt not only the system but also specific partitions. Because only my home directory might contain material worth encrypting I decided to order anaconda to encrypt the partition with /home. After proceeding anaconda asked me the following question:

'Choose a passphrase for the encrypted device. You will be prompted for this passphrase during system boot.'

I remember using Kubuntu with an encrypted /home partition. It didn't require me to give a passphrase each time I booted the system, if I'm correct it would decrypt the /home partition when I logged in with my user.

Why can't Fedora do that too? It seems very tedious to give a passphrase every time you boot the system and then give your password to log in with your user account.

After reading this critical article – http://www.linuxbsdos.com/2011/05/09/home-directory-and-full-disk-encryption-in-ubuntu-11-04/ – on how Ubuntu deals with encryption I understand why Fedora does this, but I still think that merely encrypting the home directory is a good compromise between security and ease of use.

Comment 1 Brian Lane 2011-11-28 20:10:19 UTC
/home is shared between multiple users. Some of whom you may not want to give the passphrase to. Mounting /home is a system task, not something that happens per-user login, so it makes sense to prompt for its passphrase while booting.

Comment 2 Sean Smith 2011-12-02 19:51:48 UTC
I believe that this https://help.ubuntu.com/community/EncryptedHome is the behavior that is being requested.  I, too, would like to see this as an option.

Comment 3 Alexander van Loon 2011-12-03 12:19:41 UTC
Yes Sean, that's exactly what I requested intially. But after reading the link I provided in my initial comment I would totally understand if the Fedora developers wouldn't want to implement it, because it's not secure enough.