Red Hat Bugzilla – Bug 1438413
Add option to encrypt a user's home directory
Last modified: 2017-11-10 02:24:55 EST
Description of problem: Currently it's only possible to enable full disk encryption when installing Fedora. An option to encrypt only the user's home directory would be helpful for workstations with multiple user accounts. Additional info: A guide how to manually encrypt the home directory in Fedora: https://cloud-ninja.org/2014/04/05/fedora-encrypting-your-home-directory/ How Ubuntu does this: https://www.howtogeek.com/wp-content/uploads/2012/06/ximage83.png.pagespeed.gp+jp+jw+pj+ws+js+rj+rp+rw+ri+cp+md.ic.Q3l_7oXwbw.png
I think I also saw OpenSUSE having this feature. It's worth mentioning because OpenSUSE is also RPM-based and thus similar to Fedora.
This is window-dressing at best.... The security improvements are almost zero. Having an unencrypted / unprotected root partition means data can be exfiltrated easily by any method with root access - including being set up via a live USB image to copy all data that *was* encrypted to an unencrypted location when the user unlocks their home directory. Looks like a good idea on paper (or screenshots), but is useless in providing any type of real protection.
The same is true for full disc encryption though: If someone can boot into a live USB image he could also replace the bootloader so that it sends the password over the internet. Furthermore nobody said this this method can't be used in addition to encrypted /.
Right now you can encrypt your specified partition in custom partitioning or in blivet-gui. That means you have 2 installation methods how to encrypt only your home. This can of course be added to the autopart option too, however, it is really not a priority because it is already doable by other methods. So or so, thanks for the idea we will get back to it in future. Jirka