On 28/11/2023 18:12, Pocket wrote:
Not really looking to encrypt the whole file system. As another project
I want to try making the root filesystem mostly read only.
You may mount a partition encrypted using LUKS2 by providing a
passphrase during initrd stage. It should be more straightforward.
Fscrypt is necessary to allow different secrets for different
directories, e.g. per user ones.
If you are going to create a portable home directory for a specific
user then you may face a number of issues. *Login* protector is stored
in /.fscrypt, not on the mounted partition, see the fscrypt README.md
file.
Not sure if that is entirely the case, as my above method seems to be
working
*Login* protector used by pam_fscrypt is a different case.