My laptop isn’t under my supervision most of the time. And I’d hate it if someone were to steal my SSD, or whole laptop even, when I’m not around. Is there a way to encrypt everything, but still keep the device in sleep, and unclock it without much delay. It’s a very slow laptop. So decryption on login isn’t viable, takes too long. While booting up also takes forever, so it needs to be in a “safe” state when simply logged out. Maybe a way that’s decrypt-on-demand?

I’m on Arch with KDE.

    • thepiguy@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      4 months ago

      Systemd has a good guide on how to use it https://systemd.io/HOME_DIRECTORY/

      And they also have a guide on migrating a traditional user home to this. Do remember to take backups if going this route https://systemd.io/CONVERTING_TO_HOMED/

      I personally used the arch wiki when I set it up https://wiki.archlinux.org/title/Systemd-homed

      There is not much config.

      I think the command I used for my laptop was:

      homectl create <name> --storage=luks --shell=/usr/bin/fish --member-of=wheel
      

      https://wiki.archlinux.org/title/Systemd-homed#Creation

      Gnome is working on a gui for this, but it will probably be a while until that is out. I feel like it is pretty safe to use the cli for this one.

      • UnRelatedBurner@sh.itjust.worksOP
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        Okay I just had a bit of freetime to test it: doesn’t work… if I log out or sleep, my home dir is still mounted. Meaning it’s as good as nothing. Looked at the plasma fix, didn’t work. I have a pretty good lead, that I need the topmost template from some wiki:

        [Unit]
        PartOf=graphical-session.target
        

        Problem is, where in the world should I write this? I really don’t expect you to know, but maybe I’m talking to a genius. The internet didn’t help, or I used it wrong.

        • thepiguy@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          4 months ago

          The template is supposed to be something that you put in your own systemd services. plasma-kwin_x11.service and plasma-kwin_wayland.service both already have it.

          If I have to guess, it is probably a bug that will get fixed sometime in the future, meaning this is not a viable solution until then. Sorry for that.

          Just as a last bit of troubleshooting, check if cat ~/.config/startkderc shows systemBoot = true. If it does not, run kwriteconfig6 --file startkderc --group General --key systemdBoot true. I doubt this will change much, but still worth trying.

          If I get some free time, I will do some testing and let you know here

          • UnRelatedBurner@sh.itjust.worksOP
            link
            fedilink
            arrow-up
            2
            ·
            4 months ago

            cat ~/.config/startkderc returns systemdBoot=true. I’m guessing you made a typo and this is correct. In this case I guess it just doesn’t work on KDE, my next idea is LUKS on /home and hibernating instead of sleeping. Or I always wanted to try a tiling window manager… hm

            • thepiguy@lemmy.ml
              link
              fedilink
              arrow-up
              2
              ·
              4 months ago

              systemdBoot is supposed to be true, not a typo. But yeah, I don’t use plasma much so I don’t really know how to solve the issue… Sorry for that!

              • UnRelatedBurner@sh.itjust.worksOP
                link
                fedilink
                arrow-up
                2
                ·
                4 months ago

                No problem, thanks for the help. Also I got news is that I don’t have to trust anyone with my laptop, I can keep it by my side after all. Still it’s a security mesure, that I didn’t solve in time. fun fact: LUKS on /home only breaks KDE. I really don’t want to give up kde tho, I put on sway, realised that I needed to memorise console commands to change my fking volumes, so no thank you. I got spoiled by sweet UIs. it’s so comfortable that everything is at one place.

      • UnRelatedBurner@sh.itjust.worksOP
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        4 months ago

        Hehe, Thank you. But by the time I’m reading this I’ve already done it. Got stuck on a couple or roadblocks, but figured it out. I got scared when I didn’t “enable” the service just “start” it. I’m not safe(-ish enough). :D

        edit: well not the plasma fix. wiki said if it’s a problem I need to start something, and that something should be on by default. So I didn’t do anything, maybe that’s a problem