Hi! I want to try out fedora workstation in the near future (once 39 is out) and was wondering if systemd-homed is ready for everyday use yet.

I’m a bit paranoid and really need my private data encrypted. However, I don’t think that full disk encryption is practical for my daily use. Therefore I was really looking forward to the encryption possibilities of systemd-homed.

However, after reading up on it, I was a bit discouraged. AFAIK, there’s no option to setup systemd-homed at installation (of fedora). I was an Arch then Manjaro, then Endeavour user for years but don’t have the time/patience anymore to configure major parrts of my system anymore. Also, the documentation doesn’t seem too noob-friendly to me, which also plays into the time/patience argument.

Is it ready? Can anyone seriously recommend it for a lazy ex-Arch user who doesn’t want to break another linux installation?

Thank you in advance. :)

  • wildbus8979@sh.itjust.works
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    1 year ago

    I don’t think you understand the TPM chain, there is absolutely value in validating that the firmware, bootloader, kernel, and initramfs haven’t changed and not decrypt the disk if they have. That’s what the TPM does, it doesn’t just store a key, it calculates it.

    Obviously, the optimal setup is TPM calculation + passphrase, which completely avoids decrypting the drive if some compromise, or modification, happened somewhere in the bootchain, or if the disk is taken out of the computer.

    • michaelrose@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I never suggested there wasn’t value in the TPM for anyone although I think such validation has small value for most folks use case. Normal users are worried about theft of laptop by criminals not spies bugging their machine. I suggested that any configuration without a passphrase was inherently insecure.

      It’s not an “optimal setup” its the only setup that makes even the slightest sense because the alternative configuration can be defeated by a smart 12 year old with access to google.