Userdata Encryption
Gardenhouse allows two ways of encrypting user data:
- Full USERDATA encryption - Encrypt the full USERDATA partition
- Per-user home encryption - Encrypt each user's home directory with the user's password
USERDATA
This method allows for decryption with clevis, which provides
automatic TPM2 decryption. The entire mutable part of Gardenhouse is
encrypted; this includes /var, /etc and /home.
No extra configuration is required in the Gardenhouse profile to
enable this, except for clevis decryption, in which case
clevis will have to be installed.
Gardenhouse will automatically discover and decrypt the LUKS volume
with label USERDATA. It may be generated with the following
command:
root # cryptsetup luksFormat --label USERDATA /dev/<disk>
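The following script is an added example, not Gardenhouse's own tooling. It carries the labelled-volume step above through to the clevis TPM2 binding the section mentions: format the volume with the USERDATA label, confirm the label that Gardenhouse's discovery relies on, then bind a TPM2 keyslot. The PCR selection (default PCR 7) and the use of LUKS2 (cryptsetup's default) are assumptions; the page does not specify a PCR policy. The original passphrase keyslot is deliberately left in place as the recovery path, since a TPM2 slot bound to PCRs stops unsealing after firmware or bootloader changes.

```shell
#!/bin/sh
# Added example (not Gardenhouse code). Assumes cryptsetup, clevis and a TPM2.
# DEV is a placeholder such as /dev/<disk>; nothing runs unless a device is given.

# Validate a clevis tpm2 "pcr_ids" list: comma-separated integers in 0..23,
# with no empty entries (e.g. "7", "0,2,7").
valid_pcr_list() {
    list=$1
    [ -n "$list" ] || return 1
    case $list in
        *,|,*|*,,*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for pcr in $list; do
        case $pcr in
            ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
        esac
        if [ "$pcr" -gt 23 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Build the JSON pin configuration clevis expects for the tpm2 pin.
tpm2_pin_config() {
    valid_pcr_list "$1" || return 1
    printf '{"pcr_ids":"%s"}' "$1"
}

# Step 1: create the LUKS volume with the label Gardenhouse discovers at boot.
format_userdata() {
    cryptsetup luksFormat --label USERDATA "$1"
}

# Step 2: confirm the label before relying on automatic discovery.
verify_userdata_label() {
    [ "$(blkid -s LABEL -o value "$1")" = "USERDATA" ]
}

# Step 3: add a TPM2-bound keyslot. The passphrase slot created in step 1 is
# kept: PCR values change on firmware/bootloader updates, and the passphrase
# is then the only way back into USERDATA.
bind_tpm2() {
    dev=$1; pcrs=${2:-7}
    cfg=$(tpm2_pin_config "$pcrs") || { echo "bad PCR list: $pcrs" >&2; return 1; }
    clevis luks bind -d "$dev" tpm2 "$cfg"
    clevis luks list -d "$dev"
}

# Usage (as root): sh userdata-setup.sh /dev/<disk> [pcr_ids]
if [ "$#" -ge 1 ]; then
    format_userdata "$1" && verify_userdata_label "$1" && bind_tpm2 "$1" "${2:-7}"
fi
```

Binding to PCR 7 ties the keyslot to the Secure Boot policy state; a wider PCR set (for example adding 0 and 2) also covers firmware code, at the cost of more frequent re-binding after updates.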
Home
This method uses gocryptfs and pam_mount to mount
/home/<user>.crypt on login, and unmount it on
logout.
To enable it, the global homecrypt USE flag should be
set. A gocryptfs volume can then be created by running:
root # homecrypt_adduser <username>
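As an added example (not part of Gardenhouse or the homecrypt tooling), the script below checks the state a per-user home volume is expected to be in after homecrypt_adduser has run: the volume directory /home/<user>.crypt exists and carries a gocryptfs.conf header, the plaintext home is mounted by pam_mount as a fuse.gocryptfs filesystem while the user is logged in, and nothing is written to the unmounted plaintext path while the user is logged out. The gocryptfs.conf file name and the fuse.gocryptfs mount type are gocryptfs conventions; that the plaintext mountpoint is /home/<user> is an assumption, and the base directory is a parameter so the checks can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not Gardenhouse code). Verifies a homecrypt user's volume.
# HOME_BASE defaults to /home; pass another base directory to test offline.

# A gocryptfs volume directory carries its header in gocryptfs.conf.
has_crypt_volume() {
    base=$1; user=$2
    [ -f "$base/$user.crypt/gocryptfs.conf" ]
}

# While the user is logged out the plaintext mountpoint must be empty (or
# absent); files there would be living outside the encrypted volume.
plaintext_home_is_empty() {
    base=$1; user=$2
    dir="$base/$user"
    [ ! -d "$dir" ] && return 0
    [ -z "$(ls -A "$dir")" ]
}

# While logged in, pam_mount is expected to have mounted the volume as a
# FUSE gocryptfs filesystem on the plaintext home (assumed /home/<user>).
home_is_mounted_gocryptfs() {
    findmnt -n -t fuse.gocryptfs -o TARGET "/home/$1" >/dev/null 2>&1
}

# Report the state of one user; returns non-zero on a misconfiguration.
check_user() {
    user=$1; base=${2:-/home}
    if ! has_crypt_volume "$base" "$user"; then
        echo "$user: no gocryptfs volume at $base/$user.crypt (run homecrypt_adduser)"
        return 1
    fi
    if home_is_mounted_gocryptfs "$user"; then
        echo "$user: home is mounted (fuse.gocryptfs)"
    elif plaintext_home_is_empty "$base" "$user"; then
        echo "$user: logged out, plaintext home is empty"
    else
        echo "$user: WARNING plaintext files present in $base/$user while the volume is unmounted"
        return 1
    fi
}

# Usage: sh homecrypt-check.sh <username> [home_base]
if [ "$#" -ge 1 ]; then
    check_user "$1" "${2:-/home}"
fi
```

The third check is the one worth scheduling: a service that starts before login, or a user-level process that survives logout, can leave plaintext in /home/<user> without anything failing visibly.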