Encrypted home partition with Leap 16.0

The goal is to have an encrypted home partition (using LUKS), with the OS and swap not being encrypted. Under Leap 15.6 this was easy at install time.

With Leap 16.0, encryption seems to be “all or nothing” i.e. it can be on or off, but cannot be used for some partitions but not others. At least I could not see how to do it.

So I installed without encryption, then created the encrypted partition and changed the /home mount in fstab to the new (encrypted) partition after installation. However, I could not then login at all with KDE, and in console mode I received the error message:

permission denied, logging in with home "/"

I was then logged in, and I could access the /home/user directory fine.

In the end, I re-installed Leap, created a separate encrypted partition and then re-installed mounting the home partition to the previously-created encrypted partition! But having to install twice over seems wrong.

So, my questions are:

  1. Can the goal be achieved with a single installation, rather than the somewhat messy way I did it in the end?

  2. Why was I unable to change the mount location of /home, and why did I get the above error message? I have done this before many times on previous versions of Leap and it’s worked fine. Could this error be something to do with SELinux?

In Leap 16, you need to use Custom Partitioning in the Agama installer: Create / and swap as unencrypted partitions. Create a LUKS-encrypted partition and mount it as /home.

More info:

You shouldn’t just move or encrypt /home after installation because PAM checks the user’s home directory at login. If the encrypted partition wasn’t mounted and unlocked when KDE tried to start the session, login would fail with the error message you described.

If doing it post-install, make sure the LUKS partition is added to /etc/crypttab, mounted at /home before login, and that all user directories have correct ownership.

The LUKS partition was indeed in crypttab and I was prompted for the password at boot. The container /dev/mapper/name was then mounted in fstab at /home - but the problem persisted.

In terms of permissions, /home was 555 and /home/user 700.

AFAIU encrypted /home needs /home itself to be 755 for PAM to handle it correctly.

Try:

sudo chmod 755 /home
sudo chown root:root /home

Then log in again and report back.
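The two replies above list three things that have to line up for a post-install encrypted /home: a crypttab entry so the container is unlocked at boot, an fstab entry that mounts that mapper device at /home, and /home itself at 755 owned by root. As an added example, not code from anyone in this thread, here is a small POSIX shell audit that checks those three points and applies the chmod from the reply. It runs against constructed sample copies of crypttab and fstab (the UUIDs and the mapper name cr_home are placeholders, not values from a real system) and assumes GNU coreutils for `stat -c`; to check a live machine, pass /etc/crypttab, /etc/fstab and /home to `audit` instead, and run the `chown root:root /home` from the reply as root, which the script deliberately does not do.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the three pieces the replies say
# must agree for an encrypted /home mounted after installation:
#   1. /home in fstab is a /dev/mapper/<name> device,
#   2. <name> has an uncommented crypttab line (so it is unlocked at boot),
#   3. the /home directory itself is mode 755.
# Assumes GNU coreutils (stat -c) and awk. Every function takes paths as
# arguments so it can run on the constructed sample files below.

# Constructed sample files standing in for /etc/crypttab, /etc/fstab and /home.
# UUIDs and the mapper name are placeholders, not values from a real system.
make_sample() {
  dir=$(mktemp -d)
  cat > "$dir/crypttab" <<'EOF'
# <name>  <device>                                    <keyfile>  <options>
cr_home   UUID=00000000-0000-0000-0000-000000000000   none       luks
EOF
  cat > "$dir/fstab" <<'EOF'
UUID=11111111-1111-1111-1111-111111111111  /      ext4  defaults  0 1
/dev/mapper/cr_home                          /home  ext4  defaults  0 2
EOF
  mkdir "$dir/home"
  chmod 555 "$dir/home"   # reproduce the mode the OP reported on /home
  printf '%s\n' "$dir"
}

# home_device FSTAB: print the device fstab mounts at /home (empty if none).
home_device() {
  awk '$1 !~ /^#/ && $2 == "/home" { print $1 }' "$1"
}

# mapped_in_crypttab DEVICE CRYPTTAB: succeed only if DEVICE is /dev/mapper/<name>
# and <name> has an uncommented crypttab line.
mapped_in_crypttab() {
  case "$1" in
    /dev/mapper/*) name=${1#/dev/mapper/} ;;
    *) return 1 ;;
  esac
  awk -v n="$name" '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }' "$2"
}

# dir_mode DIR: print the octal permission bits of DIR (GNU stat).
dir_mode() {
  stat -c '%a' "$1"
}

# home_mode_ok DIR: succeed only if DIR has the 755 mode the reply recommends.
home_mode_ok() {
  [ "$(dir_mode "$1")" = "755" ]
}

# fix_home_mode DIR: the chmod from the reply. The matching chown root:root
# needs root and is left to the administrator on a real system.
fix_home_mode() {
  chmod 755 "$1"
}

# audit CRYPTTAB FSTAB HOMEDIR: one line per check; succeed only if all pass.
audit() {
  rc=0
  dev=$(home_device "$2")
  if [ -n "$dev" ] && mapped_in_crypttab "$dev" "$1"; then
    echo "ok   /home is $dev and it has a crypttab mapping"
  else
    echo "FAIL /home device '${dev:-<none>}' has no crypttab mapping"; rc=1
  fi
  if home_mode_ok "$3"; then
    echo "ok   $3 is mode 755"
  else
    echo "FAIL $3 is mode $(dir_mode "$3"), expected 755"; rc=1
  fi
  return $rc
}

# Demo on the constructed files: the first audit fails on the 555 mode,
# the second passes after fix_home_mode.
sample=$(make_sample)
audit "$sample/crypttab" "$sample/fstab" "$sample/home" || true
fix_home_mode "$sample/home"
audit "$sample/crypttab" "$sample/fstab" "$sample/home"
rm -rf "$sample"
```

The crypttab check is the part that explains the reported symptom: if the mapper name in fstab has no crypttab line, nothing unlocks the container before login and /home is an empty, unwritable directory on the root filesystem when PAM looks for the user's home. The mode check covers the second reply; the script reports both so a single run shows which of the two is wrong.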

Thanks. I have already re-installed this particular machine, but next time I do an openSUSE installation I shall try that.