Converting Existing Users to systemd-homed
23 comments
August 3, 2025 · WCSTombs
ocdtrekkie
Based on... a web search: https://wiki.archlinux.org/title/Systemd-homed
The big thing appears to be moving the user metadata into the home directory itself rather than it being around the system, and enabling home folder encryption, which has been like... a single button press feature on Windows since like Windows XP. Sounds like a step forward.
yjftsjthsd-h
I'm slightly confused. I understand the appeal to putting user configuration inside the home directory, and I definitely approve of encrypting each home directory individually, but doesn't doing both of them together mean that you can't read the user data until it's been decrypted?
0xCMP
The encrypted volume has an encrypted copy of the `~/.identity` file in its metadata fields.
The same key which encrypts the volume decrypts the metadata, but they use different IVs.
You could assume that on most systems the key would be secured with the TPM, so this won't be much of a big deal to the user, but otherwise when they try to log in it would prompt for this password first.
themafia
The continued pathology of systemd.
Because you can't use D-Bus for this (it isn't available early enough, relies on user accounts, and can't enumerate large sets of objects with optional filtering), they had to create and invoke the completely separate "Varlink", which is _closer_ to the traditional Unix/Plan9 service model without actually achieving it meaningfully.
The infamous part of d-bus, that it helps inject arbitrary binary payloads into existing text protocols, is now reversed in varlink, it takes what should be arbitrary binary payloads (user records, certificates, etc..) and instead forces you to manage them as JSON objects. Signing and conveying signatures for this object are predictably painful.
"The signature section contains one or more cryptographic signatures of a reduced version of the user record. This is used to ensure that only user records defined by a specific source are accepted on a system, by validating the signature against the set of locally accepted signature public keys. The signature is calculated from the JSON user record with all sections removed, except for regular, privileged, perMachine. Specifically, binding, status, signature itself and secret are removed first and thus not covered by the signature. This section is optional, and is only used when cryptographic validation of user records is required (as it is by systemd-homed.service for example)."
This all seems very brittle and I don't see the kinds of testing that would project confidence in this system. Good luck to all who use this and trust it.
sgarland
I don’t understand the obsession with systemd managing everything. I do not want it to manage my logs, NTP, DNS resolution, and I sure as hell don’t want it to manage /home.
bluGill
I want something to manage home though. I shouldn't be unable to access my files just because I'm on a different computer from last time.
I'm not sure if that is what it does, but I think that is a goal.
strawhatguy
Manage it do what now? Copy files between computers? Like rsync?
Or… like iCloud? No on that last one, having Linux require some server seems to defeat the point. Why not a Mac then?
bluGill
I don't want to think about it, just log in and everything is there where and as I left it. I had this in college in the early 1990s with YP and NFS. However, setting that up is hard on a dedicated network. Getting it to work with a laptop which might not even be connected to a network (as happened to me last night on Amtrak in the middle of nowhere, North Dakota)
strawhatguy
Yeah big nope on this. Needs to be separate, if it’s useful at all, not systemd “separate”.
I don’t run systemd at all, to be safe.
aryonoco
Stay safe!
Meanwhile, I want to be able to mount my home directory on an external drive, and have it shared between systems without UID/GID hell.
And,
Have an encrypted home directory, boot the system, and be able to enter my password with my keyboard which is connected to a Thunderbolt dock during boot. Something which has been possible on Mac and Windows for a decade or two.
Systemd-homed is the ONLY way to achieve these (and many others) in Linux.
Criticisms of systemd just because "it doesn't smell like Unix" are all nice and fine, but they ignore real quality-of-life and security features it provides. If you don't have these use cases, you're welcome to continue to ignore systemd, but some of us actually want these features.
ocdtrekkie
If you come from any other platform, the idea of needing to look up which version of which flavor of Linux you have to find what specific commands you need to use to do basic things looks insane.
systemd has done leaps and bounds for making Linux platforms look reasonably manageable and standardized.
inferiorhuman
> systemd has done leaps and bounds
No it hasn't. For example, going from Raspberry Pi OS to stock Debian I have to be mindful of where NetworkManager is used in place of systemd. I have to be mindful of what version of systemd is being used. Same hassle as before, but now with less POSIX and more binary blobs.
quotemstr
The free software world needed an API for managing system resources. Poettering came along and provided one. It's not perfect, but it solved problems. The resistance to systemd isn't proposing alternative ways of solving these problems. It's instead insisting these problems remain unfixed. Is it any wonder that the anti-systemd camp has become irrelevant?
bluGill
I wouldn't mind the API where it must be different, but all too often he had not-invented-here syndrome and reinvented things that worked great already while fixing what was broken. He also suffers from all-the-world-is-Linux syndrome, and so BSD needs to figure out how to solve the problem from scratch (mostly has not).
Valodim
> Please note that this specification assumes that JSON numbers may cover the full integer range of -2^63 … 2^64-1 without loss of precision (i.e. INT64_MIN … UINT64_MAX). Please read, write and process user records as defined by this specification only with JSON implementations that provide this number range.
Wait, so.. not javascript?
deathanatos
It's not the default, but JS is capable of this. (JavaScript has a big integer type nowadays, and the JSON.parse function's "reviver" parameter I think should be capable of parsing to bigints, but you'd need to specify such a reviver.)
chao-
Interesting catch. Don't many desktop Linux utilities from the GNOME project use JavaScript?
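An added example, not from the thread and not from systemd or any GNOME project, showing the number-range problem quoted above in JavaScript. Plain `JSON.parse` rounds any integer beyond 2^53 to the nearest double, and a reviver cannot recover the digits because it only ever receives the already-rounded `Number` (some newer engines pass the source text to the reviver as well, but this code does not depend on that). The workaround here is to pre-process the text: integer literals outside string literals are rewritten as tagged strings, and the reviver turns those into `BigInt` only when they do not fit a safe `Number`, rejecting anything outside the INT64_MIN..UINT64_MAX range the spec names. The tag prefix and the sample record text are assumptions I constructed; real records are assumed never to contain a NUL character.

```javascript
// Added example, not from the thread or from systemd: parse JSON user
// records without losing 64-bit integers. Assumptions: the NUL-prefixed
// tag never occurs in real record strings; the sample text is constructed.
const TAG = "\u0000int:";
const MAX_SAFE = BigInt(Number.MAX_SAFE_INTEGER);
const MIN_SAFE = BigInt(Number.MIN_SAFE_INTEGER);
const INT64_MIN = -(1n << 63n);      // -2^63, lower bound required by the spec
const UINT64_MAX = (1n << 64n) - 1n; // 2^64-1, upper bound required by the spec
// Sticky regex for a full JSON number token starting exactly at lastIndex.
const JSON_NUMBER = /-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/y;

// Rewrite integer literals (no fraction or exponent) as tagged strings;
// copy string literals and everything else through unchanged.
function tagIntegers(text) {
  let out = "";
  let i = 0;
  while (i < text.length) {
    if (text[i] === '"') {
      let j = i + 1;
      while (j < text.length && text[j] !== '"') {
        if (text[j] === "\\") j++; // skip the escaped character
        j++;
      }
      out += text.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    JSON_NUMBER.lastIndex = i;
    const m = JSON_NUMBER.exec(text);
    if (m !== null) {
      const tok = m[0];
      out += /^-?\d+$/.test(tok) ? JSON.stringify(TAG + tok) : tok;
      i += tok.length;
      continue;
    }
    out += text[i];
    i++;
  }
  return out;
}

// Reviver: tagged strings become BigInt when outside the safe Number
// range, plain Number otherwise; anything outside int64/uint64 is an error.
function reviveInteger(_key, value) {
  if (typeof value !== "string" || !value.startsWith(TAG)) return value;
  const n = BigInt(value.slice(TAG.length));
  if (n < INT64_MIN || n > UINT64_MAX) {
    throw new RangeError(`integer ${n} outside INT64_MIN..UINT64_MAX`);
  }
  return n >= MIN_SAFE && n <= MAX_SAFE ? Number(n) : n;
}

function parseUserRecord(text) {
  return JSON.parse(tagIntegers(text), reviveInteger);
}

// JSON.stringify throws on BigInt, so emit compact JSON by hand with
// BigInt values written as bare digits.
function stringifyUserRecord(value) {
  if (typeof value === "bigint") return value.toString();
  if (Array.isArray(value)) return "[" + value.map(stringifyUserRecord).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.entries(value)
      .map(([k, v]) => JSON.stringify(k) + ":" + stringifyUserRecord(v)).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Constructed record text: diskSize is UINT64_MAX, ts is INT64_MIN, and
// "note" carries digits inside a string that must be left alone.
const SAMPLE = '{"userName":"alice","uid":60001,"diskSize":18446744073709551615,' +
  '"note":"uid 99999999999999999999 in text","ratio":1.5,"ts":-9223372036854775808}';

function demo() {
  const naive = JSON.parse(SAMPLE);        // diskSize silently rounded
  const precise = parseUserRecord(SAMPLE); // diskSize kept as BigInt
  return { naiveDiskSize: naive.diskSize, precise, roundTrip: stringifyUserRecord(precise) };
}

console.log(demo());
```

Mixed `Number`/`BigInt` results are the usual trade-off with this approach: arithmetic between the two types throws, so code consuming such records has to handle both. The round trip back through `stringifyUserRecord` reproduces the original digits, which is what a consumer needs if it intends to re-emit a record that some other implementation will sign or verify.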
aryonoco
For those curious about systemd-homed, LWN had a write-up about a discussion in Fedora about it which provides a good summary of the pros and cons of systemd-homed.
null
> With the advent of systemd-homed it might be desirable to convert an existing, traditional user account to a systemd-homed managed one.
As someone unfamiliar with systemd-homed, I have a very basic question: why would someone want (or not want) to do this?