
Re: fscrypt a usb drive?




Sent from my iPad

> On Nov 28, 2023, at 7:32 AM, Max Nikulin <manikulin@gmail.com> wrote:
> 
> On 28/11/2023 19:03, Pocket wrote:
>>> On 11/28/23 06:27, Max Nikulin wrote:
>>> 
>>> *Login* protector used by pam_fscrypt is a different case.
>>> 
>> Well I will see about that when the time comes.
>> I have a few ideas that may "fix" that, untested at the present time of course.
> 
> Just a couple of additional notes
> 
>> sudo fscrypt encrypt /home/fscrypt/Encrypted
>> sudo chown -R pocket:pocket /home/fscrypt/Encrypted 
> 
> You should be able to create an encrypted directory as a regular user. With the command above you may face an issue during e.g. an attempt to change the passphrase. Files in /home/fscrypt/.fscrypt belong to root, not to pocket.
> 
> Another way suitable for a new user
> 
>    fscrypt encrypt /home/newhome --user=user
> 
> is documented in https://wiki.archlinux.org/title/Fscrypt
> 
> Concerning lock on logout, I had an idea to use a systemd unit with a command executed after user@.service completion. Unfortunately libpam-fscrypt 0.3.3-1+b6 does not support the `unlock_only` option yet, but `lock_policies` is already the default and a no-op. So there is no way to disable lock on logout. Now I am trying to figure out if
> 
>    systemctl --user exit
> 
> may have negative effects. Some running processes may prevent locking of directories though.
> 

I am doing this project for an encrypted container.
I need to investigate whether or not I can place multiple encrypted directories upon the USB drive, all independent of course. Meaning a separate passphrase for each. Also if they are truly independent.

I will get to your other points after I have finished with this. I haven’t made a big enough mess with this as of now.


