unhinge

joined 9 months ago
[–] [email protected] 16 points 8 months ago (4 children)

Assuming you want:

  1. Single password prompt instead of auto-decrypt with tpm
  2. User's files to be encrypted

There are several ways to achieve this:

  1. autologin (recommended for a single-user system): / is encrypted using luks or zfs native encryption and the user's home needs to be unencrypted. The user's password may be the same as the encryption password for convenience, though they are still two passwords used for different purposes.

  2. pam mount: / is unencrypted or auto-decrypted and the user's home is encrypted independently from / using zfs, luks, fscrypt, etc. In this case, the user's login password must be the same as the user's home encryption password. It's suitable for a multi-user system. NOTE: It cannot be used with autologin since the user's home needs to be decrypted to log in.

WARNING: For tpm usage, using secure boot is highly recommended to prevent an unauthorized user from accessing the key stored in the tpm.

To prevent auto-decrypt with tpm, tpm-pin can be used (with autologin for requirement #1).

  1. systemd-cryptenroll with/without tpm: As far as I know it can only be used to unlock disks encrypted with luks2. It can be used without tpm with a pkcs11-token (e.g. YubiKey) or fido2-device. It also uses parameter encryption while the key is unsealed, so it is safe from key sniffing via the communication bus. This is easy if secure boot is enabled and luks2 is used for encryption.

  2. clevis with tpm: It can be used in place of systemd-cryptenroll. May be used with zfs native encryption. Though I'm not sure if it uses parameter encryption (correct me).

  3. unencrypted keyfile on usb: Not sure about zfs, but you can use keyfile on a usb drive to decrypt luks containers.


NOTE: I'm not a forensic/security expert. I listed a brief overview of the methods I could think of to keep the user's files encrypted while providing a single password till login.
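The comment above recommends tpm-pin over plain TPM auto-decrypt and Secure Boot alongside any TPM use. The script below is an added example, not code from the thread: it audits the JSON metadata of a LUKS2 header (the shape `cryptsetup luksDump --dump-json-metadata` prints) and reports systemd-cryptenroll TPM2 tokens that unlock without a PIN or that do not bind PCR 7 (the Secure Boot policy PCR). The sample header is constructed inline, and the `systemd-tpm2` token field names (`tpm2-pcrs`, `tpm2-pin`) are an assumption about what systemd-cryptenroll writes.

```python
import json

# Constructed sample shaped like `cryptsetup luksDump --dump-json-metadata` output.
# Assumption: systemd-cryptenroll writes tokens of type "systemd-tpm2" carrying
# "tpm2-pcrs" and "tpm2-pin"; blob/policy-hash fields are omitted since the audit
# does not read them.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"},
                 "2": {"type": "luks2"}, "3": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"],
              "tpm2-pcrs": [7], "tpm2-pin": True},      # tpm-pin: OK
        "1": {"type": "systemd-tpm2", "keyslots": ["2"],
              "tpm2-pcrs": [0], "tpm2-pin": False},     # auto-decrypt, no PCR 7
        "2": {"type": "systemd-fido2", "keyslots": ["3"]},
    },
})


def audit_luks2_tokens(metadata_json, require_pcr=7):
    """Return (findings, passphrase_slots) for one LUKS2 header's JSON metadata.

    findings: list of (token_id, message) for TPM2 tokens that unlock the volume
    without a user secret or without binding the Secure Boot PCR.
    passphrase_slots: keyslots owned by no token, i.e. plain passphrase slots.
    """
    meta = json.loads(metadata_json)
    findings = []
    claimed = set()
    for tid, tok in meta.get("tokens", {}).items():
        claimed.update(tok.get("keyslots", []))
        if tok.get("type") != "systemd-tpm2":
            continue
        if not tok.get("tpm2-pin", False):
            findings.append((tid, "TPM2 token unlocks without a PIN (auto-decrypt)"))
        if require_pcr not in tok.get("tpm2-pcrs", []):
            findings.append((tid, f"TPM2 policy does not bind PCR {require_pcr}"))
    passphrase_slots = sorted(set(meta.get("keyslots", {})) - claimed)
    return findings, passphrase_slots


if __name__ == "__main__":
    findings, slots = audit_luks2_tokens(SAMPLE_METADATA)
    for tid, msg in findings:
        print(f"token {tid}: {msg}")
    print("passphrase-only keyslots:", slots)
```

On a real system, feed it `cryptsetup luksDump --dump-json-metadata /dev/sdXN` instead of the constructed sample.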

[–] [email protected] 29 points 9 months ago* (last edited 9 months ago)

Meanwhile kde scattering everything in .config/

Image

[–] [email protected] 1 points 9 months ago

if you happen to find the comparison, could you link it here

[–] [email protected] 3 points 9 months ago

afaik openzfs provides authenticated encryption while luks integrity is marked experimental (as of now in the man page).

openzfs also doesn't reencrypt dedup blocks if dedup is enabled (Tom Caputi's talk), but dedup can just be disabled

[–] [email protected] 4 points 9 months ago (2 children)

that sounds good.

Have you used the luks integrity feature? Though it's marked experimental in the man page

[–] [email protected] 3 points 9 months ago

oh shit I forgot to set up subvolumes

lol

I'm also planning on using its subvolume and snapshot feature. Since zfs also supports native encryption, it'll be easier to manage subvolumes for backups

[–] [email protected] 1 points 9 months ago (1 children)

I won't be using RAID features as of now, and timeshift isn't an issue for me. just an example of my fuckup 😅

I’ve been using luks on btrfs for a couple years now with little issue

What was the issue?
