Encrypted home support?

heipa · February 26, 2020, 6:42am

Hi. Will snaps ever support encrypted homes?

Currently using snaps together with encrypted homes makes a lot of headache because…

it loses the configuration for all users who are not logged in during updates (link),
it is a potential security risk (link)
and it doesn’t work with fscrypt (link).

Are there any plans to overcome this limitations?

jdstrand · February 27, 2020, 6:08pm

@zyga-snapd - do I remember right that you looked at this before? Is there a bug or topic for it?

zyga-snapd · February 28, 2020, 12:26pm

I didn’t find anything that is not already mentioned here.
As for the points by the OP, they are all valid.

There are no plans to overcome this as it would involve a huge overhaul of the refresh process. I think we should raise this topic when planning for the next cycle.

As a small remark, we agreed that eventual solution would involve user session daemon interacting with snapd to complete deferred refreshes but no details were provided. @jamesh is progressing on having snapd user daemon with additional APIs that would eventually allow us to build a solution like this.

heipa · March 2, 2020, 3:46am

Thanks for the answer.

I think encryption is essential and at least in my surrounding everyone is using it.

This gets even more critical as Ubuntu has snaps preinstalled and Chromium for example is exclusively available as a snap. So whenever you enable home encryption you end up with a (more or less) broken system.

Really hope this is taken care of in the next cycle.