
Inspired by:

You could also mount it (encrypted partition) under /home, but then you will have all user's home directories in one encrypted drive - that means all of them need to know the partition's password to open it on boot.

from: What is the recommended method to encrypt the home directory in Ubuntu 21.04?

which is a statement that suggests that when you have this configuration: an encrypted partition for the main user (/home/encryptedmainuser), and an unencrypted partition for the rest of users, mounted in /home, you need to enter the encrypted partition unlocking password only when the main user is going to log in.

I did exactly that configuration, but when I turn on the computer I have to enter the partition unlocking password before the login screen, so any user has to know the unlocking password for /home/encryptedmainuser_folder.

So, I guess this might be the expected behaviour as /home may need /home/encryptedmainuser to be mounted beforehand. But I am not sure, because of the cited post which seems to imply the opposite.

So, is there any way to have the system, for example, request the unlocking password only when the "main encrypted user" wants to log in?

nvme0n1       259:0    0   1.8T  0 disk  
├─nvme0n1p1   259:1    0 244.1G  0 part  /var/snap/firefox/common/host-hunspell
│                                        /
├─nvme0n1p2   259:2    0 802.6G  0 part  
│ └─cryptHome 253:0    0 802.6G  0 crypt /home/encryptedmainuser
├─nvme0n1p3   259:3    0  52.3G  0 part  [SWAP]
└─nvme0n1p4   259:4    0   764G  0 part  /home

EDIT: the same linked post states:

With these steps Ubuntu will ask you to unlock the partition on every boot, before the login screen for the user.

which seems somewhat contradictory to the previous quote.

EDIT: So, I guess the answer might be in this quote, but I don't know exactly how to do that automatically after the login.

There is no problem to set up the system with a default /home/username directory, and then mount an encrypted partition over it.

In that case, I think I should remove the /etc/crypttab entry so as not to have /home/encryptedmainuser mounted on boot, and somehow add a script that asks for the encrypted partition password after the login, but I don't know how.

Similar question: Mount LUKS encrypted partition at login

Ferroao
  • 959

1 Answer


Comment of Sebastian, above:

The unencrypted user could try to just wait out the timeout, and then log in to their regular home partition

I hadn't realized that waiting for a timeout was a possibility.

Having, for example, 1 encrypted user and 1 normal user, after the timeout the normal user can log in.

If the normal user logs in (first), subsequent attempts by the encrypted user to log in were unsuccessful. I guess the encrypted user can have a successful login only after restarting, to get the unlocking prompt.

So, having seen the login menu after the timeout, I can say that the first quote in the OP is valid, and the answer/workaround is "wait for the timeout" then the normal user can log in.

At some point I disabled auto login for both users, so that might be required.

Ferroao
  • 959
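The question's plan (drop the boot-time prompt and open the partition later) and the answer's "wait for the timeout" both hinge on whether a crypttab entry is activated at boot. The script below is an added example, not code from the question or the answer: it reads crypttab lines and reports which targets will prompt before the login screen. The crypttab contents and UUIDs are constructed placeholders modelled on the cryptHome device in the lsblk output; the field layout and the noauto/timeout options are as documented in crypttab(5).

```shell
#!/bin/sh
# Added example, not code from the question or the answer: report which
# /etc/crypttab entries are activated at boot (passphrase prompt before the
# login screen) and which are deferred with "noauto". Field layout per
# crypttab(5): <target> <source> <keyfile> <options>.
# Constructed sample modelled on the cryptHome device in the lsblk output;
# the UUIDs are placeholders, not values from the page.
SAMPLE_CRYPTTAB='# target      source                                     keyfile  options
cryptHome     UUID=00000000-0000-0000-0000-000000000000  none     luks,discard
cryptData     UUID=11111111-1111-1111-1111-111111111111  none     luks,noauto
cryptScratch  /dev/nvme0n1p5                             none     luks,timeout=30'

# Print one line per entry: "<target> <at-boot|deferred> <timeout|->".
#   at-boot  : systemd-cryptsetup opens it during boot and asks for the
#              passphrase before any user can log in
#   deferred : "noauto" is set, so nothing touches it at boot; something
#              (a manual cryptsetup open, a post-login hook) must open it later
classify_crypttab() {
    printf '%s\n' "$1" | while read -r target _source _keyfile opts _rest; do
        case "$target" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        when=at-boot
        timeout=-
        old_ifs=$IFS
        IFS=,
        for opt in $opts; do                           # options are comma-separated
            case "$opt" in
                noauto)    when=deferred ;;
                timeout=*) timeout=${opt#timeout=} ;;
            esac
        done
        IFS=$old_ifs
        printf '%s %s %s\n' "$target" "$when" "$timeout"
    done
}

# Only the targets whose prompt will appear before the login screen.
boot_prompting_targets() {
    classify_crypttab "$1" | awk '$2 == "at-boot" { print $1 }'
}

classify_crypttab "$SAMPLE_CRYPTTAB"
```

Marking the entry noauto keeps the mapping name for a later manual `cryptsetup open` while removing the boot-time prompt; the matching fstab line for /home/encryptedmainuser then needs noauto (or nofail) too, otherwise the mount is still attempted at boot.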