BLU Discuss list archive



[Discuss] SUMMARY: Encrypt /home and allow unattended boot?



Thanks to everyone who advised me on how to encrypt my /home partition
but still boot the machine unattended (i.e., not having to enter a
decryption password until after boot). Here's a summary of what I
wound up doing.

First, I experimented with cryptmount (recommended in this list), which
is a tool to create an encrypted filesystem in a user-owned
directory. For testing, I ran cryptmount-setup and created a 4 GB
file-backed partition, ~/crypt, using all the default options, and
moved about 1 GB of files into it. Super-easy. The setup worked
reliably for a few days and then ran into a serious problem....

One of my virtual machines (using VMware Workstation Pro 15) runs MS
Windows and Quicken, and my Quicken files were in ~/crypt. I left
Quicken open and suspended the VM to run a whole-computer backup with
rsync. (I've done this for years on a non-encrypted filesystem without
a problem.)  When I resumed the VM, the Quicken display was borked,
and Quicken reported that one of its files was corrupted. This problem
was 100% repeatable. So, I gave up on using cryptmount in this way.

Next, I discovered a fantastic tutorial on how to do full-disk
encryption and still boot unattended, sort of. It shows how to set up
a mini SSH server that activates during the boot process, but before
the console prompt to unlock the machine. So, you can SSH in and
remotely unlock your machine to let it finish booting:

  https://hamy.io/post/0005/remote-unlocking-of-luks-encrypted-root-in-ubuntu-debian/

I created a fresh Ubuntu VM for testing and tried this method, and it
works perfectly.

So, I plan to use full-disk encryption and allow remote unlocking via
SSH by public key.

Thank you particularly to Dan Ritter, Jerry Feldman, and Rich Pieri
for your help.

--
Dan Barrett
dbarrett at blazemonger.com