Overview
The Linux Home Encryption Policy (LINUX_HOME_ENCRYPTION_POLICY) allows administrators to manage home directory encryption for specific Linux users as an alternative to full disk encryption. In many Linux environments, enabling full disk encryption requires reinstalling the operating system — home directory encryption provides a targeted, non-disruptive alternative that protects user data at rest.
This policy is available for both BYOD and company-owned devices. The device must not be TPM-enabled.
Supported Platforms
Requirement | Details |
Operating System | Linux |
File System | ext4 only |
Encryption Tool |
|
Device Ownership | Company-owned and BYOD (Non TPM) |
How It Works
The Linux Home Encryption Policy uses fscrypt to encrypt the home directories of specified users. The encryption process follows these rules:
Encryption only runs while the target user is logged out. If a user in the policy's user list is currently logged in, their home directory will not be encrypted during that session. This prevents file corruption from encrypting an active home directory.
Encryption is applied on the next login cycle. When another user logs in and the target user is logged out, the agent encrypts the logged-out user's home directory.
All users are encrypted after a full login cycle. By cycling through logins (e.g., logging in as each user in turn), all specified users' home directories will be encrypted.
Encryption Details
Once encrypted, a user's home directory will report the following fscrypt configuration:
Contents encryption: AES-256-XTS
Filenames encryption: AES-256-CTS
Padding: 32
Policy version: 2
Device Compliance Reporting
When this policy is active, the device will report encryption status back to the Swif console:
Status | Meaning |
| The user's home directory is encrypted via fscrypt |
| The user's home directory is not encrypted |
This status is visible in the device details under MDM Device Info > Encryption.
Policy Configuration
1. Apply to All Users (allUsers)
Property | Value |
Type | Boolean |
Default |
|
Required | No |
Platform | Linux |
Specifies whether to manage home encryption for all users on the device or only for specific users defined in the User List.
true— Home encryption will be managed for all users on the device.false— Home encryption will be managed only for users specified in theuserListfield.
Note: When allUsers is set to true, the userList field is ignored. A dedicated boolean field is used (rather than placing "all" in the user list) to avoid ambiguity in cases where a Linux username is literally "all."
2. User List (userList)
Property | Value |
Type | Array of Strings |
Default | None |
Required | No |
Platform | Linux |
Specifies the Linux usernames whose home directory encryption should be managed by this policy. This field is only used when allUsers is set to false.
Example value:
["john", "jane", "deploy-user"]
Tip: Use the exact Linux username (login name) as it appears in /etc/passwd.
Quick Reference
Field | Display Name | Type | Default |
| Apply to All Users | Boolean |
|
| User List | Array of Strings | — |
Verifying Encryption Status
After the policy has been applied, you can verify whether a user's home directory is encrypted by running:
sudo fscrypt status /home/<username>
If encrypted, the output will show:
"/home/userB" is encrypted with fscrypt.
Policy: <policyId>
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes
Protected with 1 protector:
...
If not encrypted, the output will indicate that no fscrypt policy is applied to the directory.
Known Limitations
Limitation | Details |
Logged-in users cannot be encrypted | Encryption is skipped for any user currently logged in to avoid file corruption. The user must be logged out for encryption to proceed. |
ext4 file systems only | Other Linux file systems (e.g., btrfs, xfs) are not supported. |
ecryptfs is legacy | The older |
TPM-enabled devices | Devices with TPM enabled are not compatible with this policy. For TPM-based full disk encryption, refer to your distribution's documentation. |
Frequently Asked Questions
Q: What happens if allUsers is true and I also provide a userList?
A: The userList is ignored. When allUsers is enabled, encryption management applies to every user on the device.
Q: Why does encryption only run when the user is logged out?
A: Encrypting a home directory while the user is actively logged in could cause data corruption or session instability. The agent waits until the user logs out before performing encryption operations.
Q: Which encryption method is used?
A: This policy uses fscrypt (Linux native file-system-level encryption). The agent verifies encryption status via sudo fscrypt status /home/<username>.
Q: Does this work on non-ext4 file systems?
A: No. Currently only ext4 file systems are supported. Home directories on btrfs, xfs, or other file systems will not be managed.
Q: Why isn't my home directory encrypted even though the policy is assigned?
A: The most common reason is that you are currently logged in. Log out, have another user log in (or restart the device and log in as a different user), and the encryption will be applied to your home directory.
Q: Do I need to reinstall my OS to use this policy?
A: No. Unlike full disk encryption, home directory encryption can be applied to existing installations without reinstalling the operating system.
Q: What happens if I assign an empty user list?
A: No home directories will be encrypted. This effectively disables the policy without removing it.
Q: How do I encrypt all users' home directories?
A: Set allUsers to true.
