Overview
The Linux Home Encryption Policy (LINUX_HOME_ENCRYPTION_POLICY) allows administrators to manage home directory encryption for specific Linux users as an alternative to full disk encryption. In many Linux environments, enabling full disk encryption requires reinstalling the operating system; home directory encryption provides a targeted, non-disruptive alternative that protects user data at rest.
This policy is available for both BYOD and company-owned devices. The device must not be TPM-enabled.
Supported Platforms
| Requirement | Details |
| --- | --- |
| Operating System | Linux |
| File System | ext4 only |
| Encryption Tool | fscrypt |
| Device Ownership | Company-owned and BYOD (Non TPM) |
How It Works
The Linux Home Encryption Policy uses fscrypt to encrypt the home directories of specified users. The encryption process follows these rules:
Encryption only runs while the target user is logged out. If a user in the policy's user list is currently logged in, their home directory will not be encrypted during that session. This prevents file corruption from encrypting an active home directory.
Encryption is applied on the next login cycle. When another user logs in and the target user is logged out, the agent encrypts the logged-out user's home directory.
All users are encrypted after a full login cycle. By cycling through logins (e.g., logging in as each user in turn), all specified users' home directories will be encrypted.
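The three rules above can be checked against a device's current sessions. The following is an added example (not the agent's own code): it reads the user names from `who` output, splits the policy's user list into homes that may be encrypted now and homes that must be skipped, and replays a sequence of logins to show why a full login cycle is needed. The `who` output is a constructed sample, and the replay simplifies by assuming only the session owner is logged in during each session.

```python
from __future__ import annotations

# Constructed sample of `who` output on a managed device (illustrative, not captured from a real host).
SAMPLE_WHO_OUTPUT = """\
userA    tty2         2024-05-01 09:12 (tty2)
userC    pts/0        2024-05-01 09:30 (192.0.2.10)
"""

# The policy payload from the assignment example on this page.
POLICY = {"policy": {"userList": ["userA", "userB"]}}


def logged_in_users(who_output: str) -> set[str]:
    """Return the user names with an active session, read from `who` output
    (the user name is the first whitespace-separated field of each line)."""
    users: set[str] = set()
    for line in who_output.splitlines():
        fields = line.split()
        if fields:
            users.add(fields[0])
    return users


def eligible_for_encryption(user_list: list[str], logged_in: set[str]) -> tuple[list[str], list[str]]:
    """Apply the rule above: a listed user's home may be encrypted only while
    that user is logged out. Returns (ready, skipped), preserving policy order."""
    ready = [u for u in user_list if u not in logged_in]
    skipped = [u for u in user_list if u in logged_in]
    return ready, skipped


def simulate_login_cycle(user_list: list[str], login_sequence: list[str]) -> list[str]:
    """Replay a sequence of interactive sessions, assuming (simplification)
    that only the session owner is logged in during each session and that the
    agent encrypts every listed, still-unencrypted, logged-out home during it.
    Returns the users whose homes are encrypted by the end, in encryption order."""
    encrypted: list[str] = []
    for session_user in login_sequence:
        ready, _ = eligible_for_encryption(user_list, {session_user})
        for user in ready:
            if user not in encrypted:
                encrypted.append(user)
    return encrypted


if __name__ == "__main__":
    user_list = POLICY["policy"]["userList"]
    active = logged_in_users(SAMPLE_WHO_OUTPUT)
    ready, skipped = eligible_for_encryption(user_list, active)
    print(f"logged in now: {sorted(active)}")
    print(f"encrypt this session: {ready}; skipped (still logged in): {skipped}")
    # A device where only userA ever logs in never encrypts userA's own home.
    print("only userA logs in:", simulate_login_cycle(["userA"], ["userA", "userA"]))
    # Logging in as each listed user in turn covers every home (the "full login cycle").
    print("userA then userB:", simulate_login_cycle(user_list, ["userA", "userB"]))
```

The replay makes the single-user case explicit: if the only listed user is also the only one who ever logs in, their home is never encrypted, because the agent only encrypts homes whose owner is logged out during someone else's session.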
Encryption Details
Once encrypted, a user's home directory will report the following fscrypt configuration:
Contents encryption: AES-256-XTS
Filenames encryption: AES-256-CTS
Padding: 32
Policy version: 2
Policy Configuration
Policy Fields
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| userList | Array of strings | Yes | Specifies the Linux users whose home directories should be managed by this policy. |
Assignment Example
To assign the policy, use the following JSON payload with the target usernames:
```json
{
  "policy": {
    "userList": ["userA", "userB"]
  }
}
```

To disable encryption management for all users, assign the policy with an empty user list:

```json
{
  "policy": {
    "userList": []
  }
}
```

Note: The device must not be TPM-enabled when using this policy.
Verifying Encryption Status
After the policy has been applied, you can verify whether a user's home directory is encrypted by running:
```
sudo fscrypt status /home/<username>
```

If encrypted, the output will show:

```
"/home/userB" is encrypted with fscrypt.

Policy:   <policyId>
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes

Protected with 1 protector:
...
```
If not encrypted, the output will indicate that no fscrypt policy is applied to the directory.
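When verifying many devices, it helps to parse that output rather than read it by eye and to compare the reported options with the settings listed under "Encryption Details". The following is an added example, not part of the policy tooling: it parses the `Policy`, `Options` and `Unlocked` lines and reports any deviation from the expected contents mode, filenames mode, padding and policy version. All three sample outputs are constructed; the encrypted one follows the excerpt above with `<policyId>` standing in for the device-specific identifier, and the wording of the not-encrypted sample is assumed (the parser only relies on the "is encrypted with fscrypt" line being absent).

```python
from __future__ import annotations

import re

# Settings this page says an encrypted home reports (see "Encryption Details").
EXPECTED_OPTIONS = {
    "contents": "AES_256_XTS",
    "filenames": "AES_256_CTS",
    "padding": "32",
    "policy_version": "2",
}

# Constructed sample output, shaped like the excerpt above; "<policyId>" stands in
# for the real policy identifier, which is device-specific.
ENCRYPTED_SAMPLE = """\
"/home/userB" is encrypted with fscrypt.

Policy:   <policyId>
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes

Protected with 1 protector:
...
"""

# Constructed sample for a directory with no fscrypt policy (wording assumed).
NOT_ENCRYPTED_SAMPLE = '"/home/userA" is not encrypted with fscrypt.\n'

# Constructed sample of a directory encrypted with settings that do not match the policy.
WEAK_SAMPLE = """\
"/home/userC" is encrypted with fscrypt.

Policy:   <policyId>
Options:  padding:32 contents:AES_128_CBC filenames:AES_128_CTS policy_version:1
Unlocked: No
"""

_ENCRYPTED_LINE = re.compile(r'^"(?P<path>[^"]+)" is encrypted with fscrypt\.$')


def parse_fscrypt_status(output: str) -> dict:
    """Turn `fscrypt status <dir>` output into a dict with keys
    path, encrypted, policy, options (dict) and unlocked (bool or None)."""
    status = {"path": None, "encrypted": False, "policy": None, "options": {}, "unlocked": None}
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    if not lines:
        return status
    match = _ENCRYPTED_LINE.match(lines[0])
    if match is None:
        # Any other first line means no fscrypt policy is applied to the directory.
        quoted = re.match(r'^"([^"]+)"', lines[0])
        status["path"] = quoted.group(1) if quoted else None
        return status
    status["path"] = match.group("path")
    status["encrypted"] = True
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Policy":
            status["policy"] = value
        elif key == "Options":
            # "padding:32 contents:AES_256_XTS ..." -> {"padding": "32", "contents": ...}
            for item in value.split():
                name, _, setting = item.partition(":")
                status["options"][name] = setting
        elif key == "Unlocked":
            status["unlocked"] = value == "Yes"
    return status


def check_policy(status: dict, expected: dict = EXPECTED_OPTIONS) -> list[str]:
    """Compare a parsed status against the expected settings. An empty list
    means the home is encrypted exactly as this policy configures it."""
    if not status["encrypted"]:
        return ["directory is not encrypted with fscrypt"]
    findings = []
    for name, want in expected.items():
        got = status["options"].get(name)
        if got != want:
            findings.append(f"{name}: expected {want}, got {got}")
    return findings


if __name__ == "__main__":
    for sample in (ENCRYPTED_SAMPLE, NOT_ENCRYPTED_SAMPLE, WEAK_SAMPLE):
        parsed = parse_fscrypt_status(sample)
        print(parsed["path"], check_policy(parsed) or "OK")
```

In practice the output would come from running `sudo fscrypt status /home/<username>` on the device; the `Unlocked` field is also worth recording, since a home that is encrypted but unlocked is readable to anyone with access to the running system.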
Known Limitations
| Limitation | Details |
| --- | --- |
| Logged-in users cannot be encrypted | Encryption is skipped for any user currently logged in to avoid file corruption. The user must be logged out for encryption to proceed. |
| ext4 file systems only | Other Linux file systems (e.g., btrfs, xfs) are not supported. |
| ecryptfs is legacy | The older |
| TPM-enabled devices | Devices with TPM enabled are not compatible with this policy. For TPM-based full disk encryption, refer to your distribution's documentation. |
Frequently Asked Questions
Q: Why isn't my home directory encrypted even though the policy is assigned?
A: The most common reason is that you are currently logged in. Log out, have another user log in (or restart the device and log in as a different user), and the encryption will be applied to your home directory.
Q: Do I need to reinstall my OS to use this policy?
A: No. Unlike full disk encryption, home directory encryption can be applied to existing installations without reinstalling the operating system.
Q: What happens if I assign an empty user list?
A: No home directories will be encrypted. This effectively disables the policy without removing it.
Q: How do I encrypt all users' home directories?
A: Add all target usernames to the userList, then cycle through logins: log in as each user at least once. After a full cycle, all specified users' home directories will be encrypted.
