Skip to main content

Linux Home Encryption Policy

Overview

The Linux Home Encryption Policy (LINUX_HOME_ENCRYPTION_POLICY) allows administrators to manage home directory encryption for specific Linux users as an alternative to full disk encryption. In many Linux environments, enabling full disk encryption requires reinstalling the operating system — home directory encryption provides a targeted, non-disruptive alternative that protects user data at rest.

This policy is available for both BYOD and company-owned devices. The device must not be TPM-enabled.


Supported Platforms

Requirement

Details

Operating System

Linux

File System

ext4 only

Encryption Tool

fscrypt (preferred). Legacy ecryptfs is not used.

Device Ownership

Company-owned and BYOD (Non TPM)


How It Works

The Linux Home Encryption Policy uses fscrypt to encrypt the home directories of specified users. The encryption process follows these rules:

  1. Encryption only runs while the target user is logged out. If a user in the policy's user list is currently logged in, their home directory will not be encrypted during that session. This prevents file corruption from encrypting an active home directory.

  2. Encryption is applied on the next login cycle. When another user logs in and the target user is logged out, the agent encrypts the logged-out user's home directory.

  3. All users are encrypted after a full login cycle. By cycling through logins (e.g., logging in as each user in turn), all specified users' home directories will be encrypted.

Encryption Details

Once encrypted, a user's home directory will report the following fscrypt configuration:

  • Contents encryption: AES-256-XTS

  • Filenames encryption: AES-256-CTS

  • Padding: 32

  • Policy version: 2

Device Compliance Reporting

When this policy is active, the device will report encryption status back to the Swif console:

Status

Meaning

Encrypted

The user's home directory is encrypted via fscrypt

Unencrypted

The user's home directory is not encrypted

This status is visible in the device details under MDM Device Info > Encryption.


Policy Configuration

1. Apply to All Users (allUsers)

Property

Value

Type

Boolean

Default

false

Required

No

Platform

Linux

Specifies whether to manage home encryption for all users on the device or only for specific users defined in the User List.

  • true — Home encryption will be managed for all users on the device.

  • false — Home encryption will be managed only for users specified in the userList field.

Note: When allUsers is set to true, the userList field is ignored. A dedicated boolean field is used (rather than placing "all" in the user list) to avoid ambiguity in cases where a Linux username is literally "all."


2. User List (userList)

Property

Value

Type

Array of Strings

Default

None

Required

No

Platform

Linux

Specifies the Linux usernames whose home directory encryption should be managed by this policy. This field is only used when allUsers is set to false.

Example value:

["john", "jane", "deploy-user"]

Tip: Use the exact Linux username (login name) as it appears in /etc/passwd.

Quick Reference

Field

Display Name

Type

Default

allUsers

Apply to All Users

Boolean

false

userList

User List

Array of Strings


Verifying Encryption Status

After the policy has been applied, you can verify whether a user's home directory is encrypted by running:

sudo fscrypt status /home/<username>

If encrypted, the output will show:

"/home/userB" is encrypted with fscrypt.

Policy: <policyId>
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes

Protected with 1 protector:
...

If not encrypted, the output will indicate that no fscrypt policy is applied to the directory.


Known Limitations

Limitation

Details

Logged-in users cannot be encrypted

Encryption is skipped for any user currently logged in to avoid file corruption. The user must be logged out for encryption to proceed.

ext4 file systems only

Other Linux file systems (e.g., btrfs, xfs) are not supported.

ecryptfs is legacy

The older ecryptfs method (which uses /home/.ecryptfs/<username>/.Private) is not used. This policy uses fscrypt exclusively.

TPM-enabled devices

Devices with TPM enabled are not compatible with this policy. For TPM-based full disk encryption, refer to your distribution's documentation.


Frequently Asked Questions

Q: What happens if allUsers is true and I also provide a userList?
A: The userList is ignored. When allUsers is enabled, encryption management applies to every user on the device.

Q: Why does encryption only run when the user is logged out?
A: Encrypting a home directory while the user is actively logged in could cause data corruption or session instability. The agent waits until the user logs out before performing encryption operations.

Q: Which encryption method is used?
A: This policy uses fscrypt (Linux native file-system-level encryption). The agent verifies encryption status via sudo fscrypt status /home/<username>.

Q: Does this work on non-ext4 file systems?
A: No. Currently only ext4 file systems are supported. Home directories on btrfs, xfs, or other file systems will not be managed.

Q: Why isn't my home directory encrypted even though the policy is assigned?
A: The most common reason is that you are currently logged in. Log out, have another user log in (or restart the device and log in as a different user), and the encryption will be applied to your home directory.

Q: Do I need to reinstall my OS to use this policy?
A: No. Unlike full disk encryption, home directory encryption can be applied to existing installations without reinstalling the operating system.

Q: What happens if I assign an empty user list?
A: No home directories will be encrypted. This effectively disables the policy without removing it.

Q: How do I encrypt all users' home directories?
A: Set allUsers to true.


Did this answer your question?