Ext4 encryption

This article provides instructions on encrypting files in a home partition using the ext4 filesystem's built-in file-based encryption.

Overview
ext4 supports file-based encryption. Encrypting files individually may be more suitable than full disk encryption (such as DM-Crypt) because of the performance gain and the ability to exclude certain directories from encryption. For example, open-source project repositories or other 'public' files do not need to be encrypted.

This scenario works only on a single-user computer (the user is specified in the systemd service file).

Decryption before login
ext4 uses the kernel keyring, which is divided into a session keyring (created every time a user logs into a console, X11 or Wayland session) and a user keyring (persistent for the user, but only while the user stays logged in).

Summary:

.service part

1. wait for the display manager to load
2. then switch to VT 6 (if we switch before GDM has loaded, GDM takes the focus back when it starts)

.sh shell part (systemd)

3. ask for the password and save the key to @s (session keyring)
4. set permissions to allow linking it to @u (user keyring)

.sh shell part (PAM)

5. link from @u (user keyring) to @s (session keyring)

systemd service
The password prompt would have to appear before the login screen, which is not possible with a systemd unit. So, let's use tty6 for the password prompt instead.

There is no need to use all six VTs, so modify and reduce the number of reserved VTs accordingly.

Create systemd service file:

systemd script
In the script you have to fill in the number, which you get after running under normal circumstances and then running.

PAM script
Finally, you need to link from @u (user keyring) to @s (session keyring), because otherwise ext4 is not able to find the key (the reason is unknown). PAM is the best place to do this.

Search for the files that include the line (grep for it) and put the line right after it.
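The whole procedure (steps 1 to 5) collected in one POSIX shell file, added here as an example; it is not code from the original article. The user name, the install path, the unit text (the `display-manager.service` ordering, the TTY settings), the `keyctl setperm` mask and the `ext4:<descriptor>` "logon" key naming are assumptions to check against your own kernel, e2fsprogs and keyutils versions; the policy descriptor itself comes from your own setup.

```shell
#!/bin/sh
# Added example, not code from the original article. One file serves as the
# VT 6 unlock script (steps 3-4), the PAM hook (step 5) and a generator for
# the systemd unit (steps 1-2). Assumptions: a single user ($USER_NAME), one
# ext4 policy descriptor, e4crypt and keyctl on PATH, and ext4 looking up a
# "logon" key named "ext4:<descriptor>" (v1 policies).

USER_NAME=alice                              # assumed login name
UNLOCK_SCRIPT=/usr/local/bin/ext4-unlock.sh  # assumed install path of this file

# A v1 ext4 policy descriptor is 8 bytes, printed as 16 hex characters.
descriptor_is_valid() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Kernel key description ext4 looks up for a given policy descriptor.
key_name() { printf 'ext4:%s\n' "$1"; }

# Steps 3 and 4: runs on VT 6 as the user. e4crypt prompts for the passphrase
# on the controlling terminal and adds the derived key to the session keyring
# (@s). The descriptor is derived from the passphrase, so a wrong passphrase
# yields a key with a different name: the search fails and nothing is linked.
add_session_key() {
    desc=$1
    descriptor_is_valid "$desc" || { echo "bad descriptor: $desc" >&2; return 1; }
    e4crypt add_key -k @s || return 1
    kid=$(keyctl search @s logon "$(key_name "$desc")") || return 1
    # Assumed mask: possessor and owner get all rights, so that a later
    # `keyctl link` into @u (and from @u back into a new @s) is permitted.
    keyctl setperm "$kid" 0x3f3f0000 || return 1
    keyctl link "$kid" @u
}

# Step 5: link the user keyring into the fresh session keyring after login.
# This must execute under the logging-in user's uid (as pam_keyinit does),
# otherwise @u refers to the wrong user's keyring; how the PAM stack invokes
# it is left to the reader's configuration.
link_user_into_session() { keyctl link @u @s; }

# Steps 1 and 2: unit text. systemd opens /dev/tty6 for the service before
# dropping to the user; the "+" prefix runs chvt with full privileges.
render_unit() {
    cat <<EOF
[Unit]
Description=Unlock ext4 encrypted home on VT 6 (example)
After=display-manager.service

[Service]
Type=oneshot
User=$USER_NAME
StandardInput=tty
StandardOutput=tty
TTYPath=/dev/tty6
ExecStartPre=+/usr/bin/chvt 6
ExecStart=$UNLOCK_SCRIPT unlock $1

[Install]
WantedBy=graphical.target
EOF
}

# Dispatch: "unlock <descriptor>", "pam", or "unit <descriptor>".
case "${1:-}" in
    unlock) add_session_key "$2" ;;
    pam)    link_user_into_session ;;
    unit)   render_unit "$2" ;;
esac
```

Usage: install the file at the assumed path, generate the unit with `ext4-unlock.sh unit <descriptor> > /etc/systemd/system/ext4-unlock.service` and enable it, and have the PAM session stack call `ext4-unlock.sh pam` under the user's uid. Validating the descriptor up front and searching @s by the expected key name means a mistyped passphrase leaves the keyrings untouched instead of linking a useless key into @u.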

Issues

 * When  is issued with  (user keyring), the kernel is not able to decrypt the content.