Encrypted Home for Haiku

Software Proprietary & Other
1

Encrypted Home for Haiku

I have been working on an Encrypted Home system for Haiku. The goal is simple: let users install Haiku with /boot/home stored on a separate encrypted partition, unlocked during boot before the desktop session starts.

This is not full disk encryption yet. It protects the user’s home volume while keeping the system volume bootable in the normal Haiku way.

The installer now has an Encrypt home folder option. When enabled, it asks for a separate unmounted home backing partition, a passphrase and AES-XTS mode. The selected backing partition is formatted as an encrypted volume, mounted at the target system’s /home, and the installed system is configured to unlock it on boot.

Screenshots attached show:

  1. Installer encrypted-home option
  2. Home backing partition selection
  3. Erase warning for an existing backing partition
  4. Installation with encrypted home enabled
  5. Boot unlock flow

Technical Summary

The implementation includes:

  • Encrypted-home volume header format with redundant primary and backup headers
  • Argon2id passphrase-based key derivation
  • AES-128-XTS and AES-256-XTS payload encryption
  • Kernel virtual disk driver for the unlocked encrypted block device
  • Disk-system and filesystem detection support
  • Installer provisioning flow
  • Boot-time unlock application
  • Launch ordering changes so the desktop waits for home unlock
  • Unit, integration, image preflight, and static-analysis gates

The cryptography is based on existing reviewed code where possible:

  • AES-XTS code is imported from OpenBSD softraid
  • Argon2id uses the PHC Argon2 reference implementation
  • OpenSSL is used for AES primitives, HMAC, randomness, and secure memory cleansing support

For our own code, I added targeted hardening and checks around the areas that are easy to get wrong in disk encryption code: header recovery, stale backup selection, authenticated metadata handling, integer overflow, large offsets, short I/O, kernel copy failure paths, passphrase/key cleansing, launch ordering, and packaging.

I also added a static-analysis gate for the encrypted-home code. It runs policy checks plus clang-tidy, Clang static analyser via analyze-build, and cppcheck open-source checks. CERT-style clang-tidy checks are enabled. cppcheck’s old cert.py addon is no longer bundled with open-source cppcheck, so the gate supports an optional CPPCHECK_CERT_ADDON path if someone has access to that addon separately.

Build It

git clone GitHub - IntuitionAmiga/haiku: The Haiku operating system. (Pull requests will be ignored; patches may be sent to https://review.haiku-os.org). · GitHub
cd haiku
git checkout encrypted_home

mkdir -p generated.x86_64
cd generated.x86_64
../configure --cross-tools-source ../../buildtools --build-cross-tools x86_64

../../buildtools/jam/bin.linuxx86/jam -q @nightly-anyboot

The resulting image is:

generated.x86_64/haiku-nightly-anyboot.iso

Encrypted Home is currently enabled for supported OpenSSL-capable builds, mainly x86_64 and riscv64 in this branch.

This is ready for review as a first integrated encrypted-home implementation. It is intentionally scoped to home-directory encryption rather than full disk encryption, but it puts the core volume format, kernel driver, installer flow, boot unlock path, and testing infrastructure in place.

Now that encrypted home is working end to end, my next goal is full disk encryption. This work should give us a useful base for that: the header format, key derivation, XTS path, recovery handling, installer integration, and boot unlock flow are all pieces that can be built on
for FDE.

Feedback, testing, and bug reports are very welcome.

Haiku Encrypted Home Installer
Haiku Encrypted Home Installer1032×859 58.2 KB

Haiku Encrypted Home Installer Wipe
Haiku Encrypted Home Installer Wipe1032×859 64.1 KB

Haiku Encrypted Home Installer Encrypting
Haiku Encrypted Home Installer Encrypting1032×859 54.6 KB

Haiku Encrypted Home Boot Unlock
Haiku Encrypted Home Boot Unlock1032×859 26.4 KB

Haiku Encrypted Home Booted
Haiku Encrypted Home Booted1032×859 120 KB

8 Likes
2

I haven’t looked at your solution at all yet, but I wonder why the distinction between AES-128-XTS and AES-256-XTS is that important to bother the user with it. I would just make the latter the default. It would also make sense to be able to reuse an existing volume for this.

It’s also worth mentioning that Haiku currently misuses the user add-ons and settings for system-level things that need changes.

Also, please have a look at GitHub - axeld/driveencryption: DriveEncryption for Haiku · GitHub where you might be able to reuse some code from (like the userland tools). It currently does not work anymore as-is on Haiku due to build issues, though.

2 Likes
3

Hi Axel,

I added AES-128-XTS as a lower-level format/test option, users shouldn’t need to choose it during install I just haven’t removed it from the installer screen yet. I’ll make AES-256-XTS the default so it’s not confusing for users.

Do you mean we should reuse an existing BFS home volume while preserving its contents?

We don’t currently do that in this initial version. The installer can select an existing BFS partition as the backing partition, but it will reformat it into a new encrypted-home container and creates a new BFS filesystem inside that container.

Thanks for the link to your repo, I’ll take a look and see what I can use.

4

Hi Zayn,

Thank you for all hard work to put this in place.

Making Haiku a more secure OS is one of the things that prevent many, me included, from using it to store important data or daily drive. (Of course I know it’s beta software and WIP.) I know encrypting the home folder or the whole disk has nothing to do with the OS using root as default. But I wonder how your contribution could inspire other core developers to implement this necessary security feature in Haiku.

I appreciate everything every developer has done to this beloved OS which I follow since its birth.

1 Like