Comment 5 for bug 1842417

Redsandro (redsandro) wrote :

> I think some problem has to be considered: as far as I understood, the folder /.fscrypt shall not be deleted (risk to lose access to your data?)
> if yes, it's a bit risky in case you re-install system on / with a separated encrypted /home that you want to keep.

When you set up your encrypted home using the fscrypt tool and it detects that /home is not the same as /, it will offer to create a recovery protector. This creates a file in your home called fscrypt-recovery-passphrase.txt (or something like that) that needs to be written down (similar to ecryptfs). This protector is stored on /home/.fscrypt.

This means you can unlock the directory on a different (or new) system, and once unlocked, you can create a new login protector.

I assume ubiquity can be scripted to detect that a pre-existing user home was encrypted using fscrypt, query for the recovery protector passphrase, unlock the directory, and add a login protector.

> I also would like to add another issue of full disk encryption: it needs to enter password at boot on the machine.

I hadn't even thought about that because I never use full disk encryption. Some will argue that this is the point as it is more secure, but I would argue that you should have the choice to use your computer in a more versatile manner while still being able to protect your personal files from raw disk reading with a bootable USB stick. Options could be presented:

Encryption options:

* Full Disk Encryption - (Recommended) Best security. Suitable for single user hardware.
* Home Encryption - Good security. Suitable for shared family computers and WoL.
* No Encryption - No security. Good for guests and internet cafes.