I'm afraid you have some misunderstandings and misconceptions about sdm that I will correct so that future readers have a correct and complete understanding.

> I did. I thought I mentioned sdm by name, but I guess I forgot. sdm sets up full filesystem encryption which, as I said, is not what I'm trying to do. I don't see anything in sdm's documentation about an equivalent to what I'm talking about here. I didn't really want to rely on third party scripts to do what should be built in anyway. It really should have been simple. In fact, it seems it was...

You listed viewtopic.php?t=363217 as one of the topics you'd read, but you apparently didn't follow up on the content there and review what sdm has in the way of disk encryption, which has improved significantly in the intervening time.
First of all, the only thing that sdm does is automate system configuration. It doesn't use any strange services, nor does it add any binary programs of its own to the system. Specifically, for encryption it uses all the various cryptsetup and systemd-cryptsetup packages, configuring them so they'll work correctly.
In other words, you don't have to go through a guide, figure out where your particular system deviates from the guide, type in the commands, and hope that the guide is correct and that the author has kept it updated.
In the case of encryption, sdm is the guide, except you don't have to type it in. sdm does all this stuff automatically for you.
Secondly, with respect to your comment "sdm sets up full filesystem encryption":
sdm supports encrypting two different partition types on the system. First, there is rootfs. This is done in an integrated way that is started during sdm's customization of an IMG, either during the actual customization phase or when burning a disk for a particular host.
Alternatively, the rootfs encryption process can be started on an already-running system.
The second aspect of encryption that sdm supports is encrypting one or more data partitions, which is what I thought you were asking about when you referenced a "LUKS encrypted /home mounted on startup". The encryption that sdm supports for data partitions does exactly what you asked for, including automatically configuring it to mount right on top of the /home directory in your rootfs if you'd like.
The data partition encryption is done via an sdm plugin called cryptpart, which only runs on a booted and running system. It does, however, require that you install sdm (less than 1MB footprint). sdm and cryptpart make no other changes to your system, so once you've created your encrypted /home you'll never need to use sdm again, and you can sudo rm -rf usr/local/sdm if you want.
In summary, sdm does exactly what you asked for. If you go for the whole meal deal with rootfs encryption and encrypting one data partition, that can be done on a new system in 10-30 minutes, and you'll literally only need to type a few commands.
If you want to only create an encrypted data partition, you'll need to type exactly one command. If you've already got an encrypted data partition, cryptpart can wire it up for you. If the partition needs to be encrypted, cryptpart will do that for you as well. This process takes a couple of minutes plus a reboot.
The great thing about Linux is that there are plenty of options. I decided several years ago that I was DONE editing config files. I've built several tools for me to eliminate (or at least greatly reduce) config file editing.
But the one I am most dependent on is sdm, because I'm always spinning up a fresh Pi disk for this or that. Oh, and I need near-instant gratification, so sdm customization is typically limited by the time to download and install other packages I need (which I would have to do anyhow).
I figured.

> Oops! Oh geez. I actually saw this a while back and fully intended to install it and see if it did that, but somewhere along the way forgot I guess. (It doesn't help that it takes about 100 times longer to install/update/etc via apt on the RPi vs my desktop.)

Finally, with respect to your current configuration, one thing I didn't see mentioned was systemd-cryptsetup. This runs during system boot to unlock encrypted data partitions. If using a USB keydisk to unlock the encrypted data partition you need to configure the keydisk mount and dismount. systemd-cryptsetup will prompt if a passphrase is used for unlocking, and if a properly configured keyfile is in /root it will automatically use it.

> I feel silly now. systemd-cryptsetup is, indeed, what it needed! Looks like the key is mostly just having all three of those together. cryptsetup, cryptsetup-initramfs, and systemd-cryptsetup should each be installed.
>
> I guess this thread will serve to help anyone doing a search in the future if nothing else...
And if your apt updates are taking too long, you should have a look at apt-cacher-ng. It eliminates nearly all of the package download time, except for the first time you access it. And, of course there's an sdm package to install and properly configure apt-cacher-ng.
Statistics: Posted by bls — Fri Feb 20, 2026 10:46 pm
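The boot-time wiring bls describes above (a crypttab entry that systemd-cryptsetup unlocks, a root-only keyfile or a passphrase prompt, and an fstab mount of the unlocked device on /home) can be sanity-checked with the script below. It is an added example, not code from this thread or from sdm; the mapper name "home", the function name check_home_crypt and the UUID and paths in the test data are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from sdm: sanity-check the wiring that
# systemd-cryptsetup reads at boot to unlock a LUKS data partition and mount it
# on /home. File paths are parameters so it can be run against copies.
#
# usage: check_home_crypt NAME CRYPTTAB FSTAB
#   NAME      mapper name (assumed "home" below, i.e. /dev/mapper/home)
#   CRYPTTAB  crypttab to inspect (normally /etc/crypttab)
#   FSTAB     fstab to inspect (normally /etc/fstab)
# Returns 0 when the wiring is consistent, 1 otherwise, printing each problem.
check_home_crypt() {
    name=$1; crypttab=$2; fstab=$3; rc=0
    # crypttab line format: <name> <device> <keyfile|none> <options>
    line=$(awk -v n="$name" '$1 == n { print; exit }' "$crypttab")
    if [ -z "$line" ]; then
        echo "no crypttab entry for $name"; return 1
    fi
    set -- $line
    dev=$2; key=${3:-none}
    case "$dev" in
        UUID=*|/dev/*) ;;
        *) echo "device '$dev' should be UUID=... or a /dev path"; rc=1 ;;
    esac
    if [ "$key" = none ]; then
        # no keyfile: systemd-cryptsetup will prompt for the passphrase at boot
        echo "note: $name will prompt for a passphrase during boot"
    elif [ ! -f "$key" ]; then
        echo "keyfile $key does not exist"; rc=1
    else
        # a keyfile must be readable by root only, or it is not a secret
        mode=$(stat -c %a "$key")
        case "$mode" in
            400|600) ;;
            *) echo "keyfile $key has mode $mode, want 400 or 600"; rc=1 ;;
        esac
        case "$key" in
            /root/*) ;;
            *) echo "warning: keyfile $key lives outside /root" ;;
        esac
    fi
    # fstab must mount the unlocked mapper device on /home
    awk -v m="/dev/mapper/$name" '$1 == m && $2 == "/home" { f = 1 } END { exit !f }' "$fstab" \
        || { echo "fstab has no /dev/mapper/$name entry for /home"; rc=1; }
    return $rc
}
```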