https://wiki.archlinux.org/api.php?action=feedcontributions&user=Lukeus+Maximus&feedformat=atomArchWiki - User contributions [en]2024-03-29T10:10:48ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=User:Lukeus_Maximus&diff=641912User:Lukeus Maximus2020-11-19T16:59:34Z<p>Lukeus Maximus: </p>
<hr />
<div>= Home directory encryption =<br />
<br />
One common use of stacked filesystem encryption is to encrypt a user's home directory.<br />
<br />
If the home directory exists on an [[Ext4]] filesystem then this form of [[Data-at-rest_encryption]] should be set up before any data is stored in the home directory (preferably just after creation). This is because Ext4 is a ''journaled'' filesystem; if existing unencrypted files are copied into the new encrypted directory, the old unencrypted version of the file is generally recoverable from the Ext4 filesystem. To make the old unencrypted versions of these files unrecoverable, a secure deletion technique must be used on them.<br />
<br />
This article covers the cases where the home directory is empty and where it already contains user data. <br />
<br />
== Example using gocryptfs ==<br />
<br />
Install [[gocryptfs]].<br />
<br />
=== Create new encrypted filesystem ===<br />
<br />
As root, create the directory {{ic|/home/''$user''.cipher}}:<br />
<br />
# mkdir /home/''$user''.cipher<br />
<br />
Change its permissions, owner, and group so that it matches those of the user's existing home directory:<br />
<br />
# chown ''$user'' /home/''$user''.cipher<br />
# chgrp ''$user'' /home/''$user''.cipher<br />
# chmod 700 /home/''$user''.cipher<br />
<br />
Then set up the encrypted filesystem using {{ic|gocryptfs}} on the {{ic|/home/''$user''.cipher}} directory:<br />
<br />
$ gocryptfs -init /home/''$user''.cipher<br />
<br />
When prompted, enter the password to be used for encryption. If you intend to set up [[#Auto-mounting on login|auto-mounting]], the password needs to be the same as the user's login password for it to work correctly. The process will finish by printing out the master key. Store the master key somewhere secure - it can be used to recover the filesystem data if the password is lost:<br />
<br />
{{bc|<br />
Choose a password for protecting your files.<br />
Password: <br />
Repeat:<br />
<br />
Your master key is:<br />
<br />
00000000-11111111-22222222-33333333-<br />
44444444-55555555-66666666-77777777<br />
<br />
If the gocryptfs.conf file becomes corrupted or you ever forget your password,<br />
there is only one hope for recovery: The master key. Print it to a piece of<br />
paper and store it in a drawer. This message is only printed once.<br />
The gocryptfs filesystem has been created successfully.<br />
You can now mount it using: gocryptfs /home/''$user''.cipher MOUNTPOINT<br />
}}<br />
<br />
If the user's home directory is empty, you can skip to configuring [[#Auto-mounting on login|auto-mounting]].<br />
<br />
=== Moving existing home directory files to encrypted filesystem ===<br />
<br />
You will need to mount the newly created encrypted filesystem and copy the entirety of the user's home directory into it. As each file is copied in, it is encrypted by {{ic|gocryptfs}}. To avoid any programs changing files in the user's home directory in the middle of the copy operation, the user must be logged out. Then, as root:<br />
<br />
====1. Create the user's new home directory====<br />
{{bc|<br />
# mv /home/''$user'' /home/''$user''.old<br />
# mkdir -m 700 /home/''$user''<br />
# chown ''$user'' /home/''$user''<br />
# chgrp ''$user'' /home/''$user''<br />
}}<br />
<br />
====2. Mount the encrypted filesystem at the new home directory====<br />
Enter the encryption password when prompted:<br />
{{bc|<br />
# gocryptfs /home/''$user''.cipher /home/''$user''<br />
}}<br />
<br />
====3. Copy all home directory files into the mounted filesystem====<br />
<br />
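Using [[rsync]] (the trailing slash on the source makes rsync copy the contents of the directory rather than the directory itself):<br />
{{bc|<br />
# rsync -av /home/''$user''.old/ /home/''$user''/<br />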
}}<br />
<br />
====4. Unmount the filesystem====<br />
{{bc|<br />
# fusermount -u /home/''$user''<br />
}}<br />
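<br />
The check below is an added example, not part of the original article: it compares the old home directory with the mounted encrypted one by relative path and SHA-256 before the old copy is removed, and it rejects the nested layout that a copy without the trailing slash produces. The sample tree is constructed, {{ic|cp -a}} stands in for rsync so that the demo has no extra dependency, and the function names are hypothetical; on a real system run {{ic|verify_copy /home/''$user''.old /home/''$user''}} as root while the filesystem is still mounted.<br />
```shell
#!/bin/sh
# Added example (not from the original article): confirm that every file in
# the old home directory exists, byte for byte, at the same relative path in
# the mounted gocryptfs directory. Function names are hypothetical.

# manifest DIR: print "<sha256>  ./<relative path>" for each regular file,
# sorted by path. Symlinks and file metadata are not compared.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# verify_copy SRC DST: succeed only if both trees hold identical files at
# identical relative paths. Returns 2 if either tree cannot be read.
verify_copy() {
    src_list=$(manifest "$1") || return 2
    dst_list=$(manifest "$2") || return 2
    [ "$src_list" = "$dst_list" ]
}

# make_sample_home DIR: constructed data standing in for /home/$user.old.
make_sample_home() {
    mkdir -p "$1/.ssh" "$1/Documents"
    printf 'export EDITOR=vim\n' > "$1/.bashrc"
    printf 'constructed key material\n' > "$1/.ssh/id_sample"
    printf 'notes\n' > "$1/Documents/my notes.txt"
}

# demo: returns 0 if the checker accepts a correct copy and rejects both a
# nested copy and a file whose contents changed after the copy.
demo() {
    work=$(mktemp -d) || return 2
    make_sample_home "$work/alice.old"
    mkdir "$work/good" "$work/nested"
    # Contents copied into the target, like "rsync -av src/ dst/".
    cp -a "$work/alice.old/." "$work/good/"
    # Directory itself copied, like "rsync -av src dst": nested/alice.old/...
    cp -a "$work/alice.old" "$work/nested/"
    result=0
    verify_copy "$work/alice.old" "$work/good"   || result=1
    verify_copy "$work/alice.old" "$work/nested" && result=1
    printf 'tampered\n' > "$work/good/.bashrc"
    verify_copy "$work/alice.old" "$work/good"   && result=1
    rm -rf "$work"
    return "$result"
}

demo && echo "verify_copy accepts the correct copy and rejects the others"
```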
<br />
=== Auto-mounting on login ===<br />
<br />
If the user logs in without their home directory mounted, their session will not benefit from any shell profile files or any programs configured to run at login. Until the directory is mounted with {{ic|gocryptfs}}, the user's home directory will be empty. Generally then, it is highly desirable to have the encrypted home directory mount itself when the user logs in so that those things happen properly.<br />
<br />
This setup configures [[PAM]] and [[pam_mount]] so that the user's home directory is mounted as they authenticate. The authentication credentials (e.g. password) are passed to {{ic|pam_mount}} so that they can be used for the filesystem decryption. This requires that the encrypted filesystem be encrypted with the same password as the user uses for login.<br />
<br />
====1. Configure [[FUSE]]====<br />
<br />
Uncomment {{ic|user_allow_other}} in {{ic|/etc/fuse.conf}}:<br />
{{hc|head=/etc/fuse.conf|output=<br />
# The file /etc/fuse.conf allows for the following parameters:<br />
#<br />
# user_allow_other - Using the allow_other mount option works fine as root, in<br />
# order to have it work as user you need user_allow_other in /etc/fuse.conf as<br />
# well. (This option allows users to use the allow_other option.) You need<br />
# allow_other if you want users other than the owner to access a mounted fuse.<br />
# This option must appear on a line by itself. There is no value, just the<br />
# presence of the option.<br />
<br />
user_allow_other<br />
<br />
<br />
# mount_max = n - this option sets the maximum number of mounts.<br />
# Currently (2014) it must be typed exactly as shown<br />
# (with a single space before and after the equals sign).<br />
<br />
#mount_max = 1000<br />
<br />
}}<br />
<br />
====2. Configure {{ic|pam_mount}}====<br />
<br />
In {{ic|/etc/security/pam_mount.conf.xml}} add a new XML tag just before {{ic|</pam_mount>}}:<br />
{{hc|head=/etc/security/pam_mount.conf.xml|output=<br />
...<br />
<br />
<volume user="''$user''" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"<br />
path="/usr/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" /><br />
<br />
</pam_mount><br />
}}<br />
<br />
====3. Configure PAM====<br />
<br />
Create {{ic|/etc/pam.d/homedirs}} with the following contents:<br />
{{hc|/etc/pam.d/homedirs|<br />
#%PAM-1.0<br />
<br />
auth optional pam_mount.so<br />
password optional pam_mount.so<br />
session required pam_mkhomedir.so<br />
session optional pam_mount.so<br />
}}<br />
<br />
Then edit {{ic|/etc/pam.d/system-local-login}} and {{ic|/etc/pam.d/system-remote-login}} to include the {{ic|homedirs}} file.<br />
{{hc|/etc/pam.d/system-local-login|<br />
#%PAM-1.0<br />
<br />
auth include system-login<br />
auth include homedirs <br />
account include system-login<br />
account include homedirs<br />
password include system-login<br />
password include homedirs<br />
session include system-login<br />
session include homedirs<br />
<br />
}}<br />
<br />
{{hc|/etc/pam.d/system-remote-login|<br />
#%PAM-1.0<br />
<br />
auth include system-login<br />
auth include homedirs <br />
account include system-login<br />
account include homedirs<br />
password include system-login<br />
password include homedirs<br />
session include system-login<br />
session include homedirs<br />
<br />
}}<br />
(source [https://wiki.archlinux.org/index.php/Talk:Pam_mount#automatic_unmounting_and_systemd])<br />
<br />
Logging in as the user will now cause the encrypted filesystem to be mounted transparently. Logging out will correspondingly unmount the encrypted filesystem.<br />
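<br />
An added example (not from the original article) of a pre-flight check for the files edited in steps 1 and 3: it confirms that {{ic|user_allow_other}} is really uncommented and that a login file is well formed and includes {{ic|homedirs}} for {{ic|auth}}, {{ic|password}} and {{ic|session}}. The function names and sample files are constructed for illustration; on a live system point the functions at the real paths under {{ic|/etc}}.<br />
```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# fuse_allows_other FILE: succeed if user_allow_other is uncommented and
# alone on its line, as the comments in /etc/fuse.conf require.
fuse_allows_other() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# pam_bad_lines FILE: print every line that is not blank, not a comment and
# does not start with a PAM management group. A header written as "%PAM-1.0"
# instead of "#%PAM-1.0" shows up here.
pam_bad_lines() {
    grep -Ev '^[[:space:]]*(#.*)?$' "$1" |
        grep -Ev '^[[:space:]]*-?(auth|account|password|session)[[:space:]]' || true
}

# pam_includes_homedirs FILE: succeed if the auth, password and session
# stacks (the groups that use pam_mount.so in homedirs) each include homedirs.
pam_includes_homedirs() {
    for group in auth password session; do
        grep -Eq "^[[:space:]]*${group}[[:space:]]+include[[:space:]]+homedirs([[:space:]]|\$)" "$1" ||
            return 1
    done
}

# check_pam_file FILE: both PAM checks together.
check_pam_file() {
    [ -z "$(pam_bad_lines "$1")" ] && pam_includes_homedirs "$1"
}

# write_samples DIR: constructed sample files, not real system configuration.
write_samples() {
    printf '#user_allow_other\n#mount_max = 1000\n' > "$1/fuse.commented"
    printf '# comment\nuser_allow_other\n' > "$1/fuse.ok"
    cat > "$1/login.ok" <<'EOF'
#%PAM-1.0

auth      include   system-login
auth      include   homedirs
account   include   system-login
password  include   system-login
password  include   homedirs
session   include   system-login
session   include   homedirs
EOF
    # Same file with the leading "#" of the header dropped.
    sed '1s/^#//' "$1/login.ok" > "$1/login.badheader"
    # Same file without the session include.
    grep -v '^session.*homedirs' "$1/login.ok" > "$1/login.nosession"
}

# preflight_demo: run every check over the constructed samples and report.
preflight_demo() {
    dir=$(mktemp -d) || return 2
    write_samples "$dir"
    for f in fuse.commented fuse.ok; do
        if fuse_allows_other "$dir/$f"; then
            echo "$f: user_allow_other enabled"
        else
            echo "$f: user_allow_other NOT enabled"
        fi
    done
    for f in login.ok login.badheader login.nosession; do
        if check_pam_file "$dir/$f"; then
            echo "$f: ok"
        else
            echo "$f: FAILED $(pam_bad_lines "$dir/$f")"
        fi
    done
    rm -rf "$dir"
}

preflight_demo
```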
<br />
=== Securely delete the unencrypted home directory ===<br />
<br />
If it was not empty, the user's home directory was moved to ''$user''.old earlier. These unencrypted files must be deleted securely; otherwise the encryption protecting the data can be bypassed simply by looking in the old directory. Running {{ic|rm -rf ''$user''.old}} is not enough: it removes only the references to the files, not their contents on disk.<br />
<br />
Multiple tools exist that claim to delete files securely (most notably [[shred]]) but these come into conflict with the journaling functions of journaling filesystems (such as Ext4). The secure deletion tool is trying to make it so that you ''can't'' recover your files whilst the journaled filesystem is trying to make sure that you ''can'' recover them.</div>Lukeus Maximushttps://wiki.archlinux.org/index.php?title=User:Lukeus_Maximus&diff=641906User:Lukeus Maximus2020-11-19T15:40:56Z<p>Lukeus Maximus: </p>
<hr />
<div>= Home directory encryption =<br />
<br />
One common use of stacked filesystem encryption is to encrypt a user's home directory.<br />
<br />
If the home directory exists on an [[Ext4]] filesystem then this form of [[Data-at-rest_encryption]] should be set up before any data is stored in the home directory (preferably just after creation). This is because Ext4 is a ''journaled'' filesystem; if existing unencrypted files are copied into the new encrypted directory, the old unencrypted version of the file is generally recoverable from the Ext4 filesystem. To make the old unencrypted versions of these files unrecoverable, a secure deletion technique must be used on them.<br />
<br />
This article covers the cases where the home directory is empty and where it already contains user data. <br />
<br />
== Example using gocryptfs ==<br />
<br />
Install [[gocryptfs]].<br />
<br />
=== Create new encrypted filesystem ===<br />
<br />
As root, create the directory {{ic|/home/''$user''.cipher}}:<br />
<br />
# mkdir /home/''$user''.cipher<br />
<br />
Change its permissions, owner, and group so that it matches those of the user's existing home directory:<br />
<br />
# chown ''$user'' /home/''$user''.cipher<br />
# chgrp ''$user'' /home/''$user''.cipher<br />
# chmod 700 /home/''$user''.cipher<br />
<br />
Then set up the encrypted filesystem using {{ic|gocryptfs}} on the {{ic|/home/''$user''.cipher}} directory:<br />
<br />
$ gocryptfs -init /home/''$user''.cipher<br />
<br />
When prompted, enter the password to be used for encryption. If you intend to set up [[#Auto-mounting on login|auto-mounting]], the password needs to be the same as the user's login password for it to work correctly. The process will finish by printing out the master key. Store the master key somewhere secure - it can be used to recover the filesystem data if the password is lost:<br />
<br />
{{bc|<br />
Choose a password for protecting your files.<br />
Password: <br />
Repeat:<br />
<br />
Your master key is:<br />
<br />
00000000-11111111-22222222-33333333-<br />
44444444-55555555-66666666-77777777<br />
<br />
If the gocryptfs.conf file becomes corrupted or you ever forget your password,<br />
there is only one hope for recovery: The master key. Print it to a piece of<br />
paper and store it in a drawer. This message is only printed once.<br />
The gocryptfs filesystem has been created successfully.<br />
You can now mount it using: gocryptfs /home/''$user''.cipher MOUNTPOINT<br />
}}<br />
<br />
If the user's home directory is empty, you can skip to configuring [[#Auto-mounting on login|auto-mounting]].<br />
<br />
=== Moving existing home directory files to encrypted filesystem ===<br />
<br />
You will need to mount the newly created encrypted filesystem and copy the entirety of the user's home directory into it. As each file is copied in, it is encrypted by {{ic|gocryptfs}}. To avoid any programs changing files in the user's home directory in the middle of the copy operation, the user must be logged out. Then, as root:<br />
<br />
'''1. Create the user's new home directory'''<br />
{{bc|<br />
# mv /home/''$user'' /home/''$user''.old<br />
# mkdir -m 700 /home/''$user''<br />
# chown ''$user'' /home/''$user''<br />
# chgrp ''$user'' /home/''$user''<br />
}}<br />
<br />
'''2. Mount the encrypted filesystem at the new home directory'''<br />
Enter the encryption password when prompted:<br />
{{bc|<br />
# gocryptfs /home/''$user''.cipher /home/''$user''<br />
}}<br />
<br />
'''3. Copy all home directory files into the mounted filesystem'''<br />
<br />
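Using [[rsync]] (the trailing slash on the source makes rsync copy the contents of the directory rather than the directory itself):<br />
{{bc|<br />
# rsync -av /home/''$user''.old/ /home/''$user''/<br />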
}}<br />
<br />
'''4. Unmount the filesystem'''<br />
{{bc|<br />
# fusermount -u /home/''$user''<br />
}}<br />
<br />
=== Auto-mounting on login ===<br />
<br />
If the user logs in without their home directory mounted, their session will not benefit from any shell profile files or any programs configured to run at login. Until the directory is mounted with {{ic|gocryptfs}}, the user's home directory will be empty. Generally then, it is highly desirable to have the encrypted home directory mount itself when the user logs in so that those things happen properly.<br />
<br />
This setup configures [[PAM]] and [[pam_mount]] so that the user's home directory is mounted as they authenticate. The authentication credentials (e.g. password) are passed to {{ic|pam_mount}} so that they can be used for the filesystem decryption. This requires that the encrypted filesystem be encrypted with the same password as the user uses for login.<br />
<br />
'''1. Configure [[FUSE]]'''<br />
Uncomment {{ic|user_allow_other}} in {{ic|/etc/fuse.conf}}:<br />
{{hc|head=/etc/fuse.conf|output=<br />
# The file /etc/fuse.conf allows for the following parameters:<br />
#<br />
# user_allow_other - Using the allow_other mount option works fine as root, in<br />
# order to have it work as user you need user_allow_other in /etc/fuse.conf as<br />
# well. (This option allows users to use the allow_other option.) You need<br />
# allow_other if you want users other than the owner to access a mounted fuse.<br />
# This option must appear on a line by itself. There is no value, just the<br />
# presence of the option.<br />
<br />
user_allow_other<br />
<br />
<br />
# mount_max = n - this option sets the maximum number of mounts.<br />
# Currently (2014) it must be typed exactly as shown<br />
# (with a single space before and after the equals sign).<br />
<br />
#mount_max = 1000<br />
<br />
}}<br />
<br />
'''2. Configure {{ic|pam_mount}}'''<br />
In {{ic|/etc/security/pam_mount.conf.xml}} add a new XML tag just before {{ic|</pam_mount>}}:<br />
{{hc|head=/etc/security/pam_mount.conf.xml|output=<br />
...<br />
<br />
<volume user="''$user''" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"<br />
path="/usr/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" /><br />
<br />
</pam_mount><br />
}}<br />
<br />
'''3. Configure PAM'''<br />
Create {{ic|/etc/pam.d/homedirs}} with the following contents:<br />
{{hc|/etc/pam.d/homedirs|<br />
#%PAM-1.0<br />
<br />
auth optional pam_mount.so<br />
password optional pam_mount.so<br />
session required pam_mkhomedir.so<br />
session optional pam_mount.so<br />
}}<br />
<br />
Then edit {{ic|/etc/pam.d/system-local-login}} and {{ic|/etc/pam.d/system-remote-login}} to include the {{ic|homedirs}} file.<br />
{{hc|/etc/pam.d/system-local-login|<br />
#%PAM-1.0<br />
<br />
auth include system-login<br />
auth include homedirs <br />
account include system-login<br />
account include homedirs<br />
password include system-login<br />
password include homedirs<br />
session include system-login<br />
session include homedirs<br />
<br />
}}<br />
<br />
{{hc|/etc/pam.d/system-remote-login|<br />
#%PAM-1.0<br />
<br />
auth include system-login<br />
auth include homedirs <br />
account include system-login<br />
account include homedirs<br />
password include system-login<br />
password include homedirs<br />
session include system-login<br />
session include homedirs<br />
<br />
}}<br />
(source [https://wiki.archlinux.org/index.php/Talk:Pam_mount#automatic_unmounting_and_systemd])<br />
<br />
=== Securely delete unencrypted home copies ===<br />
<br />
Ext 4 makes this hard.</div>Lukeus Maximushttps://wiki.archlinux.org/index.php?title=User:Lukeus_Maximus&diff=641905User:Lukeus Maximus2020-11-19T15:38:58Z<p>Lukeus Maximus: </p>
<hr />
<div>= Home directory encryption =<br />
<br />
One common use of stacked filesystem encryption is to encrypt a user's home directory.<br />
<br />
If the home directory exists on an [[Ext4]] filesystem then this form of [[Data-at-rest_encryption]] should be set up before any data is stored in the home directory (preferably just after creation). This is because Ext4 is a ''journaled'' filesystem; if existing unencrypted files are copied into the new encrypted directory, the old unencrypted version of the file is generally recoverable from the Ext4 filesystem. To make the old unencrypted versions of these files unrecoverable, a secure deletion technique must be used on them.<br />
<br />
This article covers the cases where the home directory is empty and where it already contains user data. <br />
<br />
== Example using gocryptfs ==<br />
<br />
Install [[gocryptfs]].<br />
<br />
=== Create new encrypted filesystem ===<br />
<br />
As root, create the directory {{ic|/home/''$user''.cipher}}:<br />
<br />
# mkdir /home/''$user''.cipher<br />
<br />
Change its permissions, owner, and group so that it matches those of the user's existing home directory:<br />
<br />
# chown ''$user'' /home/''$user''.cipher<br />
# chgrp ''$user'' /home/''$user''.cipher<br />
# chmod 700 /home/''$user''.cipher<br />
<br />
Then set up the encrypted filesystem using {{ic|gocryptfs}} on the {{ic|/home/''$user''.cipher}} directory:<br />
<br />
$ gocryptfs -init /home/''$user''.cipher<br />
<br />
When prompted, enter the password to be used for encryption. If you intend to set up [[#Auto-mounting on login|auto-mounting]], the password needs to be the same as the user's login password for it to work correctly. The process will finish by printing out the master key. Store the master key somewhere secure - it can be used to recover the filesystem data if the password is lost:<br />
<br />
{{bc|<br />
Choose a password for protecting your files.<br />
Password: <br />
Repeat:<br />
<br />
Your master key is:<br />
<br />
00000000-11111111-22222222-33333333-<br />
44444444-55555555-66666666-77777777<br />
<br />
If the gocryptfs.conf file becomes corrupted or you ever forget your password,<br />
there is only one hope for recovery: The master key. Print it to a piece of<br />
paper and store it in a drawer. This message is only printed once.<br />
The gocryptfs filesystem has been created successfully.<br />
You can now mount it using: gocryptfs /home/''$user''.cipher MOUNTPOINT<br />
}}<br />
<br />
If the user's home directory is empty, you can skip to configuring [[#Auto-mounting on login|auto-mounting]].<br />
<br />
=== Moving existing home directory files to encrypted filesystem ===<br />
<br />
You will need to mount the newly created encrypted filesystem and copy the entirety of the user's home directory into it. As each file is copied in, it is encrypted by {{ic|gocryptfs}}. To avoid any programs changing files in the user's home directory in the middle of the copy operation, the user must be logged out. Then, as root:<br />
<br />
'''1. Create the user's new home directory'''<br />
{{bc|<br />
# mv /home/''$user'' /home/''$user''.old<br />
# mkdir -m 700 /home/''$user''<br />
# chown ''$user'' /home/''$user''<br />
# chgrp ''$user'' /home/''$user''<br />
}}<br />
<br />
'''2. Mount the encrypted filesystem at the new home directory'''<br />
Enter the encryption password when prompted:<br />
{{bc|<br />
# gocryptfs /home/''$user''.cipher /home/''$user''<br />
}}<br />
<br />
'''3. Copy all home directory files into the mounted filesystem'''<br />
<br />
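Using [[rsync]] (the trailing slash on the source makes rsync copy the contents of the directory rather than the directory itself):<br />
{{bc|<br />
# rsync -av /home/''$user''.old/ /home/''$user''/<br />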
}}<br />
<br />
'''4. Unmount the filesystem'''<br />
{{bc|<br />
# fusermount -u /home/''$user''<br />
}}<br />
<br />
=== Auto-mounting on login ===<br />
<br />
If the user logs in without their home directory mounted, their session will not benefit from any shell profile files or any programs configured to run at login. Until the directory is mounted with {{ic|gocryptfs}}, the user's home directory will be empty. Generally then, it is highly desirable to have the encrypted home directory mount itself when the user logs in so that those things happen properly.<br />
<br />
This setup configures [[PAM]] and [[pam_mount]] so that the user's home directory is mounted as they authenticate. The authentication credentials (e.g. password) are passed to {{ic|pam_mount}} so that they can be used for the filesystem decryption. This requires that the encrypted filesystem be encrypted with the same password as the user uses for login.<br />
<br />
'''1. Configure [[FUSE]]'''<br />
Uncomment {{ic|user_allow_other}} in {{ic|/etc/fuse.conf}}:<br />
{{hc|/etc/fuse.conf|<br />
# The file /etc/fuse.conf allows for the following parameters:<br />
#<br />
# user_allow_other - Using the allow_other mount option works fine as root, in<br />
# order to have it work as user you need user_allow_other in /etc/fuse.conf as<br />
# well. (This option allows users to use the allow_other option.) You need<br />
# allow_other if you want users other than the owner to access a mounted fuse.<br />
# This option must appear on a line by itself. There is no value, just the<br />
# presence of the option.<br />
<br />
user_allow_other<br />
<br />
<br />
# mount_max = n - this option sets the maximum number of mounts.<br />
# Currently (2014) it must be typed exactly as shown<br />
# (with a single space before and after the equals sign).<br />
<br />
#mount_max = 1000<br />
<br />
}}<br />
<br />
'''2. Configure {{ic|pam_mount}}'''<br />
In {{ic|/etc/security/pam_mount.conf.xml}} add a new XML tag just before {{ic|</pam_mount>}}:<br />
{{hc|/etc/security/pam_mount.conf.xml|<br />
...<br />
<br />
<volume user="''$user''" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"<br />
path="/usr/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" /><br />
<br />
</pam_mount><br />
}}<br />
<br />
'''3. Configure PAM'''<br />
Create {{ic|/etc/pam.d/homedirs}} with the following contents:<br />
{{hc|/etc/pam.d/homedirs|<br />
#%PAM-1.0<br />
<br />
auth optional pam_mount.so<br />
password optional pam_mount.so<br />
session required pam_mkhomedir.so<br />
session optional pam_mount.so<br />
}}<br />
<br />
Then edit {{ic|/etc/pam.d/system-local-login}} and {{ic|/etc/pam.d/system-remote-login}} to include the {{ic|homedirs}} file.<br />
{{hc|/etc/pam.d/system-local-login|<br />
#%PAM-1.0<br />
<br />
auth include system-login<br />
auth include homedirs <br />
account include system-login<br />
account include homedirs<br />
password include system-login<br />
password include homedirs<br />
session include system-login<br />
session include homedirs<br />
<br />
}}<br />
<br />
{{hc|/etc/pam.d/system-remote-login|<br />
#%PAM-1.0<br />
<br />
auth include system-login<br />
auth include homedirs <br />
account include system-login<br />
account include homedirs<br />
password include system-login<br />
password include homedirs<br />
session include system-login<br />
session include homedirs<br />
<br />
}}<br />
(source [https://wiki.archlinux.org/index.php/Talk:Pam_mount#automatic_unmounting_and_systemd])<br />
<br />
=== Securely delete unencrypted home copies ===<br />
<br />
Ext 4 makes this hard.</div>Lukeus Maximushttps://wiki.archlinux.org/index.php?title=User:Lukeus_Maximus&diff=641900User:Lukeus Maximus2020-11-19T14:39:47Z<p>Lukeus Maximus: </p>
<hr />
<div>= Home directory encryption =<br />
<br />
One common use of stacked filesystem encryption is to encrypt a user's home directory.<br />
<br />
If the home directory exists on an [[Ext4]] filesystem then this form of [[Data-at-rest_encryption]] should be set up before any data is stored in the home directory (preferably just after creation). This is because Ext4 is a ''journaled'' filesystem; if existing unencrypted files are copied into the new encrypted directory, the old unencrypted version of the file is generally recoverable from the Ext4 filesystem. To make the old unencrypted versions of these files unrecoverable, a secure deletion technique must be used on them.<br />
<br />
This article covers the cases where the home directory is empty and where it already contains user data. <br />
<br />
== Example using gocryptfs ==<br />
<br />
Install [[gocryptfs]]. If the user's home directory is not empty, also install [[rsync]].<br />
<br />
As root, create the directory {{ic|/home/''$user''.cipher}}:<br />
<br />
# mkdir /home/''$user''.cipher<br />
<br />
Change its permissions, owner, and group so that it matches those of the user's existing home directory:<br />
<br />
# chown ''$user'' /home/''$user''.cipher<br />
# chgrp ''$user'' /home/''$user''.cipher<br />
# chmod 700 /home/''$user''.cipher<br />
<br />
Then set up the encrypted filesystem using {{ic|gocryptfs}} on the {{ic|/home/''$user''.cipher}} directory:<br />
<br />
$ gocryptfs -init /home/''$user''.cipher<br />
<br />
When prompted, enter the password to be used for encryption. If you intend to set up [[#Auto-mounting on login|auto-mounting]], the password needs to be the same as the user's login password for it to work correctly. The process will finish by printing out the master key. Store the master key somewhere secure - it can be used to recover the filesystem data if the password is lost:<br />
<br />
{{bc|<br />
Choose a password for protecting your files.<br />
Password: <br />
Repeat:<br />
<br />
Your master key is:<br />
<br />
00000000-11111111-22222222-33333333-<br />
44444444-55555555-66666666-77777777<br />
<br />
If the gocryptfs.conf file becomes corrupted or you ever forget your password,<br />
there is only one hope for recovery: The master key. Print it to a piece of<br />
paper and store it in a drawer. This message is only printed once.<br />
The gocryptfs filesystem has been created successfully.<br />
You can now mount it using: gocryptfs /home/''$user''.cipher MOUNTPOINT<br />
}}<br />
<br />
If the user's home directory is empty, you can skip to configuring [[#Auto-mounting on login|auto-mounting]].<br />
<br />
Otherwise, you will now need to mount the newly created encrypted filesystem and copy the entirety of the user's home directory into it. As each file is copied in, it is encrypted by {{ic|gocryptfs}}. To avoid any programs changing files in the user's home directory in the middle of the copy operation, the user must be logged out. Then, as root:<br />
<br />
# Create the user's new home directory:<br />
{{bc|<br />
# mv /home/''$user'' /home/''$user''.old<br />
# mkdir -m 700 /home/''$user''<br />
# chown ''$user'' /home/''$user''<br />
# chgrp ''$user'' /home/''$user''<br />
}}<br />
<br />
# Mount the encrypted filesystem at the new home directory (enter the encryption password when prompted):<br />
{{bc|<br />
# gocryptfs /home/''$user''.cipher /home/''$user''<br />
}}<br />
<br />
# Copy all home directory files into the mounted filesystem:<br />
{{bc|<br />
# rsync -av /home/''$user''.old/ /home/''$user''/<br />
}}<br />
<br />
# Unmount the filesystem<br />
{{bc|<br />
# fusermount -u /home/''$user''<br />
}}<br />
<br />
=== Auto-mounting on login ===<br />
<br />
Requires that the fs be encrypted with login password.<br />
<br />
Uncomment variable in /etc/fuse.conf<br />
<br />
Edit /etc/security/pam_mount.conf.xml<br />
Create /etc/pam.d/homedirs<br />
Edit /etc/pam.d/system-local-login /etc/pam.d/system-remote-login<br />
<br />
=== Securely delete unencrypted home copies ===<br />
<br />
Ext 4 makes this hard.</div>Lukeus Maximushttps://wiki.archlinux.org/index.php?title=User:Lukeus_Maximus&diff=641889User:Lukeus Maximus2020-11-19T13:32:27Z<p>Lukeus Maximus: </p>
<hr />
<div>= Home directory encryption =<br />
<br />
One common use of stacked filesystem encryption is to encrypt a user's home directory.<br />
<br />
If the home directory exists on an [[Ext4]] filesystem then this form of [[Data-at-rest_encryption]] should be set up before any data is stored in the home directory (preferably just after creation). This is because Ext4 is a ''journaled'' filesystem; if existing unencrypted files are copied into the new encrypted directory, the old unencrypted version of the file is generally recoverable from the Ext4 filesystem. To make the old unencrypted versions of these files unrecoverable, a secure deletion technique must be used on them.<br />
<br />
This article covers the cases where the home directory is empty and where it already contains user data. <br />
<br />
== Example using gocryptfs ==<br />
<br />
Install [[gocryptfs]]. If the home directory is not empty, also install [[rsync]].<br />
<br />
As root, create the directory {{ic|/home/''$user''.cipher}}<br />
<br />
# mkdir /home/''$user''.cipher<br />
<br />
Change its permissions, owner, and group so that it matches that of the user's existing home directory.<br />
<br />
# chown ''$user'' /home/''$user''.cipher<br />
# chgrp ''$user'' /home/''$user''.cipher<br />
# chmod 700 /home/''$user''.cipher<br />
<br />
Then set up the encrypted filesystem using {{ic|gocryptfs}} on the {{ic|/home/''$user''.cipher}} directory.<br />
<br />
$ gocryptfs -init /home/''$user''.cipher<br />
<br />
When prompted, enter the password to be used for encryption. If you intend to set up auto-mounting, the password needs to be the same as the user's login password for it to work correctly. The process will finish by printing out the master key. Store the master key somewhere secure - it can be used to recover the filesystem data if the password is lost.<br />
<br />
<code><br />
Choose a password for protecting your files.<br />
Password: <br />
Repeat:<br />
<br />
Your master key is:<br />
<br />
00000000-11111111-22222222-33333333-<br />
44444444-55555555-66666666-77777777<br />
<br />
If the gocryptfs.conf file becomes corrupted or you ever forget your password,<br />
there is only one hope for recovery: The master key. Print it to a piece of<br />
paper and store it in a drawer. This message is only printed once.<br />
The gocryptfs filesystem has been created successfully.<br />
You can now mount it using: gocryptfs /home/''$user''.cipher MOUNTPOINT<br />
</code><br />
<br />
Logout of user and login as root<br />
As root in /home<br />
Move $user to $user.old<br />
Move $user.new to $user<br />
Mount .cipher to $user with gocryptfs<br />
Copy everything in with rsync -av<br />
Unmount $user with fusermount -u<br />
<br />
=== Auto-mounting on login ===<br />
<br />
Requires that the fs be encrypted with login password.<br />
<br />
Uncomment variable in /etc/fuse.conf<br />
<br />
Edit /etc/security/pam_mount.conf.xml<br />
Create /etc/pam.d/homedirs<br />
Edit /etc/pam.d/system-local-login /etc/pam.d/system-remote-login<br />
<br />
=== Securely delete unencrypted home copies ===<br />
<br />
Ext 4 makes this hard.</div>Lukeus Maximushttps://wiki.archlinux.org/index.php?title=User:Lukeus_Maximus&diff=641840User:Lukeus Maximus2020-11-18T16:39:04Z<p>Lukeus Maximus: Created page with "--- = Home directory encryption = One common use of stacked filesystem encryption is to encrypt a user's home directory. == Backup Home directory == Log out of user, log in..."</p>
<hr />
<div>---<br />
= Home directory encryption =<br />
<br />
One common use of stacked filesystem encryption is to encrypt a user's home directory.<br />
<br />
== Backup Home directory ==<br />
Log out of user, log in as root<br />
use {{ic|rsync}}<br />
<br />
== Using gocryptfs ==<br />
<br />
Install [[gocryptfs]]<br />
<br />
Create $user.cipher and $user.new directories in /home<br />
Change owner and group of both<br />
<br />
Set up gocryptfs in that directory as the user.<br />
Save master key somewhere<br />
Create empty directory at $user.new<br />
Mount $user.cipher to $user.new with gocryptfs<br />
<br />
<br />
As root, move user home to .old<br />
As user, <br />
Copy everything in with rsync<br />
<br />
<br />
=== Auto mounting on login ===<br />
<br />
Uncomment variable in /etc/fuse.conf<br />
<br />
Edit /etc/security/pam_mount.conf.xml<br />
Create /etc/pam.d/homedirs<br />
Edit /etc/pam.d/system-local-login /etc/pam.d/system-remote-login<br />
<br />
=== Remove unencrypted home copies ===</div>Lukeus Maximushttps://wiki.archlinux.org/index.php?title=I3&diff=457021I32016-11-17T18:29:24Z<p>Lukeus Maximus: /* Installation */ Added note about dmenu not being installed by default to un-confuse i3 users from other OSes.</p>
<hr />
<div>{{DISPLAYTITLE:i3}}<br />
[[Category:Tiling WMs]]<br />
[[Category:Dynamic WMs]]<br />
[[ja:i3]]<br />
[[ko:I3]]<br />
[[ru:I3]]<br />
[[zh-CN:I3]]<br />
{{Related articles start}}<br />
{{Related|Desktop environment}}<br />
{{Related|Display manager}}<br />
{{Related|File manager functionality}}<br />
{{Related|Window manager}}<br />
{{Related|Comparison of tiling window managers}}<br />
{{Related|Clipboard}}<br />
{{Related|Autostarting#Graphical}}<br />
{{Related articles end}}<br />
[http://i3wm.org/ i3] is a dynamic [[Wikipedia:Tiling window manager|tiling window manager]] inspired by [[wmii]] that is primarily targeted at developers and advanced users.<br />
<br />
The stated goals for i3 include clear documentation, proper multi-monitor support, a tree structure for windows, and different modes like in [[vim]].<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Grp|i3}} [[Pacman#Installing package groups|package group]]. It includes the window manager {{Pkg|i3-wm}}, {{Pkg|i3status}} which writes a status line to i3bar through [[Wikipedia:Standard streams#Standard output (stdout)|stdout]], and {{Pkg|i3lock}}, a screen locker. If you want to use dmenu, you will need to install it separately.<br />
<br />
Additional packages are available in the [[Arch User Repository]]. See the section [[#Patches]] for examples.<br />
<br />
=== Display manager ===<br />
<br />
{{Pkg|i3-wm}} includes {{ic|i3.desktop}} as [[Xsession]] which starts the window manager. {{ic|i3-with-shmlog.desktop}} enables logs (useful for debugging). {{AUR|i3-gnome}} integrates {{ic|i3}} into [[GNOME]].<br />
<br />
=== xinitrc ===<br />
<br />
Edit [[Xinitrc]], and add:<br />
<br />
exec i3<br />
<br />
To log the output from i3, add this line instead:<br />
<br />
exec i3 -V >> ~/i3log-$(date +'%F-%k-%M-%S') 2>&1<br />
<br />
== Usage ==<br />
<br />
See the [http://i3wm.org/docs official documentation] for more information, namely the [http://i3wm.org/docs/userguide.html i3 User’s Guide].<br />
<br />
=== Keybindings ===<br />
<br />
In i3, commands are invoked with a modifier key, referred to as {{ic|$mod}}. This is {{ic|Alt}} (Mod1) by default, with {{ic|Super}} (Mod4) being a popular alternative. Super is the key usually represented on a keyboard as a Windows icon, or on an Apple keyboard as a Command key.<br />
<br />
See the [http://i3wm.org/docs/refcard.html i3 reference card] and [http://i3wm.org/docs/userguide.html#_using_i3 Using i3] for the defaults. See [http://i3wm.org/docs/userguide.html#keybindings Keyboard bindings] to add new shortcuts.<br />
<br />
Users of non-Qwerty keyboard layouts may wish to circumvent the "configuration wizard" as [[#Configuration wizard and alternative keyboard layouts|described below]].<br />
<br />
=== Containers ===<br />
<br />
i3 manages windows in a tree structure, with containers as building blocks. This structure branches with horizontal or vertical splits. Containers are tiled by default, but can be set to tabbed or stacked layouts, as well as made floating (such as for dialog windows). Floating windows are always on top.<br />
<br />
See [http://i3wm.org/docs/userguide.html#_tree i3 Tree] and [http://www.youtube.com/watch?v=AWA8Pl57UBY Containers and the tree data structure] for details.<br />
<br />
=== Application launcher ===<br />
<br />
i3 uses [[dmenu]] as an application launcher, which is bound by default to {{ic|$mod+d}}.<br />
<br />
{{Pkg|i3-wm}} contains ''i3-dmenu-desktop'', a [[Wikipedia:Perl|Perl]] wrapper for ''dmenu'' which uses [[desktop entries]] to create a list of all installed applications. Alternatively, the package {{AUR|j4-dmenu-desktop-git}} can be used.<br />
<br />
== Configuration ==<br />
<br />
See [http://i3wm.org/docs/userguide.html#configuring Configuring i3] for details. The rest of this article assumes the ''i3'' configuration file to be in the folder {{ic|~/.config}}.<br />
<br />
=== Configuration wizard and alternative keyboard layouts ===<br />
<br />
When ''i3'' is first started, it offers to run the configuration wizard ''i3-config-wizard''. This tool creates {{ic|~/.config/i3/config}} by rewriting a template configuration file in {{ic|/etc/i3/config.keycodes}}. It makes two modifications to the default template: <br />
<br />
# It asks the user to choose a default modifier key, which it adds to the template as a single line, like {{ic|set $mod Mod1}}; and <br />
# it replaces all ''bindcode'' lines with ''bindsym'' lines corresponding to the user's current keyboard layout.<br />
<br />
Step 2 is designed to ensure that the four navigation shortcuts, {{ic|j}}, {{ic|k}}, {{ic|l}} and "semicolon" on a Qwerty keyboard, will be mapped to keysyms which have the same location, e.g. {{ic|h}}, {{ic|t}}, {{ic|n}}, {{ic|s}} on a [[Dvorak]] keyboard. The side-effect of this magic is that up to fifteen other keysyms may be remapped in ways which break the mnemonics - so that, for a Dvorak user, "restart" is bound to {{ic|$mod1+p}} instead of {{ic|$mod1+r}}, "split horizontally" is bound to {{ic|$mod1+d}} instead of {{ic|$mod1+h}}, and so on.<br />
<br />
Therefore, users of alternate keyboard layouts who want straightforward key bindings, which match the bindings given in tutorials, may prefer to circumvent the "config wizard". This can be done by just copying {{ic|/etc/i3/config}} into {{ic|~/.config/i3/config}} (or {{ic|~/.i3/config}}), and editing that file.<br />
<br />
Note that a keycode-based configuration is also possible, e.g. for users who often switch between keyboard layouts, but want the i3 bindings to stay the same.<br />
<br />
=== Colorschemes ===<br />
<br />
The configuration file allows for customization of window decoration colors, but the syntax makes it impractical to create or share themes. There are several projects which make this easier and include a variety of user-contributed themes.<br />
<br />
* {{App|i3-style|Modifies your config in place from a theme stored in a JSON object, designed for frequently tweaking or changing a colorscheme|https://github.com/acrisci/i3-style|{{Aur|nodejs-i3-style}}{{Broken package link|{{aur-mirror|nodejs-i3-style}}}}}}<br />
* {{App|j4-make-config|Merge your config with a collection of themes or personal config parts, for example host-specific configuration, allowing quick changing of the theme and flexible, dynamic customization of the configuration|https://github.com/okraits/j4-make-config|{{Aur|j4-make-config-git}}}}<br />
<br />
=== i3bar ===<br />
<br />
In addition to showing workspace information, i3bar can act as an input for i3status or an alternative, such as those mentioned in the next section. For example:<br />
<br />
{{hc|~/.config/i3/config|2=<br />
bar {<br />
output LVDS1<br />
status_command i3status<br />
position top<br />
mode hide<br />
workspace_buttons yes<br />
tray_output none<br />
<br />
font -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1<br />
<br />
colors {<br />
background #000000<br />
statusline #ffffff<br />
<br />
focused_workspace #ffffff #285577<br />
active_workspace #ffffff #333333<br />
inactive_workspace #888888 #222222<br />
urgent_workspace #ffffff #900000<br />
}<br />
}<br />
}}<br />
<br />
See the [http://i3wm.org/docs/userguide.html#_configuring_i3bar Configuring i3bar] for details.<br />
<br />
==== i3bar alternatives ====<br />
<br />
Some users may prefer panels such as those provided by conventional [[Desktop environment|Desktop Environments]]. This can be achieved within i3 by launching the panel application of choice during startup.<br />
<br />
For the [[Xfce#Panel|XFCE panel]]{{Broken section link}}, add the following line anywhere in {{ic|~/.config/i3/config}}:<br />
<br />
exec --no-startup-id xfce4-panel --disable-wm-check<br />
<br />
i3bar can be disabled by commenting the {{ic|<nowiki>bar{ }</nowiki>}} section of {{ic|~/.config/i3/config}}, or defining a keybind to toggle the bar:<br />
<br />
{{hc|~/.config/i3/config|<br />
# bar toggle, hide or show <br />
bindsym $mod+m bar mode toggle<br />
}}<br />
<br />
=== i3status ===<br />
<br />
Copy over the default configuration files to the home directory:<br />
<br />
$ cp /etc/i3status.conf ~/.config/i3status/config<br />
<br />
Not all plugins are defined in the default configuration and some configuration values may be invalid for your system, so they need to be updated accordingly. See {{ic|man i3status}} for details.<br />
<br />
==== i3status replacements ====<br />
<br />
* {{App|[[conky]]| Highly extensible system monitor. For usage with i3bar see [http://i3wm.org/docs/user-contributed/conky-i3bar.html this tutorial] |https://github.com/brndnmtthws/conky|{{Pkg|conky}}}}<br />
* {{App|[[i3blocks]]|Extensible via shell scripts. It can handle click events, interrupts, and defining of refresh intervals on a per-block basis.|https://github.com/vivien/i3blocks|{{AUR|i3blocks}}}}<br />
* {{App|i3pystatus|Extensible Python 3 status bar with many plugins and configuration options by default.|https://github.com/enkore/i3pystatus i3pystatus|{{AUR|i3pystatus-git}}}}<br />
* {{App|i3situation|Another Python 3 status bar generator.|https://github.com/HarveyHunt/i3situation|{{Aur|i3situation-git}}}}<br />
* {{App|j4status|Provides a statusline, configurable via plugins, and written in C. Extra plugins are provided by {{Aur|j4status-plugins-git}}.|http://j4status.j4tools.org/|{{Aur|j4status-git}}}}<br />
* {{App|goi3bar|i3status replacement written in Go. Configuration-file driven with several plugins, concurrency options, and rich plugin support.|https://github.com/denbeigh2000/goi3bar/|{{Aur|goi3bar-git}}}}<br />
* {{App|goblocks|Fast, lightweight i3status replacement written in Go.|https://github.com/davidscholberg/goblocks|{{Aur|goblocks}}}}<br />
* {{App|bumblebee-status|Theme-able Python status bar generator.|https://github.com/tobi-wan-kenobi/bumblebee-status}}<br />
* {{App|ty3status|i3status replacement written in Typescript. Built with first class support for javascript blocks.|https://github.com/mrkmg/ty3status|{{Aur|ty3status-git}}}}<br />
<br />
==== i3status wrappers ====<br />
<br />
* {{App|i3cat|A [[go]] based wrapper which can concatenate inputs from multiple external sources. It can handle click events and forwarding user specified signals to its subprocesses.|http://vincent-petithory.github.io/i3cat/|{{AUR|i3cat-git}}}}<br />
* {{App|py3status|An extensible i3status wrapper written in Python.|https://github.com/ultrabug/py3status|{{Aur|py3status}}}}<br />
<br />
==== Iconic fonts in the status bar ====<br />
<br />
''i3bar'' can be [[#Patches|patched]] for XBM icon support, but you can use iconic font sets instead.<br />
<br />
* {{App|ttf-font-awesome|Scalable vector icons that can be customized with CSS. A [http://fortawesome.github.io/Font-Awesome/cheatsheet/ cheatsheet] shows the Unicode point for each glyph.|http://fortawesome.github.io/Font-Awesome/|{{AUR|ttf-font-awesome}}}}<br />
* {{App|ttf-font-icons|Non-overlapping and consistently sized mix of Awesome and Ionicons. This also avoids minor overlapping between DejaVu Sans and Awesome.|http://kageurufu.net/icons.pdf|{{AUR|ttf-font-icons}}}}.<br />
<br />
To combine fonts, define a font fallback sequence in your configuration file, separating fonts with {{ic|,}} like so:<br />
{{hc|~/.config/i3/config|2=<br />
bar {<br />
...<br />
font pango:DejaVu Sans Mono, Icons 8<br />
...<br />
}<br />
}}<br />
<br />
In accordance with [https://developer.gnome.org/pango/stable/pango-Fonts.html#pango-font-description-from-string pango syntax], font size is specified only once, at the end of the comma-separated list of font families. Setting a size for each font would cause all but the last font to be ignored.<br />
<br />
Add icons to the format strings in {{ic|~/.config/i3status/config}} using the unicode numbers given in the cheatsheets linked above. The input method will vary between text editors. For instance, to insert the "heart" icon (unicode number f004):<br />
<br />
{{Merge|Internationalization|Should be described in one place; see also [[ArchWiki:Requests#Input methods]].}}<br />
<br />
* in various gui text editors (e.g. [[gedit]], Leafpad) and terminals (e.g. GNOME Terminal, xfce4-terminal): {{ic|ctrl+shift+u}}, {{ic|f004}}, {{ic|Enter}}<br />
* in [[Emacs]]: {{ic|ctrl+x}}, {{ic|8}}, {{ic|Enter}}, {{ic|f004}}, {{ic|Enter}}<br />
* in [[Vim]] (while in insert mode): {{ic|Ctrl+v}}, {{ic|uf004}}<br />
* in [[urxvt]]: while holding {{ic|Ctrl+Shift}}, type {{ic|f004}}<br />
<br />
=== Terminal emulator ===<br />
<br />
By default, pressing {{ic|$mod+Return}} launches {{ic|i3-sensible-terminal}}, a script that invokes a terminal. See {{ic|man i3-sensible-terminal}} for the order in which terminals are tried.<br />
<br />
To instead launch a terminal of choice, modify this line in {{ic|~/.config/i3/config}}:<br />
<br />
bindsym $mod+Return exec i3-sensible-terminal<br />
<br />
Alternatively, set the {{ic|$TERMINAL}} [[environment variable]].<br />
<br />
== Tips and tricks ==<br />
<br />
=== Advanced window navigation ===<br />
<br />
See [http://www.slackword.net/?p=657 i3 window Navigation Tips].<br />
<br />
=== Jump to open window ===<br />
<br />
*{{App|quickswitch-i3|Python utility to quickly change to and locate windows in i3|https://github.com/proxypoke/quickswitch-for-i3|{{Aur|quickswitch-i3}}}}<br />
*{{App|i3-wm-scripts|search for and jump to windows with particular names matching regexp|https://github.com/yiuin/i3-wm-scripts||}}<br />
*{{App|winmenupy|Launches dmenu with a list of clients, sorted after workspaces. Selecting a client jumps to that window.|https://github.com/ziberna/i3-py/blob/master/examples/winmenu.py||}}<br />
*{{App|[[rofi]]|Search and jump to open and scratchpad window|https://davedavenport.github.io/rofi/|{{Pkg|rofi}}}}<br />
<br />
=== Jump to urgent window ===<br />
<br />
Add to {{ic|.i3/config}}: [https://faq.i3wm.org/question/853/how-to-jump-to-urgent-workspace/]<br />
<br />
bindsym $mod+x [urgent=latest] focus<br />
<br />
=== Save and restore the window layout ===<br />
<br />
From version 4.8 onward, ''i3'' can save and restore workspace layouts. To do this, the following packages are needed: {{Pkg|perl-anyevent-i3}} and {{Pkg|perl-json-xs}} from the [[official repositories]].<br />
<br />
{{note|This section only provides a quick tutorial on how to save the current window layout of a single workspace and how to restore it for later use. Refer to the [http://i3wm.org/docs/layout-saving.html official documentation] for more details.}}<br />
<br />
==== Save the current window layout of a single workspace ====<br />
<br />
To save the current window layout, follow these steps:<br />
<br />
# First, execute various commands to open windows in a preferred workspace and resize them if needed. Make sure to write down each executed command for each window.<br />
# Now, in a new workspace, open a terminal and run the following: {{bc|i3-save-tree --workspace N > ~/.i3/workspace_N.json}} where N is the number of the preferred workspace. This will save the current layout of workspace N to the file {{ic|~/.i3/workspace_N.json}}.<br />
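# The newly created file needs to be edited. This may be done with the following commands, which write to a temporary file first because redirecting the pipeline straight into the file it reads from can truncate it before it is read: {{bc|<nowiki>tail -n +2 ~/.i3/workspace_N.json | grep -Fv '// splitv' | sed 's|//||g' > ~/.i3/workspace_N.json.tmp && mv ~/.i3/workspace_N.json.tmp ~/.i3/workspace_N.json</nowiki>}}<br />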
<br />
==== Restore the window layout of the workspace ====<br />
<br />
There are two ways to restore the layout of the workspace: by writing a script, or by editing {{ic|~/.i3/config}} to automatically load the layout. In this section only the first case will be considered, refer to the [http://i3wm.org/docs/layout-saving.html#_restoring_the_layout official documentation] for the second case.<br />
<br />
To restore the saved layout in the previous section, write a file named {{ic|load_layout.sh}} with the following contents:<br />
<br />
* The starting lines:<br />
<br />
{{hc|head=~/load_layout.sh|output=<br />
#!/bin/bash<br />
i3-msg "workspace M; append_layout ~/.i3/workspace_N.json"<br />
}}<br />
<br />
where M is the number of the workspace in which you would like to load the previously saved layout and N is the number of workspace saved in the previous section.<br />
* And the commands used in the previous section to get the preferred windows, but enclosed in parentheses and with an ampersand appended before the last parentheses.<br />
<br />
For example, if the saved layout contained three {{ic|uxterm}} windows:<br />
<br />
{{hc|head=~/load_layout.sh|output=<br />
#!/bin/bash<br />
<br />
# First we append the saved layout of workspace N to workspace M<br />
i3-msg "workspace M; append_layout ~/.i3/workspace_N.json"<br />
<br />
# And finally we fill the containers with the programs they had<br />
(uxterm &)<br />
(uxterm &)<br />
(uxterm &)<br />
}}<br />
<br />
Then set the file as executable:<br />
<br />
chmod u+x ~/load_layout.sh<br />
<br />
And finally, the layout of workspace N can be loaded onto workspace M by running:<br />
<br />
~/load_layout.sh<br />
<br />
{{tip|Adding {{ic|bindsym $mod+g exec ~/load_layout.sh}} to {{ic|~/.i3/config}} and restarting i3 will bind Mod+g to run the above script.}}<br />
<br />
{{note|If the above script does not work properly, refer to the [http://i3wm.org/docs/layout-saving.html#_editing_layout_files official documentation]. The ''swallows'' sections of {{ic|~/.i3/workspace_N.json}} need to be manually edited.}}<br />
<br />
=== Scratchpad containers ===<br />
<br />
By default, [http://i3wm.org/docs/userguide.html#_scratchpad scratchpads] only contain a single window. However, containers can also be made a scratchpad.<br />
<br />
Create a new container (for example, {{ic|Mod+Enter}}), split it ({{ic|Mod+v}}) and create another container. Focus the parent ({{ic|Mod+a}}), split in the opposite direction ({{ic|Mod+h}}), and create again. <br />
<br />
Focus the first container (with focus parent as needed), make the window floating ({{ic|Mod+Shift+Space}}), and move it to the scratchpad ({{ic|Mod+Shift+-}}). You can now split containers to preference.<br />
<br />
{{Note|Containers cannot be resized individually in floating windows. Resize the containers before making windows floating.}}<br />
{{Tip|When only using terminal applications, consider a multiplexer such as [[tmux]] instead.}}<br />
<br />
See also [https://faq.i3wm.org/question/138/multiple-scratchpad/i3] for multiple scratchpads.<br />
<br />
=== Screensaver and power management ===<br />
<br />
With [[Power management#xss-lock]] you can register a screenlocker for your i3 session. The {{ic|-time}} option locks the screen after a given time period.<br />
<br />
xautolock -time 10 -locker "i3lock -i 'background_image.png'" &<br />
<br />
A [[systemd]] service file can be used to lock the screen before the system is being sent to sleep or hibernation state. See [[Power management#Suspend/resume service files]]. Note that i3lock requires the type of the service to be {{ic|forking}}.<br />
<br />
See also [[DPMS]].<br />
<br />
=== Shutdown, reboot, lock screen ===<br />
<br />
Key combinations for shutdown, reboot and screenlock can be added to {{ic|~/.config/i3/config}}. The below example assumes you have {{Pkg|polkit}} installed to allow unprivileged users to run [[systemd#Power_management|power management]] commands.<br />
<br />
{{bc|<br />
set $Locker i3lock && sleep 1<br />
<br />
set $mode_system System (l) lock, (e) logout, (s) suspend, (h) hibernate, (r) reboot, (Shift+s) shutdown<br />
mode "$mode_system" {<br />
bindsym l exec --no-startup-id $Locker, mode "default"<br />
bindsym e exec --no-startup-id i3-msg exit, mode "default"<br />
bindsym s exec --no-startup-id $Locker && systemctl suspend, mode "default"<br />
bindsym h exec --no-startup-id $Locker && systemctl hibernate, mode "default"<br />
bindsym r exec --no-startup-id systemctl reboot, mode "default"<br />
bindsym Shift+s exec --no-startup-id systemctl poweroff -i, mode "default" <br />
<br />
# back to normal: Enter or Escape<br />
bindsym Return mode "default"<br />
bindsym Escape mode "default"<br />
}<br />
<br />
bindsym $mod+Pause mode "$mode_system"<br />
}}<br />
<br />
Once completed, you will be presented with a prompt whenever you press {{ic|$mod+pause}}. For more complex behaviour, use a separate script, and refer to it in the mode. [https://gist.github.com/anonymous/c8cd0a59bf4acb273068]<br />
<br />
{{Note|1=<br><br />
* {{ic|sleep 1}} adds a small delay to prevent possible race conditions with suspend [https://bugs.launchpad.net/ubuntu/+source/unity-2d/+bug/830348]<br />
* The {{ic|-i}} argument for {{ic|systemctl poweroff}} causes a shutdown even if other users are logged-in (this requires {{Pkg|polkit}}), or when ''logind'' (wrongly) assumes so. [https://bugs.freedesktop.org/show_bug.cgi?id=62676]<br />
}}<br />
<br />
For a list of alternative screen lockers, see [[List of applications/Security#Screen lockers]].<br />
<br />
=== External displays manual management ===<br />
<br />
Thanks to [[xrandr]] there are many ways to easily manage a system's displays. The example below integrates it into the i3 config file and behaves like the power management mode in the section above.<br />
<br />
Here a laptop with both VGA and HDMI outputs will use a menu selection to switch them On/Off:<br />
<br />
## Manual management of external displays<br />
# Set the shortcuts and what they do<br />
set $mode_display Ext Screen (v) VGA ON, (h) HDMI ON, (x) VGA OFF, (y) HDMI OFF<br />
mode "$mode_display" {<br />
bindsym v exec --no-startup-id xrandr --output VGA1 --auto --right-of LVDS1, mode "default"<br />
bindsym h exec --no-startup-id xrandr --output HDMI1 --auto --right-of LVDS1, mode "default"<br />
bindsym x exec --no-startup-id xrandr --output VGA1 --auto --off, mode "default"<br />
bindsym y exec --no-startup-id xrandr --output HDMI1 --auto --off, mode "default"<br />
<br />
# back to normal: Enter or Escape<br />
bindsym Return mode "default"<br />
bindsym Escape mode "default"<br />
}<br />
# Declare here the shortcut to bring the display selection menu<br />
bindsym $mod+x mode "$mode_display"<br />
<br />
Any window that is still open in a switched Off display will automatically come back to the remaining active display.<br />
<br />
The simplest way to determine names of your devices is to plug the device you wish to use and run:<br />
<br />
$ xrandr --query<br />
<br />
which will output the available, recognized devices and their in-system names to set your config file appropriately. <br />
<br />
Refer to the [[xrandr]] page or man page for the complete list of available options, the [http://i3wm.org/docs/userguide.html i3 userguide] and/or the [https://www.reddit.com/r/i3wm i3 FAQ on reddit] for more info.<br />
<br />
=== Tabbed or stacked web-browsing ===<br />
<br />
Some web-browsers intentionally do not implement tabs, since managing tabs is considered to be the task of the window manager, not the task of the browser.<br />
<br />
To let i3 manage your tab-less web-browser, in this example for [[uzbl]], add the following line to your {{ic|~/.config/i3/config}}<br />
<br />
for_window [class="Uzbl-core"] focus child, layout stacking, focus<br />
<br />
This is for stacked web browsing, meaning that the windows will be shown vertically. The advantage over tabbed browsing is that the window-titles are fully visible, even if a lot of browser windows are open.<br />
<br />
If you prefer tabbed browsing, with windows in horizontal direction ('tabs'), use<br />
<br />
for_window [class="Uzbl-core"] focus child, layout tabbed, focus<br />
<br />
=== Workspace variables ===<br />
<br />
As workspaces are defined multiple times in i3, assigning workspace variables can be helpful. For example:<br />
<br />
set $WS1 term<br />
set $WS2 web<br />
set $WS3 misc<br />
set $WS4 media<br />
set $WS5 code<br />
<br />
Then replace workspace names with their matching variables:<br />
<br />
bindsym $mod+1 workspace $WS1<br />
...<br />
bindsym $mod+Shift+1 move container to workspace $WS1<br />
<br />
See [http://i3wm.org/docs/userguide.html#_changing_named_workspaces_moving_to_workspaces Changing named workspaces] for more information.<br />
<br />
=== Correct handling of floating dialogs ===<br />
<br />
While dialogs should open in floating mode by default [http://i3wm.org/docs/userguide.html#_floating], many still open in tiling mode. To change this behaviour, check the dialog's {{ic|WM_WINDOW_ROLE}} with {{pkg|xorg-xprop}} and add the correct rules to {{ic|~/.i3/config}} (using [http://www.pcre.org/ pcre] syntax):<br />
<br />
for_window [window_role="pop-up"] floating enable<br />
for_window [window_role="task_dialog"] floating enable<br />
<br />
You can also use title rules and regular expressions:<br />
<br />
for_window [title="Preferences$"] floating enable<br />
<br />
or {{ic|WM_CLASS}}:<br />
<br />
for_window [class="(?i)mplayer"] floating enable<br />
<br />
=== Network Download/Upload speed on statusbar ===<br />
<br />
You might adapt this upstream [http://code.stapelberg.de/git/i3status/tree/contrib/measure-net-speed.bash script]. For that,<br />
<br />
* rename both network cards according to your system (use {{ic|ip addr}})<br />
* find them on {{ic|/sys/devices}} then replace them appropriately:<br />
$ find /sys/devices -name ''network_interface''<br />
<br />
{{Tip|Use {{ic|/sys/class/net/''interface''/statistics/}} to not depend on PCI location.}}<br />
<br />
Now, just save the script in a suitable place (for example {{ic|~/.config/i3}}) and point your status program to it.<br />
<br />
== Patches ==<br />
<br />
{{Merge|#Installation|One package does not warrant a separate section}}<br />
<br />
Packages with patches not merged upstream are available in the [[AUR]]:<br />
<br />
* {{App|i3-wm-iconpatch|Titlebar icon support|https://github.com/ashinkarov/i3-extras|{{AUR|i3-wm-iconpatch}}}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== General ===<br />
<br />
In many cases, bugs are fixed in the development versions {{AUR|i3-git}} and {{AUR|i3status-git}}, and upstream will ask to reproduce any errors with this version. [http://i3wm.org/docs/debugging.html] See also [[Debug - Getting Traces#General]].<br />
<br />
=== Buttons in the i3 message bar do not work ===<br />
<br />
Buttons such as "Edit config" in {{ic|i3-nagbar}} call {{ic|i3-sensible-terminal}}, so make sure your [[#Terminal_emulator|Terminal emulator]] is recognized by i3.<br />
<br />
=== Faulty line wraps in tiled terminals ===<br />
<br />
i3 v4.3 and higher ignore size increment hints for tiled windows [https://www.mail-archive.com/i3-discuss@i3.zekjur.net/msg00709.html]. This may cause terminals to wrap lines prematurely, amongst other issues. As a workaround, make the offending window floating, before tiling it again.<br />
<br />
=== Mouse cursor remains in waiting mode ===<br />
<br />
When starting a script or application which does not support startup notifications, the mouse cursor will remain in busy/watch/clock mode for 60 seconds.<br />
<br />
To solve this for a particular application, use the {{ic|--no-startup-id}} parameter, for example:<br />
exec --no-startup-id ~/script<br />
bindsym $mod+d exec --no-startup-id dmenu_run<br />
<br />
To disable this animation globally, see [[Cursor themes#Create links to missing cursors]].<br />
<br />
=== Unresponsive key bindings ===<br />
<br />
Some tools such as [[Taking_a_screenshot#scrot|scrot]] may not work when used with a regular key binding (executed after key press). In those cases, execute commands after key release with the {{ic|--release}} argument [http://i3wm.org/docs/userguide.html#keybindings]:<br />
<br />
bindsym --release Print exec --no-startup-id scrot<br />
bindsym --release Shift+Print exec --no-startup-id scrot -s<br />
<br />
=== Tearing ===<br />
<br />
i3 does [https://github.com/i3/i3/issues/661 not properly implement double buffering] hence tearing or flickering may occur. To prevent this, install and configure [[compton]]. [https://faq.i3wm.org/question/3279/do-i-need-a-composite-manager-compton.1#post-id-3282]<br />
<br />
=== Tray icons not visible ===<br />
<br />
The {{ic|tray_output primary}} directive may require setting a primary output with ''xrandr'', specifying the output explicitly or simply removing this directive. [https://github.com/i3/i3/issues/1144] See [[Xrandr]] for details. The default configuration created by i3-config-wizard no longer adds this directive to the configuration from i3 4.12.<br />
<br />
== See also ==<br />
<br />
* [http://i3wm.org Official website]<br />
* [http://www.funtoo.org/I3_Tiling_Window_Manager funtoo Wiki]<br />
* [http://code.stapelberg.de/git/i3 i3 Source code]<br />
* [https://github.com/ashinkarov/i3-extras i3-extras] - Collection of scripts and patches<br />
* [https://github.com/acrisci/i3ipc-glib i3ipc-glib] - A library for i3 extensions<br />
* [https://github.com/veelenga/i3ipc-ruby i3ipc-ruby] - An improved library for i3 extensions in Ruby<br />
* [http://www.j4tools.org/ j4tools] - non-official tools designed to work with i3<br />
<br />
'''Arch Linux Forums'''<br />
* [https://bbs.archlinux.org/viewtopic.php?id=99064 The i3 thread] - A general discussion about i3<br />
* [https://bbs.archlinux.org/viewtopic.php?id=103369 i3 desktop screenshots and config sharing]<br />
<br />
'''Screencasts'''<br />
* [http://www.youtube.com/watch?v=Wx0eNaGzAZU i3 window manager v4.1 screencast]<br />
* [https://www.youtube.com/watch?v=j1I63wGcvU4&index=1&list=PL5ze0DjYv5DbCv9vNEzFmP6sU7ZmkGzcf i3 window manager v4.1X screencasts]</div>Lukeus Maximus