| I'm sorry this is wrong. Full disk encryption combined with locking said encryption on suspend secures a machine from trivial invasions of privacy while not in use or theft of the machine. Cron implementations and individual jobs can intelligently figure out how to handle missed jobs while the machine was off or suspended. Example doing the missed job once at some interval after resuming, doing it per runtime interval instead of per calendar interval, just doing the next scheduled interval. Systemd has its own cron type implementation called timers and I'm sure it logically would work user jobs in at times the user is logged in, in the same way cron works around the fact that the user is sometimes suspended or off for indeterminate time frames. In most cases it wont even have to. Most users machines have a lifecycle like this POST 15 seconds
Optional FDE passphrase entry 10 seconds
Starting up 30 seconds to 2 minutes
User login 10 seconds
Operation some duration for hours to weeks
Shutdown The encrypted and or logged out state are transitory states on the way to the machines single owner entering credentials to access the device and the machine is only in those states 0.001% of its lifecycle. For people worried about substantial secrets as opposed to a thief stealing their personal data it may be wise to segregate THAT data on a separate encrypted volume that is only unlocked during use so that opening up your machine to watch cat videos on Youtube doesn't expose thousands of patient records or company secrets. Cron is only incompatible with homedir encryption if your scheme relies on time sensitive things which effect things OFF your computer happening ON your machine which is powered on frequently enough but not logged in as you sufficiently to complete the tasks it must also require data on your home dir to complete. I say it has to be factors that effect off computer items because otherwise the task can simply be done as soon as you log in. I say it must require data on your home dir to complete else your system can be told to do it for you. For the small number of cases where one might imagine a shared computer might be turned on enough but logged in as other users one can imagine ignoring homedir encyption and simply using FDE with multiple passphrases for individual users. This will necessarily be less secure as all users would be constrained by permissions by able to break into other users local data. At this point we have identified the use case that is actually incompatible. Shared computers with privileged local data with mutually untrustworthy users on which users need to regularly run tasks which require access to user data regardless of who is logged in. The logical solution to which is a server, segregation to be provided by different virtual machines if needed. |