homectl(1) — Linux manual page


HOMECTL(1)                         homectl                        HOMECTL(1)

NAME         top

       homectl - Create, remove, change or inspect home directories

SYNOPSIS         top

       homectl [OPTIONS...] {COMMAND} [NAME...]

DESCRIPTION         top

       homectl may be used to create, remove, change or inspect a user's
       home directory. It's primarily a command interfacing with
       systemd-homed.service(8) which manages home directories of users.

       Home directories managed by systemd-homed.service are self-contained,
       and thus include the user's full metadata record in the home's data
       storage itself, making them easy to migrate between machines. In
       particular, a home directory describes a matching user record, and
       every user record managed by systemd-homed.service also implies
       existence and encapsulation of a home directory. The user account and
       home directory become the same concept.

       The following backing storage mechanisms are supported:

       •   An individual LUKS2 encrypted loopback file for a user, stored in
           /home/*.home. At login the file system contained in this files is
           mounted, after the LUKS2 encrypted volume has been attached. The
           user's password is identical to the encryption passphrase of the
           LUKS2 volume. Access to data without preceding user
           authentication is thus not possible, even for the system
           administrator. This storage mechanism provides the strongest data
           security and is thus recommended.

       •   Similar, but the LUKS2 encrypted file system is located on
           regular block device, such as an USB storage stick. In this mode
           home directories and all data they include are nicely migratable
           between machines, simply by plugging the USB stick into different
           systems at different times.

       •   An encrypted directory using "fscrypt" on file systems that
           support it (at the moment this is primarily "ext4"), located in
           /home/*.homedir. This mechanism also provides encryption, but
           substantially weaker than LUKS2, as most file system metadata is
           unprotected. Moreover it currently does not support changing user
           passwords once the home directory has been created.

       •   A "btrfs" subvolume for each user, also located in
           /home/*.homedir. This provides no encryption, but good quota

       •   A regular directory for each user, also located in
           /home/*.homedir. This provides no encryption, but is a suitable
           fallback available on all machines, even where LUKS2, "fscrypt"
           or "btrfs" support is not available.

       •   An individual Windows file share (CIFS) for each user.

       Note that systemd-homed.service and homectl will not manage "classic"
       UNIX user accounts as created with useradd(8) or similar tools. In
       particular, this functionality is not suitable for managing system
       users (i.e. users with a UID below 1000) but is exclusive to regular
       ("human") users.

       Note that users/home directories managed via systemd-homed.service do
       not show up in /etc/passwd and similar files, they are synthesized
       via glibc NSS during runtime. They are thus resolvable and may be
       enumerated via the getent(1) tool.

       This tool interfaces directly with systemd-homed.service, and may
       execute specific commands on the home directories it manages. Since
       every home directory managed that way also defines a JSON user and
       group record these home directories may also be inspected and
       enumerated via userdbctl(1).

       Home directories managed by systemd-homed.service are usually in one
       of two states, or in a transition state between them: when "active"
       they are unlocked and mounted, and thus accessible to the system and
       its programs; when "inactive" they are not mounted and thus not
       accessible. Activation happens automatically at login of the user and
       usually can only complete after a password (or other authentication
       token) has been supplied. Deactivation happens after the user fully
       logged out. A home directory remains active as long as the user is
       logged in at least once, i.e. has at least one login session. When
       the user logs in a second time simultaneously the home directory
       remains active. It is deactivated only after the last of the user's
       sessions ends.

OPTIONS         top

       The following general options are understood (further options that
       control the various properties of user records managed by
       systemd-homed.service are documented further down):

           Read the user's JSON record from the specified file. If passed as
           "-" read the user record from standard input. The supplied JSON
           object must follow the structure documented in JSON User
           Records[1]. This option may be used in conjunction with the
           create and update commands (see below), where it allows
           configuring the user record in JSON as-is, instead of setting the
           individual user record properties (see below).

       --json=FORMAT, -J
           Controls whether to output the user record in JSON format, if the
           inspect command (see below) is used. Takes one of "pretty",
           "short" or "off". If "pretty" human-friendly whitespace and
           newlines are inserted in the output to make the JSON data more
           readable. If "short" all superfluous whitespace is suppressed. If
           "off" (the default) the user information is not shown in JSON
           format but in a friendly human readable formatting instead. The
           -J option picks "pretty" when run interactively and "short"

       --export-format=FORMAT, -E, -EE
           When used with the inspect verb in JSON mode (see above) may be
           used to suppress certain aspects of the JSON user record on
           output. Specifically, if "stripped" format is used the binding
           and runtime fields of the record are removed. If "minimal" format
           is used the cryptographic signature is removed too. If "full"
           format is used the full JSON record is shown (this is the
           default). This option is useful for copying an existing user
           record to a different system in order to create a similar user
           there with the same settings. Specifically: homectl inspect -EE |
           ssh root@othersystem homectl create -i- may be used as simple
           command line for replicating a user on another host.  -E is
           equivalent to -j --export-format=stripped, -EE to -j
           --export-format=minimal. Note that when replicating user accounts
           user records acquired in "stripped" mode will retain the original
           cryptographic signatures and thus may only be modified when the
           private key to update them is available on the destination
           machine. When replicating users in "minimal" mode, the signature
           is removed during the replication and thus the record will be
           implicitly signed with the key of the destination machine and may
           be updated there without any private key replication.

       -H, --host=
           Execute the operation remotely. Specify a hostname, or a username
           and hostname separated by "@", to connect to. The hostname may
           optionally be suffixed by a port ssh is listening on, separated
           by ":", and then a container name, separated by "/", which
           connects directly to a specific container on the specified host.
           This will use SSH to talk to the remote machine manager instance.
           Container names may be enumerated with machinectl -H HOST. Put
           IPv6 addresses in brackets.

       -M, --machine=
           Execute operation on a local container. Specify a container name
           to connect to.

           Do not pipe output into a pager.

           Do not print the legend, i.e. column headers and the footer with

           Do not query the user for authentication for privileged

       -h, --help
           Print a short help text and exit.

           Print a short version string and exit.


       The following options control various properties of the user
       records/home directories that systemd-homed.service manages. These
       switches may be used in conjunction with the create and update
       commands for configuring various aspects of the home directory and
       the user account:

       --real-name=NAME, -c NAME
           The real name for the user. This corresponds with the GECOS field
           on classic UNIX NSS records.

           The realm for the user. The realm associates a user with a
           specific organization or installation, and allows distinguishing
           users of the same name defined in different contexts. The realm
           can be any string that also qualifies as valid DNS domain name,
           and it is recommended to use the organization's or installation's
           domain name for this purpose, but this is not enforced nor
           required. On each system only a single user of the same name may
           exist, and if a user with the same name and realm is seen it is
           assumed to refer to the same user while a user with the same name
           but different realm is considered a different user. Note that
           this means that two users sharing the same name but with distinct
           realms are not allowed on the same system. Assigning a realm to a
           user is optional.

           Takes an electronic mail address to associate with the user. On
           log-in the $EMAIL environment variable is initialized from this

           Takes location specification for this user. This is free-form
           text, which might or might not be usable by geo-location
           applications. Example: --location="Berlin, Germany" or
           --location="Basement, Room 3a"

           Takes an icon name to associate with the user, following the
           scheme defined by the Icon Naming Specification[2].

       --home-dir=PATH, -dPATH
           Takes a path to use as home directory for the user. Note that
           this is the directory the user's home directory is mounted to
           while the user is logged in. This is not where the user's data is
           actually stored, see --image-path= for that. If not specified
           defaults to /home/$USER.

           Takes a preferred numeric UNIX UID to assign this user. If a user
           is to be created with the specified UID and it is already taken
           by a different user on the local system then creation of the home
           directory is refused. Note though, if after creating the home
           directory it is used on a different system and the configured UID
           is taken by another user there, then systemd-homed may assign the
           user a different UID on that system. The specified UID must be
           outside of the system user range. It is recommended to use the
           60001...60513 UID range for this purpose. If not specified, the
           UID is automatically picked. If the home directory is found to be
           owned by a different UID when logging in, the home directory and
           everything underneath it will have its ownership changed
           automatically before login completes.

           Note that users managed by systemd-homed always have a matching
           group associated with the same name as well as a GID matching the
           UID of the user. Thus, configuring the GID separately is not

       --member-of=GROUP, -G GROUP
           Takes a comma-separated list of auxiliary UNIX groups this user
           shall belong to. Example: --member-of=wheel to provide the user
           with administrator privileges. Note that systemd-homed does not
           manage any groups besides a group matching the user in name and
           numeric UID/GID. Thus any groups listed here must be registered
           independently, for example with groupadd(8). Any non-existent
           groups are ignored. This option may be used more than once, in
           which case all specified group lists are combined. If the user is
           currently a member of a group which is not listed, the user will
           be removed from the group.

           Takes a file system path to a directory. Specifies the skeleton
           directory to initialize the home directory with. All files and
           directories in the specified path are copied into any newly
           create home directory. If not specified defaults to /etc/skel/.

           Takes a file system path. Specifies the shell binary to execute
           on terminal logins. If not specified defaults to /bin/bash.

           Takes an environment variable assignment to set for all user
           processes. Note that a number of other settings also result in
           environment variables to be set for the user, including --email=,
           --timezone= and --language=. May be used multiple times to set
           multiple environment variables.

           Takes a time zone location name that sets the timezone for the
           specified user. When the user logs in the $TZ environment
           variable is initialized from this setting. Example:
           --timezone=Europe/Amsterdam will result in the environment
           variable "TZ=:Europe/Amsterdam". (":" is used intentionally as
           part of the timezone specification, see tzset(3).)

           Takes a specifier indicating the preferred language of the user.
           The $LANG environment variable is initialized from this value on
           login, and thus a value suitable for this environment variable is
           accepted here, for example --language=de_DE.UTF8.

           Either takes a SSH authorized key line to associate with the user
           record or a "@" character followed by a path to a file to read
           one or more such lines from. SSH keys configured this way are
           made available to SSH to permit access to this home directory and
           user record. This option may be used more than once to configure
           multiple SSH keys.

           Takes an RFC 7512 PKCS#11 URI referencing a security token (e.g.
           YubiKey or PIV smartcard) that shall be able to unlock the user
           account. The security token URI should reference a security token
           with exactly one pair of X.509 certificate and private key. A
           random secret key is then generated, encrypted with the public
           key of the X.509 certificate, and stored as part of the user
           record. At login time it is decrypted with the PKCS#11 module and
           then used to unlock the account and associated resources. See
           below for an example how to set up authentication with a security

           Instead of a valid PKCS#11 URI, the special strings "list" and
           "auto" may be specified. If "list" is passed, a brief table of
           suitable, currently plugged in PKCS#11 hardware tokens is shown,
           along with their URIs. If "auto" is passed, a suitable PKCS#11
           hardware token is automatically selected (this operation will
           fail if there isn't exactly one suitable token discovered). The
           latter is a useful shortcut for the most common case where a
           single PKCS#11 hardware token is plugged in.

           Note that many hardware security tokens implement both
           PKCS#11/PIV and FIDO2 with the "hmac-secret" extension (for
           example: the YubiKey 5 series), as supported with the
           --fido2-device= option below. Both mechanisms are similarly
           powerful, though FIDO2 is the more modern technology. PKCS#11/PIV
           tokens have the benefit of being recognizable before
           authentication and hence can be used for implying the user
           identity to use for logging in, which FIDO2 does not allow.
           PKCS#11/PIV devices generally require initialization (i.e.
           storing a private/public key pair on them, see example below)
           before they can be used; FIDO2 security tokens generally do not
           required that, and work out of the box.

           Takes a path to a Linux "hidraw" device (e.g.  /dev/hidraw1),
           referring to a FIDO2 security token implementing the
           "hmac-secret" extension that shall be able to unlock the user
           account. A random salt value is generated on the host and passed
           to the FIDO2 device, which calculates a HMAC hash of the salt
           using an internal secret key. The result is then used as the key
           to unlock the user account. The random salt is included in the
           user record, so that whenever authentication is needed it can be
           passed to the FIDO2 token again.

           Instead of a valid path to a FIDO2 "hidraw" device the special
           strings "list" and "auto" may be specified. If "list" is passed,
           a brief table of suitable discovered FIDO2 devices is shown. If
           "auto" is passed, a suitable FIDO2 token is automatically
           selected, if exactly one is discovered. The latter is a useful
           shortcut for the most common case where a single FIDO2 hardware
           token is plugged in.

           Note that FIDO2 devices suitable for this option must implement
           the "hmac-secret" extension. Most current devices (such as the
           YubiKey 5 series) do. If the extension is not implemented the
           device cannot be used for unlocking home directories.

           Note that many hardware security tokens implement both FIDO2 and
           PKCS#11/PIV (and thus may be used with either --fido2-device= or
           --pkcs11-token-uri=), for a discussion see above.

           Accepts a boolean argument. If enabled a recovery key is
           configured for the account. A recovery key is a computer
           generated access key that may be used to regain access to an
           account if the password has been forgotten or the authentication
           token lost. The key is generated and shown on screen, and should
           be printed or otherwise transferred to a secure location. A
           recovery key may be entered instead of a regular password to
           unlock the account.

           Takes a boolean argument. Specifies whether this user account
           shall be locked. If true logins into this account are prohibited,
           if false (the default) they are permitted (of course, only if
           authorization otherwise succeeds).

       --not-before=TIMESTAMP, --not-after=TIMESTAMP
           These options take a timestamp string, in the format documented
           in systemd.time(7) and configures points in time before and after
           logins into this account are not permitted.

       --rate-limit-interval=SECS, --rate-limit-burst=NUMBER
           Configures a rate limit on authentication attempts for this user.
           If the user attempts to authenticate more often than the
           specified number, on a specific system, within the specified time
           interval authentication is refused until the time interval
           passes. Defaults to 10 times per 1min.

           Takes a password hint to store alongside the user record. This
           string is stored accessible only to privileged users and the user
           itself and may not be queried by other users. Example:
           --password-hint="My first pet's name".

       --enforce-password-policy=BOOL, -P
           Takes a boolean argument. Configures whether to enforce the
           system's password policy for this user, regarding quality and
           strength of selected passwords. Defaults to on.  -P is short for

           Takes a boolean argument. If true the user is asked to change
           their password on next login.

       --password-change-min=TIME, --password-change-max=TIME,
       --password-change-warn=TIME, --password-change-inactive=TIME
           Each of these options takes a time span specification as argument
           (in the syntax documented in systemd.time(7)) and configures
           various aspects of the user's password expiration policy.
           Specifically, --password-change-min= configures how much time has
           to pass after changing the password of the user until the
           password may be changed again. If the user tries to change their
           password before this time passes the attempt is refused.
           --password-change-max= configures how soon after it has been
           changed the password expires and needs to be changed again. After
           this time passes logging in may only proceed after the password
           is changed.  --password-change-warn= specifies how much earlier
           than then the time configured with --password-change-max= the
           user is warned at login to change their password as it will
           expire soon. Finally --password-change-inactive= configures the
           time which has to pass after the password as expired until the
           user is not permitted to log in or change the password anymore.
           Note that these options only apply to password authentication,
           and do not apply to other forms of authentication, for example
           PKCS#11-based security token authentication.

           Either takes a size in bytes as argument (possibly using the
           usual K, M, G, ... suffixes for 1024 base values), or a
           percentage value and configures the disk space to assign to the
           user. If a percentage value is specified (i.e. the argument
           suffixed with "%") it is taken relative to the available disk
           space of the backing file system. If the LUKS2 backend is used
           this configures the size of the loopback file and file system
           contained therein. For the other storage backends configures disk
           quota using the filesystem's native quota logic, if available. If
           not specified, defaults to 85% of the available disk space for
           the LUKS2 backend and to no quota for the others.

           Takes a UNIX file access mode written in octal. Configures the
           access mode of the home directory itself. Note that this is only
           used when the directory is first created, and the user may change
           this any time afterwards. Example: --access-mode=0700

           Takes the access mode mask (in octal syntax) to apply to newly
           created files and directories of the user ("umask"). If set this
           controls the initial umask set for all login sessions of the
           user, possibly overriding the system's defaults.

           Takes the numeric scheduling priority ("nice level") to apply to
           the processes of the user at login time. Takes a numeric value in
           the range -20 (highest priority) to 19 (lowest priority).

           Allows configuration of resource limits for processes of this
           user, see getrlimit(2) for details. Takes a resource limit name
           (e.g.  "LIMIT_NOFILE") followed by an equal sign, followed by a
           numeric limit. Optionally, separated by colon a second numeric
           limit may be specified. If two are specified this refers to the
           soft and hard limits, respectively. If only one limit is
           specified the setting sets both limits in one.

           Takes a non-zero unsigned integer as argument. Configures the
           maximum numer of tasks (i.e. threads, where each process is at
           least one thread) the user may have at any given time. This limit
           applies to all tasks forked off the user's sessions, even if they
           change user identity via su(1) or a similar tool. Use
           --rlimit=LIMIT_NPROC= to place a limit on the tasks actually
           running under the UID of the user, thus excluding any child
           processes that might have changed user identity. This controls
           the TasksMax= setting of the per-user systemd slice unit
           user-$UID.slice. See systemd.resource-control(5) for further

       --memory-high=BYTES, --memory-max=BYTES
           Set a limit on the memory a user may take up on a system at any
           given time in bytes (the usual K, M, G, ... suffixes are
           supported, to the base of 1024). This includes all memory used by
           the user itself and all processes they forked off that changed
           user credentials. This controls the MemoryHigh= and MemoryMax=
           settings of the per-user systemd slice unit user-$UID.slice. See
           systemd.resource-control(5) for further details.

       --cpu-weight=WEIGHT, --io-weight=WEIGHT
           Set CPU and IO scheduling weights of the processes of the user,
           including those of processes forked off by the user that changed
           user credentials. Takes a numeric value in the range 1...10000.
           This controls the CPUWeight= and IOWeight= settings of the
           per-user systemd slice unit user-$UID.slice. See
           systemd.resource-control(5) for further details.

           Selects the storage mechanism to use for this home directory.
           Takes one of "luks", "fscrypt", "directory", "subvolume", "cifs".
           For details about these mechanisms, see above. If a new home
           directory is created and the storage type is not specifically
           specified, homed.conf(5) defines which default storage to use.

           Takes a file system path. Configures where to place the user's
           home directory. When LUKS2 storage is used refers to the path to
           the loopback file, otherwise to the path to the home directory
           (which may be in /home/ or any other accessible filesystem). When
           unspecified defaults to /home/$USER.home when LUKS storage is
           used and /home/$USER.homedir for the other storage mechanisms.
           Not defined for the "cifs" storage mechanism. To use LUKS2
           storage on a regular block device (for example a USB stick) pass
           the path to the block device here. Specifying the path to a
           directory here when using LUKS2 storage is not allowed. Similar,
           specifying the path to a regular file or device node is not
           allowed if any of the other storage backends are used.

           When LUKS2 storage is used configures the file system type to use
           inside the home directory LUKS2 container. One of "btrfs",
           "ext4", "xfs". If not specified homed.conf(5) defines which
           default file system type to use. Note that "xfs" is not
           recommended as its support for file system resizing is too

           When LUKS2 storage is used configures whether to enable the
           "discard" feature of the file system. If enabled the file system
           on top of the LUKS2 volume will report empty block information to
           LUKS2 and the loopback file below, ensuring that empty space in
           the home directory is returned to the backing file system below
           the LUKS2 volume, resulting in a "sparse" loopback file. This
           option mostly defaults to off, since this permits over-committing
           home directories which results in I/O errors if the underlying
           file system runs full while the upper file system wants to
           allocate a block. Such I/O errors are generally not handled well
           by file systems nor applications. When LUKS2 storage is used on
           top of regular block devices (instead of on top a loopback file)
           the discard logic defaults to on.

           Similar to --luks-discard=, controls the trimming of the file
           system. However, while --luks-discard= controls what happens when
           the home directory is active, --luks-offline-discard= controls
           what happens when it becomes inactive, i.e. whether to
           trim/allocate the storage when deactivating the home directory.
           This option defaults to on, to ensure disk space is minimized
           while a user is not logged in.

       --luks-cipher=CIPHER, --luks-cipher-mode=MODE,
       --luks-volume-key-size=BITS, --luks-pbkdf-type=TYPE,
       --luks-pbkdf-time-cost=SECONDS, --luks-pbkdf-memory-cost=BYTES,
           Configures various cryptographic parameters for the LUKS2 storage
           mechanism. See cryptsetup(8) for details on the specific

       --nosuid=BOOL, --nodev=BOOL, --noexec=BOOL
           Configures the "nosuid", "nodev" and "noexec" mount options for
           the home directories. By default "nodev" and "nosuid" are on,
           while "noexec" is off. For details about these mount options see

       --cifs-domain=DOMAIN, --cifs-user-name=USER, --cifs-service=SERVICE
           Configures the Windows File Sharing (CIFS) domain and user to
           associate with the home directory/user account, as well as the
           file share ("service") to mount as directory. The latter is used
           when "cifs" storage is selected.

           Configures the time the per-user service manager shall continue
           to run after the all sessions of the user ended. The default is
           configured in logind.conf(5) (for home directories of LUKS2
           storage located on removable media this defaults to 0 though). A
           longer time makes sure quick, repetitive logins are more
           efficient as the user's service manager doesn't have to be
           started every time.

           Configures whether to kill all processes of the user on logout.
           The default is configured in logind.conf(5).

           Takes a boolean argument. Configures whether the graphical UI of
           the system should automatically log this user in if possible.
           Defaults to off. If less or more than one user is marked this way
           automatic login is disabled.

COMMANDS         top

       The following commands are understood:

           List all home directories (along with brief details) currently
           managed by systemd-homed.service. This command is also executed
           if none is specified on the command line. (Note that the list of
           users shown by this command does not include users managed by
           other subsystems, such as system users or any traditional users
           listed in /etc/passwd.)

       activate USER [USER...]
           Activate one or more home directories. The home directories of
           each listed user will be activated and made available under their
           mount points (typically in /home/$USER). Note that any home
           activated this way stays active indefinitely, until it is
           explicitly deactivated again (with deactivate, see below), or the
           user logs in and out again and it thus is deactivated due to the
           automatic deactivation-on-logout logic.

           Activation of a home directory involves various operations that
           depend on the selected storage mechanism. If the LUKS2 mechanism
           is used, this generally involves: inquiring the user for a
           password, setting up a loopback device, validating and activating
           the LUKS2 volume, checking the file system, mounting the file
           system, and potentially changing the ownership of all included
           files to the correct UID/GID.

       deactivate USER [USER...]
           Deactivate one or more home directories. This undoes the effect
           of activate.

       inspect USER [USER...]
           Show various details about the specified home directories. This
           shows various information about the home directory and its user
           account, including runtime data such as current state, disk use
           and similar. Combine with --json= to show the detailed JSON user
           record instead, possibly combined with --export-format= to
           suppress certain aspects of the output.

       authenticate USER [USER...]
           Validate authentication credentials of a home directory. This
           queries the caller for a password (or similar) and checks that it
           correctly unlocks the home directory. This leaves the home
           directory in the state it is in, i.e. it leaves the home
           directory in inactive state if it was inactive before, and in
           active state if it was active before.

       create USER, create --identity=PATH [USER]
           Create a new home directory/user account of the specified name.
           Use the various user record property options (as documented
           above) to control various aspects of the home directory and its
           user accounts.

           The specified user name should follow the strict syntax described
           on User/Group Name Syntax[3].

       remove USER
           Remove a home directory/user account. This will remove both the
           home directory's user record and the home directory itself, and
           thus delete all files and directories owned by the user.

       update USER, update --identity=PATH [USER]
           Update a home directory/user account. Use the various user record
           property options (as documented above) to make changes to the
           account, or alternatively provide a full, updated JSON user
           record via the --identity= option.

           Note that changes to user records not signed by a cryptographic
           private key available locally are not permitted, unless
           --identity= is used with a user record that is already correctly
           signed by a recognized private key.

       passwd USER
           Change the password of the specified home directory/user account.

       resize USER BYTES
           Change the disk space assigned to the specified home directory.
           If the LUKS2 storage mechanism is used this will automatically
           resize the loopback file and the file system contained within.
           Note that if "ext4" is used inside of the LUKS2 volume, it is
           necessary to deactivate the home directory before shrinking it
           (i.e the user has to log out). Growing can be done while the home
           directory is active. If "xfs" is used inside of the LUKS2 volume
           the home directory may not be shrunk whatsoever. On all three of
           "ext4", "xfs" and "btrfs" the home directory may be grown while
           the user is logged in, and on the latter also shrunk while the
           user is logged in. If the "subvolume", "directory", "fscrypt"
           storage mechanisms are used, resizing will change file system

       lock USER
           Temporarily suspend access to the user's home directory and
           remove any associated cryptographic keys from memory. Any
           attempts to access the user's home directory will stall until the
           home directory is unlocked again (i.e. re-authenticated). This
           functionality is primarily intended to be used during system
           suspend to make sure the user's data cannot be accessed until the
           user re-authenticates on resume. This operation is only defined
           for home directories that use the LUKS2 storage mechanism.

       unlock USER
           Resume access to the user's home directory again, undoing the
           effect of lock above. This requires authentication of the user,
           as the cryptographic keys required for access to the home
           directory need to be reacquired.

           Execute the lock command on all suitable home directories at
           once. This operation is generally executed on system suspend
           (i.e. by systemctl suspend and related commands), to ensure all
           active user's cryptographic keys for accessing their home
           directories are removed from memory.

           Execute the deactivate command on all active home directories at
           once. This operation is generally executed on system shut down
           (i.e. by systemctl poweroff and related commands), to ensure all
           active user's home directories are fully deactivated before
           /home/ and related file systems are unmounted.

       with USER COMMAND...
           Activate the specified user's home directory, run the specified
           command (under the caller's identity, not the specified user's)
           and deactivate the home directory afterwards again (unless the
           user is logged in otherwise). This command is useful for running
           privileged backup scripts and such, but requires authentication
           with the user's credentials in order to be able to unlock the
           user's home directory.

EXIT STATUS         top

       On success, 0 is returned, a non-zero failure code otherwise.

ENVIRONMENT         top

           Pager to use when --no-pager is not given; overrides $PAGER. If
           neither $SYSTEMD_PAGER nor $PAGER are set, a set of well-known
           pager implementations are tried in turn, including less(1) and
           more(1), until one is found. If no pager implementation is
           discovered no pager is invoked. Setting this environment variable
           to an empty string or the value "cat" is equivalent to passing

           Override the options passed to less (by default "FRSXMK").

           Users might want to change two options in particular:

               This option instructs the pager to exit immediately when
               Ctrl+C is pressed. To allow less to handle Ctrl+C itself to
               switch back to the pager command prompt, unset this option.

               If the value of $SYSTEMD_LESS does not include "K", and the
               pager that is invoked is less, Ctrl+C will be ignored by the
               executable, and needs to be handled by the pager.

               This option instructs the pager to not send termcap
               initialization and deinitialization strings to the terminal.
               It is set by default to allow command output to remain
               visible in the terminal even after the pager exits.
               Nevertheless, this prevents some pager functionality from
               working, in particular paged output cannot be scrolled with
               the mouse.

           See less(1) for more discussion.

           Override the charset passed to less (by default "utf-8", if the
           invoking terminal is determined to be UTF-8 compatible).

           Takes a boolean argument. When true, the "secure" mode of the
           pager is enabled; if false, disabled. If $SYSTEMD_PAGERSECURE is
           not set at all, secure mode is enabled if the effective UID is
           not the same as the owner of the login session, see geteuid(2)
           and sd_pid_get_owner_uid(3). In secure mode, LESSSECURE=1 will be
           set when invoking the pager, and the pager shall disable commands
           that open or create new files or start new subprocesses. When
           $SYSTEMD_PAGERSECURE is not set at all, pagers which are not
           known to implement secure mode will not be used. (Currently only
           less(1) implements secure mode.)

           Note: when commands are invoked with elevated privileges, for
           example under sudo(8) or pkexec(1), care must be taken to ensure
           that unintended interactive features are not enabled. "Secure"
           mode for the pager may be enabled automatically as describe
           above. Setting SYSTEMD_PAGERSECURE=0 or not removing it from the
           inherited environment allows the user to invoke arbitrary
           commands. Note that if the $SYSTEMD_PAGER or $PAGER variables are
           to be honoured, $SYSTEMD_PAGERSECURE must be set too. It might be
           reasonable to completely disable the pager using --no-pager

           The value must be a boolean. Controls whether colorized output
           should be generated. This can be specified to override the
           decision that systemd makes based on $TERM and what the console
           is connected to.

           The value must be a boolean. Controls whether clickable links
           should be generated in the output for terminal emulators
           supporting this. This can be specified to override the decision
           that systemd makes based on $TERM and other conditions.

EXAMPLES         top

       Example 1. Create a user "waldo" in the administrator group "wheel",
       and assign 500 MiB disk space to them.

           homectl create waldo --real-name="Waldo McWaldo" -G wheel --disk-size=500M

       Example 2. Create a user "wally" on a USB stick, and assign a maximum
       of 500 concurrent tasks to them.

           homectl create wally --real-name="Wally McWally" --image-path=/dev/disk/by-id/usb-SanDisk_Ultra_Fit_476fff954b2b5c44-0:0 --tasks-max=500

       Example 3. Change nice level of user "odlaw" to +5 and make sure the
       environment variable $SOME is set to the string "THING" for them on

           homectl update odlaw --nice=5 --setenv=SOME=THING

       Example 4. Set up authentication with a YubiKey security token using

           # Clear the Yubikey from any old keys (careful!)
           ykman piv reset

           # Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
           ykman piv generate-key -a RSA2048 9d pubkey.pem

           # Create a self-signed certificate from this public key, and store it on the device.
           ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem

           # We don't need the public key on disk anymore
           rm pubkey.pem

           # Allow the security token to unlock the account of user 'lafcadio'.
           homectl update lafcadio --pkcs11-token-uri=auto

       Example 5. Set up authentication with a FIDO2 security token:

           # Allow a FIDO2 security token to unlock the account of user 'nihilbaxter'.
           homectl update nihilbaxter --fido2-device=auto

SEE ALSO         top

       systemd(1), systemd-homed.service(8), homed.conf(5), userdbctl(1),
       useradd(8), cryptsetup(8)

NOTES         top

        1. JSON User Records

        2. Icon Naming Specification

        3. User/Group Name Syntax

COLOPHON         top

       This page is part of the systemd (systemd system and service manager)
       project.  Information about the project can be found at 
       ⟨http://www.freedesktop.org/wiki/Software/systemd⟩.  If you have a bug
       report for this manual page, see
       ⟨http://www.freedesktop.org/wiki/Software/systemd/#bugreports⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨https://github.com/systemd/systemd.git⟩ on 2020-11-01.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-11-01.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or im‐
       provements to the information in this COLOPHON (which is not part of
       the original manual page), send a mail to man-pages@man7.org

systemd 247                                                       HOMECTL(1)

Pages that refer to this page: homed.conf(5)homed.conf.d(5)org.freedesktop.home1(5)30-systemd-environment-d-generator(7)systemd.directives(7)systemd.index(7)pam_systemd_home(8)systemd-homed(8)systemd-homed.service(8)