I’d like to propose a feature to encrypt the data partition in UmbrelOS using LUKS2 (or similar), with the ability to decrypt it during the first web login, instead of during system boot.
Motivation
UmbrelOS has a clean separation between the OS and the user data. This allows for an ideal setup where:
The OS partition remains untouched and bootable.
The data partition is encrypted at rest using LUKS2 (or another disk encryption method).
Upon the first login through the Umbrel web interface, the user is prompted to enter their password. That password is then used to decrypt and mount the data partition.
This approach mimics how Android handles encryption — where data remains encrypted at rest and is only accessible after user authentication — but adapted to Umbrel's server-like workflow.
Benefits
Enhanced security: user data is never exposed unless explicitly unlocked.
Minimal UX impact: encryption is handled seamlessly during the existing login flow.
Hardware agnostic: no need to prompt for decryption via local keyboard or console.
Feature Breakdown
Encrypt only the /data partition using LUKS2 or similar.
Boot the OS as usual, keeping it outside the encrypted volume.
On first HTTP login, prompt the user for their decryption password (could be the same as the Umbrel user password).
Mount and decrypt the data partition if the password is valid.
Possibly store the decrypted key temporarily until reboot, or use a secure session-based unlock mechanism.
Optional Ideas
Allow users to configure or reset the encryption password from the UI (if unlocked).
Warn users about the importance of keeping the decryption password safe.
Provide an option to re-lock the data partition from the UI.
Thanks for your amazing work on Umbrel! This feature could make it even more secure, especially for users running it on physical hardware.
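The unlock and re-lock steps from the feature breakdown above, as an added example that is not part of the original issue or Umbrel's own code. The device path and mapping name are hypothetical, and the `run` parameter is an assumption added so the system commands can be substituted when testing.

```python
import subprocess

DEVICE = "/dev/disk/by-partlabel/umbrel-data"  # hypothetical device path
MAPPER = "umbrel-data"                         # hypothetical mapping name
MOUNTPOINT = "/data"                           # partition named in the proposal


class WrongPassphrase(Exception):
    """cryptsetup rejected the passphrase (exit code 2)."""


def unlock_data(passphrase: str, run=subprocess.run) -> str:
    """Open the LUKS2 volume with the login password and mount it."""
    if not passphrase:
        raise ValueError("empty passphrase")
    # Send the passphrase on stdin, never in argv, where any local user
    # could read it from the process list. With --key-file - cryptsetup
    # reads stdin to EOF and keeps a trailing newline, so send exact bytes.
    opened = run(
        ["cryptsetup", "open", "--type", "luks2", "--key-file", "-",
         DEVICE, MAPPER],
        input=passphrase.encode(), capture_output=True)
    if opened.returncode == 2:
        raise WrongPassphrase()
    if opened.returncode != 0:
        raise RuntimeError(f"cryptsetup open failed ({opened.returncode})")
    # From here the kernel holds the volume key until close or reboot, so
    # the web service has no need to keep the password around.
    mapped = f"/dev/mapper/{MAPPER}"
    if run(["mount", mapped, MOUNTPOINT], capture_output=True).returncode != 0:
        # Do not leave an opened but unmounted volume behind.
        run(["cryptsetup", "close", MAPPER], capture_output=True)
        raise RuntimeError("mount failed; volume closed again")
    return mapped


def lock_data(run=subprocess.run) -> bool:
    """Re-lock from the UI: unmount, then remove the dm-crypt mapping."""
    if run(["umount", MOUNTPOINT], capture_output=True).returncode != 0:
        return False  # still in use; report instead of forcing
    closed = run(["cryptsetup", "close", MAPPER], capture_output=True)
    return closed.returncode == 0
```

A login handler would call `unlock_data` only when the mapping is not already open and treat `WrongPassphrase` as a failed login.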