I think it's a little strange to put anything other than users' home directories in /var/home; I don't know of anything else that does this. I suggest instead changing "/var/home/$SUDO_USER" to ~"$SUDO_USER", which will correctly identify the home directory of SUDO_USER regardless of whether that's root (or some other user with a home directory in a nonstandard location). Do note that the ~ has to be outside quotes for it to be properly expanded by the shell.

The problem is that when you run ujust from run0, $SUDO_USER is blank. We could add something to test and find the home directory regardless, but this is a lot of complexity. I agree it is unusual, but it doesn't make sense either for a drive encryption key to be only accessible from one user anyway.

That doesn't seem right—I just tried running a nested run0 session (which is what I'm pretty sure is happening when you run a ujust script that requires root from a run0 shell) and it sets SUDO_USER to root, as expected.

I also think that on a multi-user system, there definitely could be good reason that a system administrator might not want the recovery key to be visible to all unprivileged users. So, putting it in the calling user's home directory still seems like the best option. If somehow SUDO_USER is blank (which I don't think should happen), the best fallback might be to put it in root's home directory.

You're right, it's not blank it's still root.

echo ~"$SUDO_USER" is giving me ~user, not the home path. Seems like ~ won't substitute correctly when the user name is substituted. At least on my secureblue install.

Oops, my bad, that works in fish but not in bash—forgot to switch to bash to check that. A method that does work in bash is:

getent passwd "$SUDO_USER" | cut -d: -f6

TBH, we should port these to python instead of continuing to build on the bash versions