I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.
Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.
Also might TPM have anything to do with this?
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
Kinda curious as to the point of drive encryption if you just want it to automatically unlock on boot.
Encryption makes it more difficult to copy data from the drive. Windows and MacOS can manage to encrypt drives without requiring two different passwords, I mistakenly assumed Linux could too.
If you’re having it automatically unlock the drive at boot, it kind of defeats the purpose. If someone steals your tower, they can boot it and copy the unencrypted contents since it automatically unlocks.
OP isn’t asking for it to decrypt automatically. OP is asking for the entering the decryption password to also log you in. That way you only have to type the password once, instead of twice.
It depends on where the encryption data is stored. If the bootloader and bios/efi are locked down and the data to unlock is stored in an encrypted enclave or one is using a TPM (and not an external chip one that can be sniffed with a pi), that’s a reasonable protection for the OS even if somebody gains physical access.
You could also store the password in the EFI, or on a USB stick etc. It doesn’t help you much against longer-term physical access but it can help if somebody just grabs the drive. It’s also useful to protect the drive if it’s being disposed of as the crypto is tied to other hardware.
Even just encrypting the main OS with the keys in the boot/initrd has benefit, as ensuring that part is well-wiped makes asset disposal safe®. Some motherboards have an on-board SDCard or USB slot which your can use for the boot partition. It means I don’t have to take a drill to my drives before I dispose of them
But if you have it set to unlock automatically…? It’s not like the drive is going to know it’s you booting it vs someone else if you’re not having to enter the password.
Windows and Mac can indeed encrypt drives without two passwords - as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.
The idea is to use TPM to store the keys - if you boot into a modified OS, TPM won’t give you the same key so automatic unlock will fail. And protection against somebody just booting the original system and copying data off it is provided by the system login screen.
Voilà, automatic drive decryption with fingerprint unlock to log into the OS. That’s what Windows does anyway.
How… How would they get the drive? Would n that need access to your computer? I imagine at that point they could turn it on first and copy your data that way, no?
No. With FDE, an adversary can’t just trun it on and copy data unless there are some 0day on the login that allows exectuing arbitrary codes.
It’s disappointing to see so many commentors arguing against you wanting to do this. Windows has it through bitlocker which is secured via the TPM as you know. Yes it can be bypassed, but it’s all about your threat level and effort into mitigating it.
I am currently using a TPM on my opensuse tumbleweed machine to auto unencrypt my drive during boot. What you want to do is possible, but not widely supported (yet). Unfortunately, the best I can do is point you to the section in the opensuse wiki that worked for me.
https://en.opensuse.org/SDB:Encrypted_root_file_system
If you scroll down on that page you’ll see the section about TPM support. I don’t know how well it will play with your OS. As always, back up all your files before messing with hard drive encryption. Best of luck!
Sums up about every thread asking how to do something on Linux, 30 different responses on how the OP is wrong and shouldn’t do it that way.
To be fair there are probably many different ways to solve the problem. I’m somewhat experienced with Linux and I’ve attempted seeing up TPM LUKS decryption on boot. It’s certainly not easy or at least wasn’t when I tried. For non experienced people it’s easier to just enter the password at boot and enable auto login. Then you get the security, software, ethics, or licensing debates that accompany most Linux discussions.
I mean it’s somewhat of a meme. But XY-Problems are super common. I also sometimes learned something new and that my approach wasn’t the best and I’m kinda experienced with Linux. It’s usually more the annoying and stupid people who don’t want to explain what they’re trying to achieve even if asked and insist on going with the path they’ve chosen without listening to advice… On the other hand it’s a balance. There are also nerds without social skills who don’t explain things well. But in my experience it’s frequently XY-Problems and the people asking for advice not listening.
Thanks, Zorin is based on Ubuntu so I have to assume it will be up to date with stuff like TPM which is 15 years old. The data on the page you linked is pretty advanced for me but I’ll give it a shot. Appreciate you addressing my question.
OP, just change your encryption key to whatever you have your password as and set your login to auto login. This will give you the experience you desire as it’ll decrypt the disk with your password and log you in automatically once it’s decrypted, but if you lock the system (close the lid. Screen lock. Etc) you’ll still get a login screen as normal. (Just keep in mind they’re technically two separate passwords and will unfortunately need to be changed separately if you do change your password).
What I do for a little extra security is that my encryption password is just a longer variation of my normal password. So of I have an encrypted password sentence like “correct battery staple horse” my login password would just be “correct battery”. It’s a simple way to add a little extra and a good reminder everytime I turn on my computer that they are in fact two different passwords and protect me differently.
You ended up with full disk encryption. For most people, it’s the simple option, everything is encrypted. That means the OS can’t start without the key, because you’re the only holder of the key. It’s both dead simple, and pretty bulletproof since there’s no way to access the system without the password. But as you said, not everyone wants that.
What you’re asking for is an encrypted home directory. It’s not that Linux can’t do it, it’s just not what you got. Depending on the use case you can either use TPM to unlock the root partition to boot, or not encrypt the system itself. Then when you log in, it decrypts a separate partition (or use ZFS native encryption, or use fscrypt if your filesystem supports it, or use an overlay filesystem like go-cryptfs).
So it’s not that Linux doesn’t support your use case but rather your distro doesn’t offer it as an installation option. From there you either configure it yourself (ArchWiki is great regardless of distro), or seek out a distro that does.
Linux is not an operating system, it’s just the kernel. What makes it an OS is what distros build on top of it. Linux alone is not that useful, hence the basis of the GNU+Linux memes: it’s Linux, plus a lot of GNU tools to make it do useful things, plus a desktop environment and a whole bunch of other libraries and applications, plus the distro’s touch tying it all together in a mostly cohesive experience.
Fprintd is the only biometrics I know and hardware support is very limited. There are no easily accessible usb fingerprint readers either, which would allow easy testing and recommending.
I think if we could reverse engineer some kensington / etc. fprint sensor that would be huge.
But I’m confused, the decryption of the home directory needs the owners secret to be entered at some point? I don’t see how this solves Op’s problem (which I also don’t understand, you want encryption, you need to decrypt stuff at some point)
Yes, the question is when and how.
You can enter it in the bootloader as a prerequisite to boot anything. You can also enter it at the display manager / login screen, which is a little further down the boot process.
My desktop for example can boot up to the login screen and perform its NAS and routing duties all on its own. But my user and all of my user’s data is still locked at that point: the computer is usable by guests and everything but even if you manage to throw a root exploit at it, my data is completely safe. Only when I log in, either locally or remotely, my password will go through PAM which will run a script that uses my password to unlock my home directory and mount it as I’m logging in.
What changes is what is covered by the encryption, and when the key is required. My root is auto unlocked via TPM, my home is unlocked on demand as I log in to my user account.
OP’s problem is they have full disk encryption so they need the password to boot up Linux at all, but they also get a second password prompt to log in when it reaches the display manager, even if it’s the same password. The solution is either they configure it to auto login since you need a password for the whole OS anyway, or they automate the unlocking of the root partition and use their login password to further decrypt the home directory (or rely entirely on the system being secure that the user isn’t encrypted further and it’s just a password prompt, which is what I think Windows does).
I see, thanks for the explanation. After asking you I kept on reading the comments and understood how tpm helps with the auto decryption.
I still think full disk encryption with auto login is more than enough, at least that’s what I have, and as you can tell anyone can set that up easily.
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
I am sorry you were treated like this and downvoted for just asking for help without being a jerk at all.
