I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

-3 points
Deleted by creator
permalink
report
reply
1 point

Good comment. Unfairly downvoted IMO

permalink
report
parent
reply
66 points

Kinda curious as to the point of drive encryption if you just want it to automatically unlock on boot.

permalink
report
reply
-32 points
*

Encryption makes it more difficult to copy data from the drive. Windows and MacOS can manage to encrypt drives without requiring two different passwords, I mistakenly assumed Linux could too.

permalink
report
parent
reply
47 points

If you’re having it automatically unlock the drive at boot, it kind of defeats the purpose. If someone steals your tower, they can boot it and copy the unencrypted contents since it automatically unlocks.

permalink
report
parent
reply
4 points
*
Removed by mod
permalink
report
parent
reply
19 points

OP isn’t asking for it to decrypt automatically. OP is asking for the entering the decryption password to also log you in. That way you only have to type the password once, instead of twice.

permalink
report
parent
reply
7 points

It depends on where the encryption data is stored. If the bootloader and bios/efi are locked down and the data to unlock is stored in an encrypted enclave or one is using a TPM (and not an external chip one that can be sniffed with a pi), that’s a reasonable protection for the OS even if somebody gains physical access.

You could also store the password in the EFI, or on a USB stick etc. It doesn’t help you much against longer-term physical access but it can help if somebody just grabs the drive. It’s also useful to protect the drive if it’s being disposed of as the crypto is tied to other hardware.

Even just encrypting the main OS with the keys in the boot/initrd has benefit, as ensuring that part is well-wiped makes asset disposal safe®. Some motherboards have an on-board SDCard or USB slot which your can use for the boot partition. It means I don’t have to take a drill to my drives before I dispose of them

permalink
report
parent
reply
1 point

I dont think you can. Can you read SSD storage while that is running? The drive needs to be decrypted using the TPM, and that should only work when its plugged in.

permalink
report
parent
reply
7 points

How… How would they get the drive? Would n that need access to your computer? I imagine at that point they could turn it on first and copy your data that way, no?

permalink
report
parent
reply
11 points

Disk encryptions entire point is securing against physical access

permalink
report
parent
reply
4 points
*

No. With FDE, an adversary can’t just trun it on and copy data unless there are some 0day on the login that allows exectuing arbitrary codes.

permalink
report
parent
reply
15 points

But if you have it set to unlock automatically…? It’s not like the drive is going to know it’s you booting it vs someone else if you’re not having to enter the password.

Windows and Mac can indeed encrypt drives without two passwords - as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.

permalink
report
parent
reply
1 point

as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.

MacOS does ask for a different password during setup, which you never have to use again unless you want to access the drive on a different PC.

permalink
report
parent
reply
14 points

The idea is to use TPM to store the keys - if you boot into a modified OS, TPM won’t give you the same key so automatic unlock will fail. And protection against somebody just booting the original system and copying data off it is provided by the system login screen.

Voilà, automatic drive decryption with fingerprint unlock to log into the OS. That’s what Windows does anyway.

permalink
report
parent
reply
5 points

You dont want to do that.

What’s the point of encrypting something without a good passphrase? It defeats the whole purpose.

permalink
report
reply
6 points

If you want to do away with any protection you have with opting in to a security measure, like typing in a password, why don’t you just reinstall and not select the encryption option?

Not requiring a password, or automatically entering a password to decrypt the filesystem, is essentially the same as not having encryption.

Decide which you want: Security or convenience. You cannot have both.

permalink
report
reply
16 points
*

Afaik you can’t. Disk encryption requires entering the password every time and it asks for it BEFORE the OS is started so you can’t use biometric login either

permalink
report
reply
-11 points
*

That’s not technically true as enabling bitlocker on windows and filevault on Mac don’t require two different passwords.

permalink
report
parent
reply
3 points

Sorry idk much about Windows and Mac. But what you said sounds like their encryption systems aren’t full disk encryption, they somehow found a way to store the password for login or they just disable the login password completely when the encryption is enabled

permalink
report
parent
reply
5 points
*

They are full disk encryption, and it’s using the hardware TPM.

permalink
report
parent
reply
11 points

Mac will ask you to “log in” very early in the boot process to decrypt the disk, I assume it keeps the drive key encrypted with your password somewhere.

permalink
report
parent
reply
-4 points

That’s just not true I have two macs with it enabled on both and it requires a single “normal” password

permalink
report
parent
reply
3 points

I recently dug into this because I accidentally trashed my wife’s OS which was encrypted with bitlocker. PITA btw and I couldn’t beat the encryption

Bitlocker encryption key hash is stored in 2 possible places. First is an unencrypted segment of the encrypted drive. This is bad because it’s pretty easy to read that hash and then decrypt the drive. The second place is on a Trusted Platform Module (TPM) which is a chip on the motherboard. This is better because it’s much more difficult to hack. It can be done but requires soldering on extra hardware to sniff the hash while the machine boots up. Might even be destructive… I’m not sure.

Either way a motivated attacker can decrypt the drive if they have physical access. For my personal machines, I wouldn’t care about this level of scrutiny at all.

Anyways you can see if any open source solutions support TPM.

permalink
report
parent
reply
Deleted by creator
permalink
report
parent
reply

Linux

!linux@lemmy.ml

Create post

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

  • Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
  • No misinformation
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

Community stats

  • 8.4K

    Monthly active users

  • 6.3K

    Posts

  • 172K

    Comments