I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.
Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.
Also might TPM have anything to do with this?
If you want some more convenience but don’t want to give up security, you can use hardware tokens like Nitrokey with GPG.
The process would be generate a random file using
ddand/dev/urandom. Set this as the key for FDE. Encrypt it using your GPG and store it on/boot. Have a helper script to ask you plugin your Nitrokey and (optional) pin to decrypt the keyfile to have root decrypted. I had read this on some blog for dm-crypt so you will need to research and adopt to your setup.Afaik you can’t. Disk encryption requires entering the password every time and it asks for it BEFORE the OS is started so you can’t use biometric login either
That’s not technically true as bitlocker on windows and filevault on Mac don’t require tw different passwords.
Mac will ask you to “log in” very early in the boot process to decrypt the disk, I assume it keeps the drive key encrypted with your password somewhere.
That’s just not true I have two macs with it enabled on both and it requires a single “normal” password
That’s likely because your Macs are using the TPM. Does your Linux machine have a TPM, and are you using it?
I don’t think so, they are both intel macs over 10 years old and TPM wasn’t as common then. On Mac, when you check the box to encrypt the drive during install you’re prompted for an encryption password which you never need to use again unless you remove the drive and put it into another mac (or in my case add a second hard drive and use the original as “extra” storage).
Yes normal password but it happens super early on mine, and once you log in there is a boot progress bar afterwards. This is an Intel Mac, might be different on apple chips.
Sorry idk much about Windows and Mac. But what you said sounds like their encryption systems aren’t full disk encryption, they somehow found a way to store the password for login or they just disable the login password completely when the encryption is enabled
They are full disk encryption, and it’s using the hardware TPM.
Oh then I guess idk what TPM actually is
I recently dug into this because I accidentally trashed my wife’s OS which was encrypted with bitlocker. PITA btw and I couldn’t beat the encryption
Bitlocker encryption key hash is stored in 2 possible places. First is an unencrypted segment of the encrypted drive. This is bad because it’s pretty easy to read that hash and then decrypt the drive. The second place is on a Trusted Platform Module (TPM) which is a chip on the motherboard. This is better because it’s much more difficult to hack. It can be done but requires soldering on extra hardware to sniff the hash while the machine boots up. Might even be destructive… I’m not sure.
Either way a motivated attacker can decrypt the drive if they have physical access. For my personal machines, I wouldn’t care about this level of scrutiny at all.
Anyways you can see if any open source solutions support TPM.
What it sounds like you want is only your home folder encrypted, where it decrypts seamlessly upon login. It sounds like you have encrypted OS root, which is more secure but necessarily requires a password before the system gets to the login screen.
Other than reinstalling your system, you do have the option of either making your decryption password shorter, and/or enabling auto-login after boot (if you’re the computer’s only user), so you’d only have to type one password instead of two.
I chose to use auto login for my PC. This way I’m only using my password to decrypt the drive after a reboot or the login screen after waking ffrom sleep.
Auto-Login makes the most sense I didn’t consider that.
Or you can do full disk encryption and store the encryption info in the TPM and lock it down against various PCRs such that changes to the boot order or firmware prevent the drive unlocking without a secondary decryption key, just like Windows and Macs do.
It’s a built in feature of systemd, among other tools.
I’m not familiar with exactly what you mean, does it not require a password to boot that way? I have full-disk encryption on my laptop but not with TPM, grub just prompts me for a password before the kernel boots
Correct. The decryption key is stored in the TPM and unsealed when specific criteria match (for example, booted from the correct drive, to the correct kernel file). Figuring out the correct values to tie it to is probably the worst part for a user, if you do it wrong it might just unseal because your EFI firmware binary hasn’t changed, which isn’t all that useful if someone is trying to break in with a live image.
I’m also a linux noob, but I thought having to unlock the encryption before getting to the actual account was part of the point. If the encryption is always already unlocked it’s easier to break in.
Then how come Windows and MacOS don’t require two different PWs?
You keep bringing that up. Those are different systems with different approaches to security. You can compare them to death and back and it won’t bring your system to where you want it.
People have come to you with suggestions to achieve what you want and explained the consequences. Try that instead.
They give up some security by gaining convenience and slightly better UX.
I can’t vet Apple’s security, but TPM isn’t a silver bullet either.
Yeah I don’t need a silver bullet I’m not storing highly sensitive data, I just mistakenly assumed this would be easier.
Great to hear. TPM is totally usable if your threat model can tolerate the risk. Sadly Linux is a bit lacking support for TPM in FDE. You can try the Nitrokey with GPG method without pin I wrote in the other thread if you hit the wall. Good luck!
Here’s a guide if you want FDE with TPM: https://blastrock.github.io/fde-tpm-sb.html
Linux works fine with the TPM, systemd even includes it as a feature (although Ubuntu patches it out, Fedora does not). Takes two commands to enable it, although you can get very into the weeds like that guide does if you are concerned about real bad actors instead of common thieves.
That I doesn’t know Ubuntu patches it out.
as others have pointed out, you can use systemd-cryptenroll to add your tpm as a way to unlock the disk at boot, security of this should be fine if secureboot is enabled (for this to work it will need to be anyway) and a password is set for the uefi. See the archwiki entry for setup info (command is as simple as
systemd-cryptenroll --tpm2-device=auto /dev/rootdrive, also the device needs to be encrypted with luks2, no idea if zorin uses that by default but you can convert luks1 to luks2 {backup ur headers first!})I think people are misunderstanding the whole point of drive encryption. It’s so that if the drive is stolen or lost, you don’t have to worry about it as much. I personally don’t see any benefit in doing this if I have to enter a password every time I plug the damn thing in. If you’re concerned about somebody stealing your laptop or desktop, the disk-encryption should be the least of your worries.
To the OC; if you happen to use GNOME, then check out the settings in the DISKS app. It has auto-unlock options in the per-drive settings. I long ago configured it so my USB is auto-unlocked upon being plugged in. Though after several system resets and such whatever I did to do that seems to no longer be visible in the GUI, I know that’s how I set it up in the first place.
To the OC; if you happen to use GNOME, then check out the settings in the DISKS app. It has auto-unlock options in the per-drive settings.
Thanks so much!
EDIT: This didn’t work
They do understand the point. The problem is that if you use TPM to unlock on boot it is slightly self defeating. Now the attacker has access to your display manager or TTY. They can guess passwords, try to bypass the biometric checks, or find an exploit. But that does indicate a higher tech level that your average thief.
I appreciate the concern but odds are if someone is stealing my PC its not going to be a 1337 hax0r. I am not keeping government docs on here I just don’t want someone to be able to rip out the HDD and have easy access to everything.
It’s disappointing to see so many commentors arguing against you wanting to do this. Windows has it through bitlocker which is secured via the TPM as you know. Yes it can be bypassed, but it’s all about your threat level and effort into mitigating it.
I am currently using a TPM on my opensuse tumbleweed machine to auto unencrypt my drive during boot. What you want to do is possible, but not widely supported (yet). Unfortunately, the best I can do is point you to the section in the opensuse wiki that worked for me.
https://en.opensuse.org/SDB:Encrypted_root_file_system
If you scroll down on that page you’ll see the section about TPM support. I don’t know how well it will play with your OS. As always, back up all your files before messing with hard drive encryption. Best of luck!
Sums up about every thread asking how to do something on Linux, 30 different responses on how the OP is wrong and shouldn’t do it that way.
To be fair there are probably many different ways to solve the problem. I’m somewhat experienced with Linux and I’ve attempted seeing up TPM LUKS decryption on boot. It’s certainly not easy or at least wasn’t when I tried. For non experienced people it’s easier to just enter the password at boot and enable auto login. Then you get the security, software, ethics, or licensing debates that accompany most Linux discussions.
I mean it’s somewhat of a meme. But XY-Problems are super common. I also sometimes learned something new and that my approach wasn’t the best and I’m kinda experienced with Linux. It’s usually more the annoying and stupid people who don’t want to explain what they’re trying to achieve even if asked and insist on going with the path they’ve chosen without listening to advice… On the other hand it’s a balance. There are also nerds without social skills that don’t explain things well. But in my experience it’s frequently XY-Problems and the people asking for advice not listening.
Thanks, Zorin is based on Ubuntu so I have to assume it will be up to date with stuff like TPM. The data on the page you linked is pretty advanced for me but I’ll give it a shot. Appreciate you addressing my question.
Ubuntu isn’t really on the cutting edge, so I’m not sure how well its going to work. Opensuse tumbleweed is running pretty much the latest everything, so its possible youll need to wait until the next Ubuntu lts
This is also what I would recommend and is most similar to the windows experience
Yeah, holy shit is this comment section toxic. Why are people downvoting for someone asking for help and not being a dick?
Is this whole community like this? Are the mods okay with this behavior?
Windows is no baseline for security lol
Not sure if this works with drive encryption since it comes before the OS, but could this maybe be done with a YubiKey or something like that?
That way, you can plug it in and not worry about typing the password every time, but then it’s also secure if someone takes your PC? As long as you remove the key when it’s off of course.
Yes, systemd-cryptenroll supports Yubikey as well as generic FIDO2 tokens (and the TPM on most distros).
I was kinda annoyed at double password login when I setup my system too. So what I did was just enable automatic login for my user since I’m the only one. I just treat my disk password as my login form so I just enter one password. I still have a user password for things like sudo and other permissions handling when I’m logged in but getting into a new session is automatic on startup so it doesn’t annoy me anymore. Would that work for you?
That’s exactly what I do lol.
I think this is what I might have to do as I really don’t want to go back to Windows. I don’t suppose if you know if there is a way to lock the drive upon logging out? Or do I need to do a full shutdown every time.
I’m not sure LUKs can lock a drive that’s booted already since it’s not a RAM session like a live CD is and relies on the decrypted files to operate. This is why the encryption key is prompted from your boot manager prior to actually getting the system running. That said, I lock my computer all the time and just rely on the normal user password to get back in.
Move your swap to encrypted part of your drive and suspend to disk. ;)
IIRC and I may be wrong here the drive stays encrypted in sleep. Decryption is done in real time via your CPU. However the encryption key is stored in unencrypted RAM. Which is why the other comment suggests encrypting swap and hibernating, this writes RAM to disk.
I was kinda annoyed at double password login
Same. Not at all interesting.
Boot up password -> ATA DriveLock password -> LUKS FDE password -> Login password, that’s where it’s at.
/jIt’s just funny situation if you forget the DriveLock master password. Yes, it has 2 passwords. The master password is needed to remove the user password which is used for unlocking. If you forget the master password, you can’t ever reset the user password. If you forget both, you upgraded the drive to a paperweight. Additionally, some BIOSes may do hidden key derivation, store the master password in TPM, or do some other crap, so it’s generally not recommended unless you actually need it.
This can also be set inhdparm.
Also, I have no idea what way there is for NVME drives, as this uses ATA commands. It’s also good to note that some drives use this for hardware-based encryption, and some don’t. So it brings varying security.If you forget both, you upgraded the drive to a paperweight.
That’s why I have a password manager on my phone.
The common way to do it with LUKE2 and TPM as detailed on the Arch wiki. Not sure if that’ll apply at all to ZFS and Zorin though
It is less secure though. What I do is set my computer to log in on start and I set up fingerprint auth. So I only need to login once on startup with the drive decryption.
Here’s a reddit post on using clevis, TPM, and ZFS to decrypt.
You should also know that if you’re mobo dies so does your data.
Dead motherboard is not an issue. LUKS supports multiple decryption key slots, you just set up the TPM as one of them. The fallback mode is you have you enter the password twice again.
I do not know the answer, but this got me thinking: would it be easier to set up a single login for both session and decryption if /home was on a separate partition and only /home was encrypted?
https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS
Thats what you want i think
OP, just change your encryption key to whatever you have your password as and set your login to auto login. This will give you the experience you desire as it’ll decrypt the disk with your password and log you in automatically once it’s decrypted, but if you lock the system (close the lid. Screen lock. Etc) you’ll still get a login screen as normal. (Just keep in mind they’re technically two separate passwords and will unfortunately need to be changed separately if you do change your password).
This is solid advice
What I do for a little extra security is that my encryption password is just a longer variation of my normal password. So of I have an encrypted password sentence like “correct battery staple horse” my login password would just be “correct battery”. It’s a simple way to add a little extra and a good reminder everytime I turn on my computer that they are in fact two different passwords and protect me differently.
Thats how encryption works. Encryption with TPM protects against removing the drive and reading somewhere else, so I suppose it makes sense for most people.
Linux Distros have this option, Ubuntu has it now I think, but on the others its often manual setup.
Just search for “cryptsetup change to tpm”
This reply isn’t going to be helpful to OP, but thought I might add context for others passing by.
I’m using Arch Linux with LUKS encryption and gdm. As long as my user’s password is the same as the LUKS password, I only ever type my password in once.
Just saying that a MacOS-like convenience is definitely possible on Linux.
Fascinating, you don’t have automatic login enabled? And I assume this is at the pre-login prompt?
Oof - forgot to mention that I do have autologin configured on gdm 😀
user’s password can be totally different from luks password if you’re using autologin. You can keep it same but that’s totally optional. You can login without entering any password at all if not using luks (or using autodecrypt), you can see that in live isos.
