I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

  • Jediwan@lemy.lolOP
    0·
    9 months ago

    Are you joking? It’s so that someone else can’t copy the data off the drive. Windows and MacOS can encrypt drives without requiring two different passwords.

    • kebabslob@lemmy.blahaj.zone
      0·
      9 months ago

      How… How would they get the drive? Would n that need access to your computer? I imagine at that point they could turn it on first and copy your data that way, no?

    • GlitzyArmrest@lemmy.worldEnglish
      0·
      9 months ago

      If you’re having it automatically unlock the drive at boot, it kind of defeats the purpose. If someone steals your tower, they can boot it and copy the unencrypted contents since it automatically unlocks.

      • fuckwit_mcbumcrumble@lemmy.worldEnglish
        0·
        9 months ago

        OP isn’t asking for it to decrypt automatically. OP is asking for the entering the decryption password to also log you in. That way you only have to type the password once, instead of twice.

          • Ptsf@lemmy.world
            0·
            9 months ago

            Perfect security doesn’t exist. If they’ve got the engineering capital required to design and manufacture key retrieval hardware, you lost the moment they gained physical access to your equipment.

              • Ptsf@lemmy.world
                0·
                9 months ago

                Most brute-force attacks can be hardened against. Again there’s no perfect security, just better security.

            • umami_wasabi@lemmy.ml
              0·
              9 months ago

              If he uses TPM. I’m not aginst OP using it but he needs to understand the drawbacks. At least I hope he will.

            • TDCN@feddit.dk
              0·
              8 months ago

              I agree. Physical access to the device and its often game over.

              Sadly reading off the key is already trivial in some cases as showcased in this recent video by stacksmashing

              Since the key has to be sent to the cpu in plain text it can easily be sniffed. If however the TPM is integrated in the cpu its not so easy, but then the os can be manipulated or hacked after boot with known exploits.

              If you have a long and secure password for you encryption the absolute only way in is to brute force the key which is significantly harder if not impossible regardless of capital

          • MangoPenguin@lemmy.blahaj.zoneEnglish
            0·
            9 months ago

            At least on Windows that requires booting the PC from some other media, and that wouldn’t work with the drive encrypted because you have no access to the files you need to modify.

            Is it similar with Linux, or do you mean you can actually bypass login from the OS that’s already booted up??

          • Markaos@lemmy.one
            0·
            9 months ago

            Yeah, but a lot of those things will trip the TPM module, so you will get a different decryption key if you for example try to use the single kernel parameter to boot into a root shell. And different decryption key means no access to the data.

      • phx@lemmy.ca
        0·
        9 months ago

        It depends on where the encryption data is stored. If the bootloader and bios/efi are locked down and the data to unlock is stored in an encrypted enclave or one is using a TPM (and not an external chip one that can be sniffed with a pi), that’s a reasonable protection for the OS even if somebody gains physical access.

        You could also store the password in the EFI, or on a USB stick etc. It doesn’t help you much against longer-term physical access but it can help if somebody just grabs the drive. It’s also useful to protect the drive if it’s being disposed of as the crypto is tied to other hardware.

        Even just encrypting the main OS with the keys in the boot/initrd has benefit, as ensuring that part is well-wiped makes asset disposal safe®. Some motherboards have an on-board SDCard or USB slot which your can use for the boot partition. It means I don’t have to take a drill to my drives before I dispose of them

    • Confused_Emus@lemmy.world
      0·
      9 months ago

      But if you have it set to unlock automatically…? It’s not like the drive is going to know it’s you booting it vs someone else if you’re not having to enter the password.

      Windows and Mac can indeed encrypt drives without two passwords - as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.

      • Markaos@lemmy.one
        0·
        9 months ago

        The idea is to use TPM to store the keys - if you boot into a modified OS, TPM won’t give you the same key so automatic unlock will fail. And protection against somebody just booting the original system and copying data off it is provided by the system login screen.

        Voilà, automatic drive decryption with fingerprint unlock to log into the OS. That’s what Windows does anyway.

        • Confused_Emus@lemmy.world
          0·
          9 months ago

          Although OPs scenario is if someone steals the tower, in which case it’s not a different TPM. Would only help if the drives were yanked, which honestly I’d probably do rather than try to take the whole tower.

          • Markaos@lemmy.one
            0·
            9 months ago

            If you boot the computer into the currently installed OS, you will be presented with a login screen and will have to enter the correct password to log in (kernel parameters are part of the checksums, so booting into single-user mode won’t help you, that counts as a modified OS). If you boot a different OS, you won’t get the key off the TPM.

            • GlitzyArmrest@lemmy.worldEnglish
              0·
              9 months ago

              It’s not clear to me that OP is using the TPM though. If they aren’t, then automatically unlocking defeats the entire purpose.

              • Markaos@lemmy.one
                0·
                9 months ago

                Yes, but they are asking how to set up FDE in the same way it works on Windows, where automatic unlocking works using TPM. They just don’t know the technical details.

                • GlitzyArmrest@lemmy.worldEnglish
                  0·
                  9 months ago

                  Indeed. My work laptop running Ubuntu has a TPM and its use is enforced through the organization. For that machine, it does automatically unlock. But again, it requires using the TPM.

        • Jediwan@lemy.lolOP
          0·
          9 months ago

          I don’t suppose you know of a tutorial to get this set up? Google turned up nothing.

        • Confused_Emus@lemmy.world
          0·
          9 months ago

          I see. I don’t know that the usual drive encryption you set up during Linux install works with that, but there are BitLocker-like programs for Linux that might.

      • Jediwan@lemy.lolOP
        0·
        9 months ago

        as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.

        MacOS does ask for a different password during setup, which you never have to use again unless you want to access the drive on a different PC.