I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.
Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.
Also might TPM have anything to do with this?
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
Kinda curious as to the point of drive encryption if you just want it to automatically unlock on boot.
Encryption makes it more difficult to copy data from the drive. Windows and MacOS can manage to encrypt drives without requiring two different passwords, I mistakenly assumed Linux could too.
If you’re having it automatically unlock the drive at boot, it kind of defeats the purpose. If someone steals your tower, they can boot it and copy the unencrypted contents since it automatically unlocks.
OP isn’t asking for it to decrypt automatically. OP is asking for the entering the decryption password to also log you in. That way you only have to type the password once, instead of twice.
GDM has an autologin feature, OP should use it.
It depends on where the encryption data is stored. If the bootloader and bios/efi are locked down and the data to unlock is stored in an encrypted enclave or one is using a TPM (and not an external chip one that can be sniffed with a pi), that’s a reasonable protection for the OS even if somebody gains physical access.
You could also store the password in the EFI, or on a USB stick etc. It doesn’t help you much against longer-term physical access but it can help if somebody just grabs the drive. It’s also useful to protect the drive if it’s being disposed of as the crypto is tied to other hardware.
Even just encrypting the main OS with the keys in the boot/initrd has benefit, as ensuring that part is well-wiped makes asset disposal safe®. Some motherboards have an on-board SDCard or USB slot which your can use for the boot partition. It means I don’t have to take a drill to my drives before I dispose of them
Removed by mod
Bypassing login is not difficult on a lot of OS.
Yeah, but a lot of those things will trip the TPM module, so you will get a different decryption key if you for example try to use the
single
kernel parameter to boot into a root shell. And different decryption key means no access to the data.At least on Windows that requires booting the PC from some other media, and that wouldn’t work with the drive encrypted because you have no access to the files you need to modify.
Is it similar with Linux, or do you mean you can actually bypass login from the OS that’s already booted up??
It is similar in Linux. Vulnerabilities, bugs, or enough time will get through on any OS so people have to decide on their personal level of paranoia. A lot of people have very little idea how a TPM or sealing key material works.
By intercepting the key on hardware level
Removed by mod
Removed by mod
Removed by mod
I agree. Physical access to the device and its often game over.
Sadly reading off the key is already trivial in some cases as showcased in this recent video by stacksmashing
Since the key has to be sent to the cpu in plain text it can easily be sniffed. If however the TPM is integrated in the cpu its not so easy, but then the os can be manipulated or hacked after boot with known exploits.
If you have a long and secure password for you encryption the absolute only way in is to brute force the key which is significantly harder if not impossible regardless of capital
Here is an alternative Piped link(s):
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
If he uses TPM. I’m not aginst OP using it but he needs to understand the drawbacks. At least I hope he will.
I dont think you can. Can you read SSD storage while that is running? The drive needs to be decrypted using the TPM, and that should only work when its plugged in.
But if you have it set to unlock automatically…? It’s not like the drive is going to know it’s you booting it vs someone else if you’re not having to enter the password.
Windows and Mac can indeed encrypt drives without two passwords - as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.
The idea is to use TPM to store the keys - if you boot into a modified OS, TPM won’t give you the same key so automatic unlock will fail. And protection against somebody just booting the original system and copying data off it is provided by the system login screen.
Voilà, automatic drive decryption with fingerprint unlock to log into the OS. That’s what Windows does anyway.
I don’t suppose you know of a tutorial to get this set up? Google turned up nothing.
Might be pretty complicated. https://www.reddit.com/r/zfs/comments/dimtjv// Your best bet is probably to enable autologin and use the same password for the encryption
I see. I don’t know that the usual drive encryption you set up during Linux install works with that, but there are BitLocker-like programs for Linux that might.
Although OPs scenario is if someone steals the tower, in which case it’s not a different TPM. Would only help if the drives were yanked, which honestly I’d probably do rather than try to take the whole tower.
If you boot the computer into the currently installed OS, you will be presented with a login screen and will have to enter the correct password to log in (kernel parameters are part of the checksums, so booting into single-user mode won’t help you, that counts as a modified OS). If you boot a different OS, you won’t get the key off the TPM.
deleted by creator
Yes, but they are asking how to set up FDE in the same way it works on Windows, where automatic unlocking works using TPM. They just don’t know the technical details.
as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.
MacOS does ask for a different password during setup, which you never have to use again unless you want to access the drive on a different PC.
How… How would they get the drive? Would n that need access to your computer? I imagine at that point they could turn it on first and copy your data that way, no?
Disk encryptions entire point is securing against physical access
No. With FDE, an adversary can’t just trun it on and copy data unless there are some 0day on the login that allows exectuing arbitrary codes.
Or you use TPM, which you can get the key out of
It’s disappointing to see so many commentors arguing against you wanting to do this. Windows has it through bitlocker which is secured via the TPM as you know. Yes it can be bypassed, but it’s all about your threat level and effort into mitigating it.
I am currently using a TPM on my opensuse tumbleweed machine to auto unencrypt my drive during boot. What you want to do is possible, but not widely supported (yet). Unfortunately, the best I can do is point you to the section in the opensuse wiki that worked for me.
https://en.opensuse.org/SDB:Encrypted_root_file_system
If you scroll down on that page you’ll see the section about TPM support. I don’t know how well it will play with your OS. As always, back up all your files before messing with hard drive encryption. Best of luck!
Sums up about every thread asking how to do something on Linux, 30 different responses on how the OP is wrong and shouldn’t do it that way.
To be fair there are probably many different ways to solve the problem. I’m somewhat experienced with Linux and I’ve attempted seeing up TPM LUKS decryption on boot. It’s certainly not easy or at least wasn’t when I tried. For non experienced people it’s easier to just enter the password at boot and enable auto login. Then you get the security, software, ethics, or licensing debates that accompany most Linux discussions.
I mean it’s somewhat of a meme. But XY-Problems are super common. I also sometimes learned something new and that my approach wasn’t the best and I’m kinda experienced with Linux. It’s usually more the annoying and stupid people who don’t want to explain what they’re trying to achieve even if asked and insist on going with the path they’ve chosen without listening to advice… On the other hand it’s a balance. There are also nerds without social skills who don’t explain things well. But in my experience it’s frequently XY-Problems and the people asking for advice not listening.
Thanks, Zorin is based on Ubuntu so I have to assume it will be up to date with stuff like TPM which is 15 years old. The data on the page you linked is pretty advanced for me but I’ll give it a shot. Appreciate you addressing my question.
Ubuntu isn’t really on the cutting edge, so I’m not sure how well its going to work. Opensuse tumbleweed is running pretty much the latest everything, so its possible youll need to wait until the next Ubuntu lts
Yeah, holy shit is this comment section toxic. Why are people downvoting for someone asking for help and not being a dick?
Is this whole community like this? Are the mods okay with this behavior?
This is also what I would recommend and is most similar to the windows experience
You ended up with full disk encryption. For most people, it’s the simple option, everything is encrypted. That means the OS can’t start without the key, because you’re the only holder of the key. It’s both dead simple, and pretty bulletproof since there’s no way to access the system without the password. But as you said, not everyone wants that.
What you’re asking for is an encrypted home directory. It’s not that Linux can’t do it, it’s just not what you got. Depending on the use case you can either use TPM to unlock the root partition to boot, or not encrypt the system itself. Then when you log in, it decrypts a separate partition (or use ZFS native encryption, or use fscrypt if your filesystem supports it, or use an overlay filesystem like go-cryptfs).
So it’s not that Linux doesn’t support your use case but rather your distro doesn’t offer it as an installation option. From there you either configure it yourself (ArchWiki is great regardless of distro), or seek out a distro that does.
Linux is not an operating system, it’s just the kernel. What makes it an OS is what distros build on top of it. Linux alone is not that useful, hence the basis of the GNU+Linux memes: it’s Linux, plus a lot of GNU tools to make it do useful things, plus a desktop environment and a whole bunch of other libraries and applications, plus the distro’s touch tying it all together in a mostly cohesive experience.
On other operating systems, biometrics allow you to unlock the disk (through the TPM) and immediately authenticate you on boot. I don’t think an encrypted home directory will help OP.
I’m not aware of any Linux implementation of this system. I should also say that this is terribly broken on Windows, with any attacker being able to add their own fingerprints into the key store using an alternative boot drive, because every version of the spec is implemented horribly insecurely.
Fprintd is the only biometrics I know and hardware support is very limited. There are no easily accessible usb fingerprint readers either, which would allow easy testing and recommending.
I think if we could reverse engineer some kensington / etc. fprint sensor that would be huge.
Even the basic Synaptics sensor present in many laptops has its own “secure” protocol that Windows uses, and those laptops tend to be very popular with Linux developers. From what I can tell, fingerprint support is actually quite good in comparison to many other forms of niche hardware.
However, the super-modular everything-in-usespace Linux approach doesn’t really lend itself to the kind of security mechanisms Windows and macOS try to accomplish. Microsoft has SDCP, but that doesn’t protect them completely, in part because these devices allow insecure configuration methods to support Linux, in part because their firmware and security design is just not very good.
Someone writing a good SDCP driver for Linux would be a good start for getting Windows-like trust in biometrics so fingerprint hardware could refuse insecure configurations, but I don’t know if that’s something being worked on. As it stands, the Linux implementation is part of the reason why the Windows implementation can be bypassed with a screwdriver and a RPi…
But I’m confused, the decryption of the home directory needs the owners secret to be entered at some point? I don’t see how this solves Op’s problem (which I also don’t understand, you want encryption, you need to decrypt stuff at some point)
Yes, the question is when and how.
You can enter it in the bootloader as a prerequisite to boot anything. You can also enter it at the display manager / login screen, which is a little further down the boot process.
My desktop for example can boot up to the login screen and perform its NAS and routing duties all on its own. But my user and all of my user’s data is still locked at that point: the computer is usable by guests and everything but even if you manage to throw a root exploit at it, my data is completely safe. Only when I log in, either locally or remotely, my password will go through PAM which will run a script that uses my password to unlock my home directory and mount it as I’m logging in.
What changes is what is covered by the encryption, and when the key is required. My root is auto unlocked via TPM, my home is unlocked on demand as I log in to my user account.
OP’s problem is they have full disk encryption so they need the password to boot up Linux at all, but they also get a second password prompt to log in when it reaches the display manager, even if it’s the same password. The solution is either they configure it to auto login since you need a password for the whole OS anyway, or they automate the unlocking of the root partition and use their login password to further decrypt the home directory (or rely entirely on the system being secure that the user isn’t encrypted further and it’s just a password prompt, which is what I think Windows does).
I see, thanks for the explanation. After asking you I kept on reading the comments and understood how tpm helps with the auto decryption.
I still think full disk encryption with auto login is more than enough, at least that’s what I have, and as you can tell anyone can set that up easily.
Removed by mod
This is solid advice
What I do for a little extra security is that my encryption password is just a longer variation of my normal password. So of I have an encrypted password sentence like “correct battery staple horse” my login password would just be “correct battery”. It’s a simple way to add a little extra and a good reminder everytime I turn on my computer that they are in fact two different passwords and protect me differently.
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
I am sorry you were treated like this and downvoted for just asking for help without being a jerk at all.
I was kinda annoyed at double password login when I setup my system too. So what I did was just enable automatic login for my user since I’m the only one. I just treat my disk password as my login form so I just enter one password. I still have a user password for things like sudo and other permissions handling when I’m logged in but getting into a new session is automatic on startup so it doesn’t annoy me anymore. Would that work for you?
That’s exactly what I do lol.
I think this is what I might have to do as I really don’t want to go back to Windows. I don’t suppose if you know if there is a way to lock the drive upon logging out? Or do I need to do a full shutdown every time.
Move your swap to encrypted part of your drive and suspend to disk. ;)
IIRC and I may be wrong here the drive stays encrypted in sleep. Decryption is done in real time via your CPU. However the encryption key is stored in unencrypted RAM. Which is why the other comment suggests encrypting swap and hibernating, this writes RAM to disk.
I’m not sure LUKs can lock a drive that’s booted already since it’s not a RAM session like a live CD is and relies on the decrypted files to operate. This is why the encryption key is prompted from your boot manager prior to actually getting the system running. That said, I lock my computer all the time and just rely on the normal user password to get back in.
I was kinda annoyed at double password login
Same. Not at all interesting.
Boot up password -> ATA DriveLock password -> LUKS FDE password -> Login password, that’s where it’s at.
/jIt’s just funny situation if you forget the DriveLock master password. Yes, it has 2 passwords. The master password is needed to remove the user password which is used for unlocking. If you forget the master password, you can’t ever reset the user password. If you forget both, you upgraded the drive to a paperweight. Additionally, some BIOSes may do hidden key derivation, store the master password in TPM, or do some other crap, so it’s generally not recommended unless you actually need it.
This can also be set inhdparm
.
Also, I have no idea what way there is for NVME drives, as this uses ATA commands. It’s also good to note that some drives use this for hardware-based encryption, and some don’t. So it brings varying security.If you forget both, you upgraded the drive to a paperweight.
That’s why I have a password manager on my phone.
Afaik you can’t. Disk encryption requires entering the password every time and it asks for it BEFORE the OS is started so you can’t use biometric login either
Windows can use biometrics to unlock the TPM and authenticate the user with just one single fingerprint touch. Authentication platforms like Windows Hello use the TPM to authenticate the user, which means the TPM PIN can be used both as a “password” and as the unlock mechanism for Bitlocker disks.
I’m not aware of any Linux solution that will let you unlock the TPM with biometrics.
I should also add that last time I read about this system in Windows, someone checked three laptops and found three different ways in which an attacker could trick the biometrics into adding extra fingerprints, including the official Microsoft hardware.
Good enough for crackheads stealing the laptop and not having them be able to access your dick pics, not good enough for someone actually after your data.
That’s not technically true as enabling bitlocker on windows and filevault on Mac don’t require two different passwords.
Mac will ask you to “log in” very early in the boot process to decrypt the disk, I assume it keeps the drive key encrypted with your password somewhere.
That’s just not true I have two macs with it enabled on both and it requires a single “normal” password
That’s likely because your Macs are using the TPM. Does your Linux machine have a TPM, and are you using it?
I don’t think so, they are both intel macs over 10 years old and Macs didn’t start adding TPM until 2017. On Mac, when you check the box to encrypt the drive during install you’re prompted for an encryption password which you never need to use again unless you remove the drive and put it into another mac (or in my case add a second hard drive and use the original as “extra” storage).
Macs had TPMs before Windows PCs, IIRC.
Yes normal password but it happens super early on mine, and once you log in there is a boot progress bar afterwards. This is an Intel Mac, might be different on apple chips.
Sorry idk much about Windows and Mac. But what you said sounds like their encryption systems aren’t full disk encryption, they somehow found a way to store the password for login or they just disable the login password completely when the encryption is enabled
They are full disk encryption, and it’s using the hardware TPM.
Oh then I guess idk what TPM actually is
The TPM (trusted platform module) is a chip inside your processor (or on your motherboard) that can store cryptographic information such as encryption keys and certificates in a way that is extremely difficult to get them out without providing the proper unlock mechanism.
One method used to unlock secrets is to enter a PIN (which is alfanumeric despite the name), or by requiring an exact sequence of “measurements”. The bootloader measures “I just booted Grub”, then the kernel measures “I just started booting”, then initramfs starting is measured, etc. Combined with secure boot being configured to only boot Linux versions signed by your own key, this basically prevents the TPM from giving up its secrets unless you’ve booted the exact same operating system that stored the secure data.
These mechanisms are often combined for greater security
This automatic unlocking feature allows operating systems like Windows or Linux to encrypt the disk without ever having to enter a key. An attacker van steal the laptop, but assuming they don’t know the user password and can’t bypass the biometrics, they’ll be stuck at a secure login screen with no access to the data on disk (though LPC TPMs on the hardware can easily be eavesdropped, so this isn’t always very secure). Windows enables this mechanism by default in many configurations.
The biggest advantage is that nobody can rip out the hard drive and look at your files, nor can anyone with a boot disk just browse your files like you could back in the Windows 95-10 days.
It’s also one of the reasons Windows 11 requires modern TPMs, and doesn’t work on some relatively recent hardware without bypassing checks on the installer.
I’m also a linux noob, but I thought having to unlock the encryption before getting to the actual account was part of the point. If the encryption is always already unlocked it’s easier to break in.
Then how come Windows and MacOS don’t require two different PWs?
They give up some security by gaining convenience and slightly better UX.
I can’t vet Apple’s security, but TPM isn’t a silver bullet either.
Yeah I don’t need a silver bullet I’m not storing highly sensitive data, I just mistakenly assumed this would be easier.
Great to hear. TPM is totally usable if your threat model can tolerate the risk. Sadly Linux is a bit lacking support for TPM in FDE. You can try the Nitrokey with GPG method without pin I wrote in the other thread if you hit the wall. Good luck!
Here’s a guide if you want FDE with TPM: https://blastrock.github.io/fde-tpm-sb.html
Linux works fine with the TPM, systemd even includes it as a feature (although Ubuntu patches it out, Fedora does not). Takes two commands to enable it, although you can get very into the weeds like that guide does if you are concerned about real bad actors instead of common thieves.
That I doesn’t know Ubuntu patches it out.
The decision had to do with not having unified kernel images or something, essentially the decision that it couldn’t be done securely enough so they didn’t allow it at all even if you understand the risks. I don’t agree with the philosophy.
The next LTS should have official support in the installer (experimental in 23.10), and with signed binaries that will increase security substantially. Unfortunately it depends on snap.
You keep bringing that up. Those are different systems with different approaches to security. You can compare them to death and back and it won’t bring your system to where you want it.
People have come to you with suggestions to achieve what you want and explained the consequences. Try that instead.
Instead of encrypting the entire drive, encrypt the home folder. That way it’s unlocked when you sign in.
If you want some more convenience but don’t want to give up security, you can use hardware tokens like Nitrokey with GPG.
The process would be generate a random file using
dd
and/dev/urandom
. Set this as the key for FDE. Encrypt it using your GPG and store it on/boot
. Have a helper script to ask you plugin your Nitrokey and (optional) pin to decrypt the keyfile to have root decrypted. I had read this on some blog for dm-crypt so you will need to research and adopt to your setup.Yes there is TPM for full disk encryption.
https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6#using-tpm-20
Do I had problem making swap partition work. As lockdown mode is triggered.
https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html
I current only encrypted home.
You can configure Linux to automatically log you in after decrypting the disk. You can also configure Linux to automatically unlock the disk through a TPM. However, like on consumer versions of Windows, this doesn’t require authentication like a fingerprint.
I have no idea how to do it on Zorin, though. There are guides online about how to do it, but they’re not written for Zorin’s target audience (Linux beginners, mostly).
I think you’re right that this stuff should be easier. However, Linux lacks proper integration between the biometrics system and the TPM that Windows and MacOS have, so what you want is technically very difficult at the moment. Unfortunately, the phobia many Linux people have for technologies like TPMs will probably make it take a while before such features will be available.
What it sounds like you want is only your home folder encrypted, where it decrypts seamlessly upon login. It sounds like you have encrypted OS root, which is more secure but necessarily requires a password before the system gets to the login screen.
Other than reinstalling your system, you do have the option of either making your decryption password shorter, and/or enabling auto-login after boot (if you’re the computer’s only user), so you’d only have to type one password instead of two.
Auto-Login makes the most sense I didn’t consider that. I’ll just have to be careful not to log out without shutting down.
I chose to use auto login for my PC. This way I’m only using my password to decrypt the drive after a reboot or the login screen after waking ffrom sleep.
Or you can do full disk encryption and store the encryption info in the TPM and lock it down against various PCRs such that changes to the boot order or firmware prevent the drive unlocking without a secondary decryption key, just like Windows and Macs do.
It’s a built in feature of systemd, among other tools.
I’m not familiar with exactly what you mean, does it not require a password to boot that way? I have full-disk encryption on my laptop but not with TPM, grub just prompts me for a password before the kernel boots
Correct. The decryption key is stored in the TPM and unsealed when specific criteria match (for example, booted from the correct drive, to the correct kernel file). Figuring out the correct values to tie it to is probably the worst part for a user, if you do it wrong it might just unseal because your EFI firmware binary hasn’t changed, which isn’t all that useful if someone is trying to break in with a live image.
Others have given you ways of doing this, with TPM or hacking away by using the same password and auto-login. Many have told you you shouldn’t, but I think no one explained why.
When the bootloader chooses the OS that OS might be on an encrypted or an unencrypted disk. If the OS is on an unencrypted disk it can be easily hacked and then all bets are off. So the only safe option is if the OS is on an encrypted disk, however to do that you need to decrypt the disk to access it. Now there are two options, either you need to provide a key for decryption (it does not need to be a password, it can be a thumb drive or fingerprint) or it happens automatically. If it happens automatically it’s the same as not having encryption.
Enter TPM, which is trying to safely automatically decrypt the disk by using hardware validation. However here’s the problem, the only reason you need disk encryption is to prevent against your hardware being stolen. If your hardware was stolen and you don’t have disk encryption people can simply read the data. If you have disk encryption they need to decrypt the disk first. However when you use TPM or anything similar the disk gets decrypted automatically, meaning that it’s almost the same as not having encryption at all.
If a hacker got a hold of your unencrypted disk they can open it on a second OS and extract the data. If they got a hold of a fully encrypted disk they are more or less screwed. But if your computer unencrypted the disk on boot all they have to do now is access the disk from your OS. There are several ways of bypassing a login, brute force it, or create new users. Not to mention possible security issues that might give the attacker access to your entire system, which is already unencrypted. Yes, having some form of encryption, even if it unencrypts automatically is better than no encryption at all, but not by much. I would argue that if you care about the data not being accessed you shouldn’t have it decrypt automatically, and if you don’t mind it decrypting automatically then encryption might be overkill for you.
If it’s LUKS encryption, yeah, you can unlock it with the TPM. I forget how. Basically you add another key to LUKS that comes from the TPM. There are guides online.