I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.
Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.
Also might TPM have anything to do with this?
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
I was kinda annoyed at double password login when I setup my system too. So what I did was just enable automatic login for my user since I’m the only one. I just treat my disk password as my login form so I just enter one password. I still have a user password for things like sudo and other permissions handling when I’m logged in but getting into a new session is automatic on startup so it doesn’t annoy me anymore. Would that work for you?
That’s exactly what I do lol.
I think this is what I might have to do as I really don’t want to go back to Windows. I don’t suppose if you know if there is a way to lock the drive upon logging out? Or do I need to do a full shutdown every time.
Move your swap to encrypted part of your drive and suspend to disk. ;)
IIRC and I may be wrong here the drive stays encrypted in sleep. Decryption is done in real time via your CPU. However the encryption key is stored in unencrypted RAM. Which is why the other comment suggests encrypting swap and hibernating, this writes RAM to disk.
I’m not sure LUKs can lock a drive that’s booted already since it’s not a RAM session like a live CD is and relies on the decrypted files to operate. This is why the encryption key is prompted from your boot manager prior to actually getting the system running. That said, I lock my computer all the time and just rely on the normal user password to get back in.
Same. Not at all interesting.
Boot up password -> ATA DriveLock password -> LUKS FDE password -> Login password, that’s where it’s at.
/j
It’s just funny situation if you forget the DriveLock master password. Yes, it has 2 passwords. The master password is needed to remove the user password which is used for unlocking. If you forget the master password, you can’t ever reset the user password. If you forget both, you upgraded the drive to a paperweight. Additionally, some BIOSes may do hidden key derivation, store the master password in TPM, or do some other crap, so it’s generally not recommended unless you actually need it.
This can also be set in
hdparm
.Also, I have no idea what way there is for NVME drives, as this uses ATA commands. It’s also good to note that some drives use this for hardware-based encryption, and some don’t. So it brings varying security.
That’s why I have a password manager on my phone.