this post was submitted on 24 Feb 2024
92 points (76.4% liked)

Linux

48709 readers
1079 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I recently switched to Linux (Zorin OS) and I selected "use ZFS and encrypt" during installation. Now before I can log in it asks me "please unlock disk keystore-rpool" and I have to type in the encryption password it before I'm able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks "aren't secure against battering rams". Normal people don't need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 47 points 10 months ago (4 children)

If you're having it automatically unlock the drive at boot, it kind of defeats the purpose. If someone steals your tower, they can boot it and copy the unencrypted contents since it automatically unlocks.

[–] [email protected] 19 points 10 months ago (1 children)

OP isn't asking for it to decrypt automatically. OP is asking for the entering the decryption password to also log you in. That way you only have to type the password once, instead of twice.

[–] [email protected] 5 points 10 months ago

GDM has an autologin feature, OP should use it.

[–] [email protected] 7 points 10 months ago

It depends on where the encryption data is stored. If the bootloader and bios/efi are locked down and the data to unlock is stored in an encrypted enclave or one is using a TPM (and not an external chip one that can be sniffed with a pi), that's a reasonable protection for the OS even if somebody gains physical access.

You could also store the password in the EFI, or on a USB stick etc. It doesn't help you much against longer-term physical access but it can help if somebody just grabs the drive. It's also useful to protect the drive if it's being disposed of as the crypto is tied to other hardware.

Even just encrypting the main OS with the keys in the boot/initrd has benefit, as ensuring that part is well-wiped makes asset disposal safe(r). Some motherboards have an on-board SDCard or USB slot which your can use for the boot partition. It means I don't have to take a drill to my drives before I dispose of them

[–] [email protected] 4 points 10 months ago (2 children)

How would they be able to copy the unencrypted contents? They still can't do anything without logging in.

[–] [email protected] 11 points 10 months ago (2 children)

Bypassing login is not difficult on a lot of OS.

[–] [email protected] 8 points 10 months ago* (last edited 10 months ago)

Yeah, but a lot of those things will trip the TPM module, so you will get a different decryption key if you for example try to use the single kernel parameter to boot into a root shell. And different decryption key means no access to the data.

[–] [email protected] 5 points 10 months ago (1 children)

At least on Windows that requires booting the PC from some other media, and that wouldn't work with the drive encrypted because you have no access to the files you need to modify.

Is it similar with Linux, or do you mean you can actually bypass login from the OS that's already booted up??

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago)

It is similar in Linux. Vulnerabilities, bugs, or enough time will get through on any OS so people have to decide on their personal level of paranoia. A lot of people have very little idea how a TPM or sealing key material works.

[–] [email protected] 1 points 10 months ago (1 children)

By intercepting the key on hardware level

[–] [email protected] 7 points 10 months ago (3 children)

Perfect security doesn't exist. If they've got the engineering capital required to design and manufacture key retrieval hardware, you lost the moment they gained physical access to your equipment.

[–] [email protected] 4 points 10 months ago (1 children)

If they have the capability to extract the key, they probably also have the computational resources to brute-force the passphrase. It's not a meaningful difference.

[–] [email protected] 2 points 10 months ago

Most brute-force attacks can be hardened against. Again there's no perfect security, just better security.

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago) (1 children)

I agree. Physical access to the device and its often game over.

Sadly reading off the key is already trivial in some cases as showcased in this recent video by stacksmashing

Since the key has to be sent to the cpu in plain text it can easily be sniffed. If however the TPM is integrated in the cpu its not so easy, but then the os can be manipulated or hacked after boot with known exploits.

If you have a long and secure password for you encryption the absolute only way in is to brute force the key which is significantly harder if not impossible regardless of capital

[–] [email protected] 2 points 10 months ago

Here is an alternative Piped link(s):

video by stacksmashing

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago)

If he uses TPM. I'm not aginst OP using it but he needs to understand the drawbacks. At least I hope he will.

[–] [email protected] 1 points 10 months ago

I dont think you can. Can you read SSD storage while that is running? The drive needs to be decrypted using the TPM, and that should only work when its plugged in.