this post was submitted on 24 Feb 2024
99 points (77.7% liked)

Linux

48329 readers
1418 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I recently switched to Linux (Zorin OS) and I selected "use ZFS and encrypt" during installation. Now before I can log in it asks me "please unlock disk keystore-rpool" and I have to type in the encryption password it before I'm able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks "aren't secure against battering rams". Normal people don't need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

you are viewing a single comment's thread
view the rest of the comments
[–] Max_P@lemmy.max-p.me 38 points 9 months ago (2 children)

You ended up with full disk encryption. For most people, it's the simple option, everything is encrypted. That means the OS can't start without the key, because you're the only holder of the key. It's both dead simple, and pretty bulletproof since there's no way to access the system without the password. But as you said, not everyone wants that.

What you're asking for is an encrypted home directory. It's not that Linux can't do it, it's just not what you got. Depending on the use case you can either use TPM to unlock the root partition to boot, or not encrypt the system itself. Then when you log in, it decrypts a separate partition (or use ZFS native encryption, or use fscrypt if your filesystem supports it, or use an overlay filesystem like go-cryptfs).

So it's not that Linux doesn't support your use case but rather your distro doesn't offer it as an installation option. From there you either configure it yourself (ArchWiki is great regardless of distro), or seek out a distro that does.

Linux is not an operating system, it's just the kernel. What makes it an OS is what distros build on top of it. Linux alone is not that useful, hence the basis of the GNU+Linux memes: it's Linux, plus a lot of GNU tools to make it do useful things, plus a desktop environment and a whole bunch of other libraries and applications, plus the distro's touch tying it all together in a mostly cohesive experience.

[–] Miaou@jlai.lu 5 points 9 months ago (1 children)

But I'm confused, the decryption of the home directory needs the owners secret to be entered at some point? I don't see how this solves Op's problem (which I also don't understand, you want encryption, you need to decrypt stuff at some point)

[–] Max_P@lemmy.max-p.me 9 points 9 months ago (1 children)

Yes, the question is when and how.

You can enter it in the bootloader as a prerequisite to boot anything. You can also enter it at the display manager / login screen, which is a little further down the boot process.

My desktop for example can boot up to the login screen and perform its NAS and routing duties all on its own. But my user and all of my user's data is still locked at that point: the computer is usable by guests and everything but even if you manage to throw a root exploit at it, my data is completely safe. Only when I log in, either locally or remotely, my password will go through PAM which will run a script that uses my password to unlock my home directory and mount it as I'm logging in.

What changes is what is covered by the encryption, and when the key is required. My root is auto unlocked via TPM, my home is unlocked on demand as I log in to my user account.

OP's problem is they have full disk encryption so they need the password to boot up Linux at all, but they also get a second password prompt to log in when it reaches the display manager, even if it's the same password. The solution is either they configure it to auto login since you need a password for the whole OS anyway, or they automate the unlocking of the root partition and use their login password to further decrypt the home directory (or rely entirely on the system being secure that the user isn't encrypted further and it's just a password prompt, which is what I think Windows does).

[–] Miaou@jlai.lu 1 points 9 months ago

I see, thanks for the explanation. After asking you I kept on reading the comments and understood how tpm helps with the auto decryption.

I still think full disk encryption with auto login is more than enough, at least that's what I have, and as you can tell anyone can set that up easily.