this post was submitted on 24 Feb 2024
99 points (77.7% liked)
Linux
48329 readers
1418 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Assuming you want:
There are several ways to achieve this:
autologin (recommended for single user system): / is encrypted using luks or zfs native encryption and user's home needs to be unencrypted. User's password may be same as encryption password for convenience, though they still are two passwords used for different purposes.
pam mount: / is unencrypted or auto-decrypted and user's home is encrypted independently from / using zfs,luks,fscrypt,etc. In this case, user's login password must be same as user's home encryption password. It's suitable for multi-user system. NOTE: It cannot be used with autologin since user's home needs to be decrypted to log in.
WARNING: For tpm usage, using secure boot is highly recommended to prevent unauthorized user from accessing key stored in tpm.
To prevent auto-decrypt with tpm, tpm-pin can be used (with autologin for requirement #1).
systemd-cryptenroll with/without tpm: As far as I know it can be only used to unlock disk encrypted with luks2. It can be used without tpm with pkcs11-token (e.g. YubiKey) or fido2-device. It also uses parameter encryption while key is unsealed, so safe from key sniffing via communication bus. This is easy if secure boot is enabled and luks2 is used for encryption.
clevis with tpm: It can be used in place of systemd-cryptenroll. May be used with zfs native encryption. Though I'm not sure if it uses parameter encryption (correct me).
unencrypted keyfile on usb: Not sure about zfs, but you can use keyfile on a usb drive to decrypt luks containers.
NOTE: I'm not a forensic/security expert. I listed a brief overview of methods I could think of to keep user's files encrypted while providing single password till login.
Auto decrypt with TPM sounds fine to me but I have no idea what TPM is as this is my first PC with it.
Thanks for the great response though I'll look into these
Read Skull giver's reply or look it up.
Re-reading your post, I take you want to avoid typing long and tedious password? And that's why you want to auto-decrypt?
man systemd-cryptenroll
regarding tpm2-pin:usb drive: read previous comment
clevis: It probably isn't as simple as systemd-cryptenroll but I guess you can use zfs and combine that with tpm2-pin if not using secure boot (discouraged).
You'll have to make a compromise somewhere between security and convenience. Even if you use pam mount, you'll have to enter the password, biometrics won't do.
Edit: remove unnecessary user tag and add img uri
systemd-homed can also do it.
oh, I forgot. Thanks for mentioning that :)