I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now, before I can log in, it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password before I’m able to get to the login screen.

Is there a way to do this automatically like with Windows or macOS? Zorin has biometric login, which is nice, but this defeats the purpose, especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption; they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or macOS has been doing for a decade, but I am apparently wrong.

  • Max-P@lemmy.max-p.me · 34 upvotes, 2 downvotes · 10 months ago

    You ended up with full disk encryption. For most people, it’s the simple option, everything is encrypted. That means the OS can’t start without the key, because you’re the only holder of the key. It’s both dead simple, and pretty bulletproof since there’s no way to access the system without the password. But as you said, not everyone wants that.

    What you’re asking for is an encrypted home directory. It’s not that Linux can’t do it, it’s just not what you got. Depending on the use case you can either use TPM to unlock the root partition to boot, or not encrypt the system itself. Then when you log in, it decrypts a separate partition (or use ZFS native encryption, or use fscrypt if your filesystem supports it, or use an overlay filesystem like gocryptfs).

    So it’s not that Linux doesn’t support your use case but rather your distro doesn’t offer it as an installation option. From there you either configure it yourself (ArchWiki is great regardless of distro), or seek out a distro that does.

    Linux is not an operating system, it’s just the kernel. What makes it an OS is what distros build on top of it. Linux alone is not that useful, hence the basis of the GNU+Linux memes: it’s Linux, plus a lot of GNU tools to make it do useful things, plus a desktop environment and a whole bunch of other libraries and applications, plus the distro’s touch tying it all together in a mostly cohesive experience.

    • Skull giver@popplesburger.hilciferous.nl · 6 upvotes · 10 months ago

      On other operating systems, biometrics allow you to unlock the disk (through the TPM) and immediately authenticate you on boot. I don’t think an encrypted home directory will help OP.

      I’m not aware of any Linux implementation of this system. I should also say that this is terribly broken on Windows, with any attacker being able to add their own fingerprints into the key store using an alternative boot drive, because every version of the spec is implemented horribly insecurely.

      • Pantherina@feddit.de · 1 upvote · 10 months ago

        Fprintd is the only biometrics I know and hardware support is very limited. There are no easily accessible USB fingerprint readers either, which would allow easy testing and recommending.

        I think if we could reverse engineer some Kensington / etc. fprint sensor that would be huge.

        • Skull giver@popplesburger.hilciferous.nl · 1 upvote · 10 months ago

          Even the basic Synaptics sensor present in many laptops has its own “secure” protocol that Windows uses, and those laptops tend to be very popular with Linux developers. From what I can tell, fingerprint support is actually quite good in comparison to many other forms of niche hardware.

          However, the super-modular everything-in-userspace Linux approach doesn’t really lend itself to the kind of security mechanisms Windows and macOS try to accomplish. Microsoft has SDCP, but that doesn’t protect them completely, in part because these devices allow insecure configuration methods to support Linux, in part because their firmware and security design is just not very good.

          Someone writing a good SDCP driver for Linux would be a good start for getting Windows-like trust in biometrics so fingerprint hardware could refuse insecure configurations, but I don’t know if that’s something being worked on. As it stands, the Linux implementation is part of the reason why the Windows implementation can be bypassed with a screwdriver and an RPi…

    • Miaou@jlai.lu · 5 upvotes · 10 months ago

      But I’m confused, the decryption of the home directory needs the owner’s secret to be entered at some point? I don’t see how this solves OP’s problem (which I also don’t understand; you want encryption, you need to decrypt stuff at some point).

      • Max-P@lemmy.max-p.me · 9 upvotes · 10 months ago

        Yes, the question is when and how.

        You can enter it in the bootloader as a prerequisite to boot anything. You can also enter it at the display manager / login screen, which is a little further down the boot process.

        My desktop for example can boot up to the login screen and perform its NAS and routing duties all on its own. But my user and all of my user’s data is still locked at that point: the computer is usable by guests and everything but even if you manage to throw a root exploit at it, my data is completely safe. Only when I log in, either locally or remotely, my password will go through PAM which will run a script that uses my password to unlock my home directory and mount it as I’m logging in.

        What changes is what is covered by the encryption, and when the key is required. My root is auto unlocked via TPM, my home is unlocked on demand as I log in to my user account.

        OP’s problem is they have full disk encryption so they need the password to boot up Linux at all, but they also get a second password prompt to log in when it reaches the display manager, even if it’s the same password. The solution is either they configure it to auto login since you need a password for the whole OS anyway, or they automate the unlocking of the root partition and use their login password to further decrypt the home directory (or rely entirely on the system being secure that the user isn’t encrypted further and it’s just a password prompt, which is what I think Windows does).
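The layout Max-P describes (root unlocked at boot without a prompt, the user's home unlocked by PAM with the login password), as an added example that is not code from the thread: a pam_exec helper for the auth stack. It assumes a per-user LUKS volume at /dev/vg0/home-<user>, a mount point of /home/<user>, and the PAM line and TPM enrolment shown in the comments; all of these names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: a pam_exec helper implementing the
# layout Max-P describes. Root is unlocked at boot without a prompt (e.g. after
# "systemd-cryptenroll --tpm2-device=auto /dev/ROOTDEV" and "tpm2-device=auto"
# in /etc/crypttab), while each user's home lives in its own LUKS volume that
# stays locked until that user logs in and PAM hands this script the password.
#
# Assumed wiring (hypothetical names):
#   /etc/pam.d/common-auth:
#     auth optional pam_exec.so expose_authtok quiet /usr/local/sbin/unlock-home
#   LUKS volume per user: /dev/vg0/home-<user>, mounted on /home/<user>
set -eu

# Device-mapper name for a user's unlocked home volume.
home_mapper_name() {
    printf 'home-%s\n' "$1"
}

# Accept only plain account names, so PAM_USER cannot steer the device path
# (a value like "../x" must never reach cryptsetup or mount).
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

unlock_and_mount() {
    user=$1
    mapper=$(home_mapper_name "$user")
    dev="/dev/vg0/$mapper"                       # assumed LUKS device
    [ -b "$dev" ] || return 0                    # no encrypted home: nothing to do
    [ -e "/dev/mapper/$mapper" ] && return 0     # already unlocked earlier
    # pam_exec's expose_authtok writes the login password to our stdin; with no
    # --key-file option, cryptsetup reads the passphrase from stdin up to the
    # newline. Nothing here echoes or logs it.
    cryptsetup open "$dev" "$mapper"
    mount "/dev/mapper/$mapper" "/home/$user"
}

# Act only when PAM runs us in the auth stack; sourcing the file elsewhere
# (for example from a test) just defines the functions.
if [ "${PAM_TYPE:-}" = "auth" ] && [ -n "${PAM_USER:-}" ]; then
    valid_user "$PAM_USER" || exit 1
    unlock_and_mount "$PAM_USER"
fi
```

Because the unlock happens in the auth stack, the home directory is mounted before the session is opened, which is what lets the display manager land the user in a readable home on first login.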

        • Miaou@jlai.lu · 1 upvote · 10 months ago

          I see, thanks for the explanation. After asking you I kept on reading the comments and understood how TPM helps with the auto decryption.

          I still think full disk encryption with auto login is more than enough, at least that’s what I have, and as you can tell anyone can set that up easily.