98
submitted 8 months ago* (last edited 8 months ago) by flork@lemy.lol to c/linux@lemmy.ml

I recently switched to Linux (Zorin OS) and I selected "use ZFS and encrypt" during installation. Now before I can log in it asks me "please unlock disk keystore-rpool" and I have to type in the encryption password it before I'm able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks "aren't secure against battering rams". Normal people don't need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

you are viewing a single comment's thread
view the rest of the comments
[-] umami_wasbi@lemmy.ml 13 points 8 months ago

They give up some security by gaining convenience and slightly better UX.

I can't vet Apple's security, but TPM isn't a silver bullet either.

https://hacky.solutions/blog/2024/02/tpm-attack

[-] flork@lemy.lol 3 points 8 months ago

Yeah I don't need a silver bullet I'm not storing highly sensitive data, I just mistakenly assumed this would be easier.

[-] umami_wasbi@lemmy.ml 2 points 8 months ago

Great to hear. TPM is totally usable if your threat model can tolerate the risk. Sadly Linux is a bit lacking support for TPM in FDE. You can try the Nitrokey with GPG method without pin I wrote in the other thread if you hit the wall. Good luck!

Here's a guide if you want FDE with TPM: https://blastrock.github.io/fde-tpm-sb.html

[-] Bitrot@lemmy.sdf.org 3 points 8 months ago* (last edited 8 months ago)

Linux works fine with the TPM, systemd even includes it as a feature (although Ubuntu patches it out, Fedora does not). Takes two commands to enable it, although you can get very into the weeds like that guide does if you are concerned about real bad actors instead of common thieves.

[-] umami_wasbi@lemmy.ml 2 points 8 months ago

That I doesn't know Ubuntu patches it out.

[-] Bitrot@lemmy.sdf.org 1 points 8 months ago

The decision had to do with not having unified kernel images or something, essentially the decision that it couldn’t be done securely enough so they didn’t allow it at all even if you understand the risks. I don’t agree with the philosophy.

The next LTS should have official support in the installer (experimental in 23.10), and with signed binaries that will increase security substantially. Unfortunately it depends on snap.

this post was submitted on 24 Feb 2024
98 points (77.2% liked)

Linux

48058 readers
1073 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS