Encrypted hard drive asking for password every time

wispydust , 3 months ago

This reply isn’t going to be helpful to OP, but thought I might add context for others passing by.

I’m using Arch Linux with LUKS encryption and gdm. As long as my user’s password is the same as the LUKS password, I only ever type my password in once.

Just saying that a MacOS-like convenience is definitely possible on Linux.

flork OP , 3 months ago

Fascinating, you don’t have automatic login enabled? And I assume this is at the pre-login prompt?

wispydust , 3 months ago

Oof - forgot to mention that I do have autologin configured on gdm 😀

unhinge , 3 months ago

user’s password can be totally different from luks password if you’re using autologin. You can keep it same but that’s totally optional. You can login without entering any password at all if not using luks (or using autodecrypt), you can see that in live isos.

Pantherina , 3 months ago

Thats how encryption works. Encryption with TPM protects against removing the drive and reading somewhere else, so I suppose it makes sense for most people.

Linux Distros have this option, Ubuntu has it now I think, but on the others its often manual setup.

Just search for “cryptsetup change to tpm”

deafboy , 3 months ago

There used to be exactly what you are looking for. Encfs, and later ecryptfs could encrypt just the data in your home folder.

It was a checkbox in ubuntu installer, just like the full disk encryption today. The key was protected by the standard user password.

Unfortunately, it was deprecated due to discovered security weaknesses, and I’m not aware of any viable replacement.

Pantherina , 3 months ago

Systemd-homed does the same. But it is quite a huge change in the system, see this thread on the Fedora Discuss

deafboy , 3 months ago

Looks like it’s creating a new volume in a file, but I don’t see any type of quota being set upfront. If it scales up dynamically, it looks like a hot candidate. At this point I just hope distro maintainers settle down on something, anything, and give it a long term support.

init , 3 months ago

If you want to do away with any protection you have with opting in to a security measure, like typing in a password, why don’t you just reinstall and not select the encryption option?

Not requiring a password, or automatically entering a password to decrypt the filesystem, is essentially the same as not having encryption.

Decide which you want: Security or convenience. You cannot have both.

delirious_owl , 3 months ago

You dont want to do that.

What’s the point of encrypting something without a good passphrase? It defeats the whole purpose.

unhinge , 3 months ago

Assuming you want:

1. Single password prompt instead of auto-decrypt with tpm
2. User’s files to be encrypted

---

There are several ways to achieve this:

1. autologin (recommended for single user system):/ is encrypted using luks or zfs native encryption and user’s home needs to be unencrypted. User’s password may be same as encryption password for convenience, though they still are two passwords used for different purposes.
2. pam mount:/ is unencrypted or auto-decrypted and user’s home is encrypted independently from / using zfs,luks,fscrypt,etc. In this case, user’s login password must be same as user’s home encryption password. It’s suitable for multi-user system. NOTE: It cannot be used with autologin since user’s home needs to be decrypted to log in.

WARNING: For tpm usage, using secure boot is highly recommended to prevent unauthorized user from accessing key stored in tpm.

To prevent auto-decrypt with tpm, tpm-pin can be used (with autologin for requirement #1).

3. **systemd-cryptenroll with/without tpm:**As far as I know it can be only used to unlock disk encrypted with luks2. It can be used without tpm with pkcs11-token (e.g. YubiKey) or fido2-device. It also uses parameter encryption while key is unsealed, so safe from key sniffing via communication bus. This is easy if secure boot is enabled and luks2 is used for encryption.
4. **clevis with tpm:**It can be used in place of systemd-cryptenroll. May be used with zfs native encryption. Though I’m not sure if it uses parameter encryption (correct me).
5. **unencrypted keyfile on usb:**Not sure about zfs, but you can use keyfile on a usb drive to decrypt luks containers.

---

NOTE: I’m not a forensic/security expert. I listed a brief overview of methods I could think of to keep user’s files encrypted while providing single password till login.

flork OP , 3 months ago

Auto decrypt with TPM sounds fine to me but I have no idea what TPM is as this is my first PC with it.

Thanks for the great response though I’ll look into these

unhinge , 3 months ago

I have no idea what TPM is

Read Skull giver’s reply or look it up.

---

Re-reading your post, I take you want to avoid typing long and tedious password? And that’s why you want to auto-decrypt?

1. (Recommended) You could use strong memorable passwords that are not difficult to type and enable autologin. Related xfcd comic:

https://imgs.xkcd.com/comics/password_strength.png

2. systemd-cryptenroll: For TPM usage, I highly recommend using secure boot. Though not sure if you can easily do that. A less secure alternative using systemd-cryptenroll would be use tpm2-pin and bind key to no pcrs (discouraged). But then you’ll have to use luks2 for encryption. Notice from man systemd-cryptenroll regarding tpm2-pin:

Note that incorrect PIN entry when unlocking increments the TPM dictionary attack lockout mechanism, and may lock out users for a prolonged time, depending on its configuration. The lockout mechanism is a global property of the TPM, systemd-cryptenroll does not control or configure the lockout mechanism. You may use tpm2-tss tools to inspect or configure the dictionary attack lockout, with tpm2_getcap(1) and tpm2_dictionarylockout(1) commands, respectively Also tpm2-pin is not disk encryption password and short alphanumeric password needed so tpm decrypts the device; so encryption password should be secured in a safe place. Also check if your distro supports systemd-cryptenroll.

3. usb drive: read previous comment
4. clevis: It probably isn’t as simple as systemd-cryptenroll but I guess you can use zfs and combine that with tpm2-pin if not using secure boot (discouraged).

---

You’ll have to make a compromise somewhere between security and convenience. Even if you use pam mount, you’ll have to enter the password, biometrics won’t do.

---

Edit: remove unnecessary user tag and add img uri

axzxc1236 , 3 months ago

systemd-homed can also do it.

unhinge , 3 months ago

oh, I forgot. Thanks for mentioning that :)

Eideen , 3 months ago

Yes there is TPM for full disk encryption.

gist.github.com/…/02102b3af3acfdaf9a5a2164bea7c3d…

Do I had problem making swap partition work. As lockdown mode is triggered.

man7.org/linux/…/kernel_lockdown.7.html

I current only encrypted home.

hperrin , 3 months ago

If it’s LUKS encryption, yeah, you can unlock it with the TPM. I forget how. Basically you add another key to LUKS that comes from the TPM. There are guides online.

Saff , 3 months ago

Instead of encrypting the entire drive, encrypt the home folder. That way it’s unlocked when you sign in.

gofsckyourself , 4 months ago

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

I am sorry you were treated like this and downvoted for just asking for help without being a jerk at all.

BCsven , 4 months ago

I’m not familiar with zfs, but on an encrypred drive I got around this using crypt tab If i recall. you edit a crypt file, ftab points to it or something…sorry it was 7 years ago. But there is a way to make the OS grab the decryption password. You trade convienience for security obviously

ryannathans , 4 months ago

Linux, booting on zfs? Out of the box? What magic is this

Bisexual_Cookie , 4 months ago

as others have pointed out, you can use systemd-cryptenroll to add your tpm as a way to unlock the disk at boot, security of this should be fine if secureboot is enabled (for this to work it will need to be anyway) and a password is set for the uefi. See the archwiki entry for setup info (command is as simple as systemd-cryptenroll --tpm2-device=auto /dev/rootdrive, also the device needs to be encrypted with luks2, no idea if zorin uses that by default but you can convert luks1 to luks2 {backup ur headers first!})

Pika , 4 months ago

I use partial disk encryption myself using luksCrypt but without the auto unlock, your comment on the crackhead stealing it doesn’t help you in that scenario, you 1000% can tie a partition encryption or home directory encryption and have it automatically decrypt using either a USB drive or TPM but, as is with Windows and MacOS if your PC gets stolen, the drive will be unlocked automatically regardless if it is you, it’s only if the drive gets stolen on it’s own that an auto unlock drive would help you, but it’s not likely that only that will happen. At that point it might not be worth encrypting as a whole if that was your main concern.

toastal , 4 months ago (edited 3 months ago)

My previous laptop got struck by lightning last month. Because I had a passphrase & not TPM for unlocking, I stripped the NVMe from the board, put it in an enclosure, entered the passphrase, & now I can access all my data for recovering from that situation. Had I tied it to TPM, I wouldn’t be able to recover my data (ZFS & Bcachefs only have one ‘slot’ for passphrases so no secondary, backup key)—while, as you pointed out, a thief can just boot the laptop they stole to get the data. Point being: passphrases offer advantages while being dead simple.

kugmo , 3 months ago

shame it got struck by lightning, in another world you would’ve won the lottery with those chances

Max_P , 4 months ago

You ended up with full disk encryption. For most people, it’s the simple option, everything is encrypted. That means the OS can’t start without the key, because you’re the only holder of the key. It’s both dead simple, and pretty bulletproof since there’s no way to access the system without the password. But as you said, not everyone wants that.

What you’re asking for is an encrypted home directory. It’s not that Linux can’t do it, it’s just not what you got. Depending on the use case you can either use TPM to unlock the root partition to boot, or not encrypt the system itself. Then when you log in, it decrypts a separate partition (or use ZFS native encryption, or use fscrypt if your filesystem supports it, or use an overlay filesystem like go-cryptfs).

So it’s not that Linux doesn’t support your use case but rather your distro doesn’t offer it as an installation option. From there you either configure it yourself (ArchWiki is great regardless of distro), or seek out a distro that does.

Linux is not an operating system, it’s just the kernel. What makes it an OS is what distros build on top of it. Linux alone is not that useful, hence the basis of the GNU+Linux memes: it’s Linux, plus a lot of GNU tools to make it do useful things, plus a desktop environment and a whole bunch of other libraries and applications, plus the distro’s touch tying it all together in a mostly cohesive experience.

Miaou , 4 months ago

But I’m confused, the decryption of the home directory needs the owners secret to be entered at some point? I don’t see how this solves Op’s problem (which I also don’t understand, you want encryption, you need to decrypt stuff at some point)

Max_P , 4 months ago

Yes, the question is when and how.

You can enter it in the bootloader as a prerequisite to boot anything. You can also enter it at the display manager / login screen, which is a little further down the boot process.

My desktop for example can boot up to the login screen and perform its NAS and routing duties all on its own. But my user and all of my user’s data is still locked at that point: the computer is usable by guests and everything but even if you manage to throw a root exploit at it, my data is completely safe. Only when I log in, either locally or remotely, my password will go through PAM which will run a script that uses my password to unlock my home directory and mount it as I’m logging in.

What changes is what is covered by the encryption, and when the key is required. My root is auto unlocked via TPM, my home is unlocked on demand as I log in to my user account.

OP’s problem is they have full disk encryption so they need the password to boot up Linux at all, but they also get a second password prompt to log in when it reaches the display manager, even if it’s the same password. The solution is either they configure it to auto login since you need a password for the whole OS anyway, or they automate the unlocking of the root partition and use their login password to further decrypt the home directory (or rely entirely on the system being secure that the user isn’t encrypted further and it’s just a password prompt, which is what I think Windows does).

Miaou , 3 months ago

I see, thanks for the explanation. After asking you I kept on reading the comments and understood how tpm helps with the auto decryption.

I still think full disk encryption with auto login is more than enough, at least that’s what I have, and as you can tell anyone can set that up easily.

skullgiver , 4 months ago (edited 3 months ago)

deleted_by_author

Pantherina , 3 months ago

Fprintd is the only biometrics I know and hardware support is very limited. There are no easily accessible usb fingerprint readers either, which would allow easy testing and recommending.

I think if we could reverse engineer some kensington / etc. fprint sensor that would be huge.