I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

  • @[email protected]
    391 year ago

    OP, just change your encryption key to whatever you have your password as and set your login to auto login. This will give you the experience you desire as it’ll decrypt the disk with your password and log you in automatically once it’s decrypted, but if you lock the system (close the lid. Screen lock. Etc) you’ll still get a login screen as normal. (Just keep in mind they’re technically two separate passwords and will unfortunately need to be changed separately if you do change your password).

    • @[email protected]
      41 year ago

      What I do for a little extra security is that my encryption password is just a longer variation of my normal password. So of I have an encrypted password sentence like “correct battery staple horse” my login password would just be “correct battery”. It’s a simple way to add a little extra and a good reminder everytime I turn on my computer that they are in fact two different passwords and protect me differently.

  • @[email protected]
    61 year ago

    This reply isn’t going to be helpful to OP, but thought I might add context for others passing by.

    I’m using Arch Linux with LUKS encryption and gdm. As long as my user’s password is the same as the LUKS password, I only ever type my password in once.

    Just saying that a MacOS-like convenience is definitely possible on Linux.

    • JediwanOP
      21 year ago

      Fascinating, you don’t have automatic login enabled? And I assume this is at the pre-login prompt?

        • unhinge
          31 year ago

          user’s password can be totally different from luks password if you’re using autologin. You can keep it same but that’s totally optional. You can login without entering any password at all if not using luks (or using autodecrypt), you can see that in live isos.

  • @[email protected]
    21 year ago

    I do not know the answer, but this got me thinking: would it be easier to set up a single login for both session and decryption if /home was on a separate partition and only /home was encrypted?

  • @[email protected]
    71 year ago

    If it’s LUKS encryption, yeah, you can unlock it with the TPM. I forget how. Basically you add another key to LUKS that comes from the TPM. There are guides online.

  • Random DentEnglish
    41 year ago

    Not sure if this works with drive encryption since it comes before the OS, but could this maybe be done with a YubiKey or something like that?

    That way, you can plug it in and not worry about typing the password every time, but then it’s also secure if someone takes your PC? As long as you remove the key when it’s off of course.

  • @[email protected]
    41 year ago

    My mom brings me and my anime mousepad with boobs waifu bagel bites, what does your mom even do? Also, you can do autologin, so you only enter a password once to decrypt on boot.

  • @[email protected]
    91 year ago

    If you want to do away with any protection you have with opting in to a security measure, like typing in a password, why don’t you just reinstall and not select the encryption option?

    Not requiring a password, or automatically entering a password to decrypt the filesystem, is essentially the same as not having encryption.

    Decide which you want: Security or convenience. You cannot have both.

  • astrsk
    231 year ago

    I was kinda annoyed at double password login when I setup my system too. So what I did was just enable automatic login for my user since I’m the only one. I just treat my disk password as my login form so I just enter one password. I still have a user password for things like sudo and other permissions handling when I’m logged in but getting into a new session is automatic on startup so it doesn’t annoy me anymore. Would that work for you?

    • u/lukmly013 💾 (lemmy.sdf.org)English
      11 year ago

      I was kinda annoyed at double password login

      Same. Not at all interesting.
      Boot up password -> ATA DriveLock password -> LUKS FDE password -> Login password, that’s where it’s at.
      /j

      It’s just funny situation if you forget the DriveLock master password. Yes, it has 2 passwords. The master password is needed to remove the user password which is used for unlocking. If you forget the master password, you can’t ever reset the user password. If you forget both, you upgraded the drive to a paperweight. Additionally, some BIOSes may do hidden key derivation, store the master password in TPM, or do some other crap, so it’s generally not recommended unless you actually need it.
      This can also be set in hdparm.
      Also, I have no idea what way there is for NVME drives, as this uses ATA commands. It’s also good to note that some drives use this for hardware-based encryption, and some don’t. So it brings varying security.

      • Helix 🧬English
        21 year ago

        If you forget both, you upgraded the drive to a paperweight.

        That’s why I have a password manager on my phone.

    • JediwanOP
      21 year ago

      I think this is what I might have to do as I really don’t want to go back to Windows. I don’t suppose if you know if there is a way to lock the drive upon logging out? Or do I need to do a full shutdown every time.

      • @[email protected]
        31 year ago

        IIRC and I may be wrong here the drive stays encrypted in sleep. Decryption is done in real time via your CPU. However the encryption key is stored in unencrypted RAM. Which is why the other comment suggests encrypting swap and hibernating, this writes RAM to disk.

      • nomad
        41 year ago

        Move your swap to encrypted part of your drive and suspend to disk. ;)

      • astrsk
        31 year ago

        I’m not sure LUKs can lock a drive that’s booted already since it’s not a RAM session like a live CD is and relies on the decrypted files to operate. This is why the encryption key is prompted from your boot manager prior to actually getting the system running. That said, I lock my computer all the time and just rely on the normal user password to get back in.

  • @[email protected]
    51 year ago

    The common way to do it with LUKS2 and TPM as detailed on the Arch wiki. Not sure if that’ll apply at all to ZFS and Zorin though

    It is less secure though. What I do is set my computer to log in on start and I set up fingerprint auth. So I only need to login once on startup with the drive decryption.

    Here’s a reddit post on using clevis, TPM, and ZFS to decrypt.

    You should also know that if you’re mobo dies so does your data.

  • @[email protected]
    61 year ago

    Thats how encryption works. Encryption with TPM protects against removing the drive and reading somewhere else, so I suppose it makes sense for most people.

    Linux Distros have this option, Ubuntu has it now I think, but on the others its often manual setup.

    Just search for “cryptsetup change to tpm”

    • Kingstrum
      11 year ago

      @flork
      Never set it up, but I think there’s a PAM or systemd bit that allows for this. Something to look for is “headless server startup” or “drive unlock at boot”. There is definitely a solution to this, as I had to forego setting it up on my Mac Mini server because there is no way to do it headless/remote.

      Having to type in the unlock password at boot hasn’t been a big hassle thus far on my ThinkPad running Fedora. Not bothered to setup a Yubikey or other tokens.

  • @[email protected]
    31 year ago

    There used to be exactly what you are looking for. Encfs, and later ecryptfs could encrypt just the data in your home folder.

    It was a checkbox in ubuntu installer, just like the full disk encryption today. The key was protected by the standard user password.

    Unfortunately, it was deprecated due to discovered security weaknesses, and I’m not aware of any viable replacement.

      • @[email protected]English
        11 year ago

        Looks like it’s creating a new volume in a file, but I don’t see any type of quota being set upfront. If it scales up dynamically, it looks like a hot candidate. At this point I just hope distro maintainers settle down on something, anything, and give it a long term support.

  • go $fsck yourself
    371 year ago

    EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

    I am sorry you were treated like this and downvoted for just asking for help without being a jerk at all.