this post was submitted on 29 Apr 2024
25 points (96.3% liked)


Hello everyone!

I daily drive a Nobara install with my main drive being a LUKS-encrypted M.2 drive. Every time I boot my computer I get presented with the password prompt to unlock the drive and afterwards get prompted by my login manager to log in.

Is there any way to combine these steps into a single prompt? It is starting to get a bit annoying having two steps every time I boot.

top 20 comments
[–] [email protected] 1 points 6 months ago

Another approach entirely is to use pam_mount(8) which can automatically mount a disc on login. I use it to mount /home/$USER (obviously this couldn't be used to mount the root fs !!)

[–] [email protected] 0 points 6 months ago* (last edited 6 months ago)

On NixOS I did this:

services.displayManager.autoLogin = {
	enable = true;
	user = "kevincox";
};

# Avoid setting up a keyring every time I do a non-auto login.
# https://gitlab.gnome.org/GNOME/seahorse/-/issues/159
security.pam.services.login.enableGnomeKeyring = lib.mkForce false;

[–] [email protected] 2 points 6 months ago (1 children)

I asked this a while back and was told I am an idiot for asking and it is astonishing I am able to even use a computer, which I clearly am not responsible enough to use.

Just kidding (not really) but consensus was "not very easily". I tried a few methods which were complicated and didn't manage to work. Yes, Windows and MacOS do this seamlessly, but nobody has yet taken the time to add a similar functionality to Linux.

[–] [email protected] 2 points 6 months ago (1 children)

What OP is asking is trivial to set up on Linux though. Just set up autologin on your login manager, which is probably a single checkbox.

Your issue is different because you want biometric login. LUKS encryption only supports passwords, keyfiles and hardware keys (they are kinda goofy though). So you have to use the login manager which supports biometrics. But if you want full disk encryption, you first need to decrypt the hard drive. This can be done by storing the decryption key in the TPM part of your processor. That obviously means that someone with an electron microscope could steal your data if they stole your computer. But if you don't care about that, it's a solution. On macOS and Windows it works nicely but on Linux not so much. Ubuntu has TPM-based encryption but it's currently experimental.

An alternative solution is to use Yubikey Bio (hardware key with fingerprint scanner) with LUKS, but hardware keys are kinda goofy to set up.

Another is to not use full disk encryption. You can just encrypt your home folder. Downsides are that you cannot use hibernation and it is less robust. For example, once I accidentally typed my root password into the root shell and it therefore got written to /root/.bash_history, which was not encrypted. (It's probably best to symlink it to /dev/null.)

[–] [email protected] 1 points 6 months ago (1 children)

These are all great, but they are all workarounds, not solutions.

[–] [email protected] 1 points 6 months ago

What do you mean? Ubuntu's TPM-based encryption is the solution, it's just not stable yet.

[–] [email protected] 4 points 6 months ago

I tried to do this a while ago with a GNOME system, setting GDM to automatically log me in, but I ended up always getting prompted for my password from gnome-keyring shortly after logging in which seemed to defeat the point. If you use GNOME, you might want to look at ArchWiki's gnome-keyring page which describes a couple solutions to this problem (under the PAM section) which should be applicable on any systemd distro.

[–] [email protected] 6 points 6 months ago (1 children)

Don't automatically unencrypt. Auto login is fine though, but you'll need to search for how to do it in your display manager. For example in sddm. If you have multiple users, use passwordless login instead.

[–] [email protected] 5 points 6 months ago

No, auto-unencrypting sounds like it would defeat the entire point of an encrypted drive to begin with. I'm only using auto login.

[–] [email protected] 6 points 6 months ago* (last edited 6 months ago) (2 children)

There is a way to place the secret file (corresponding to the password) on a dedicated USB stick and have a script attempt to mount it at boot to unlock the partition. If the USB stick is not found, it will revert to the password prompt. Perhaps this is the best of both?

Make sure not to leave the USB stick plugged in, but rather only take it and plug it in to boot, then safely store it once booted; otherwise you are probably defeating the purpose of having an encrypted partition to begin with.

I'll add a link to read more about it shortly.

Edit: here is one example to set it up (including to auto-decrypt ZFS) https://www.youtube.com/watch?v=7xOLxCwdi-I
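
The "key on a USB stick, passphrase prompt as fallback" setup described in this comment, as an added example that is not code from the thread or its commenters. Instead of a custom mount script it uses what systemd-cryptsetup already provides: the crypttab(5) key-file field accepts `PATH:DEVICE`, and the `keyfile-timeout=` option falls back to the passphrase prompt when the key device does not show up in time (this assumes a recent systemd; the UUIDs, volume name and key path are constructed placeholders). The check function flags the two mistakes raised in the thread: a key file kept on the unencrypted local disk, and an external key with no timeout, which would hang the boot instead of falling back.

```shell
#!/bin/sh
# Added example, not from the thread: a systemd /etc/crypttab entry for a LUKS
# volume unlocked by a key file on a USB stick, falling back to a passphrase
# prompt when the stick is absent, plus a sanity check for such entries.
# Assumes systemd-cryptsetup (crypttab(5)): key-file field "PATH:DEVICE" and
# the keyfile-timeout= option. All UUIDs, names and paths are constructed.

# Build one crypttab line.
#   $1 volume name                 $2 UUID of the LUKS partition
#   $3 key path on the USB stick   $4 UUID of the USB stick's filesystem
#   $5 how long to wait for the stick before asking for the passphrase
crypttab_line() {
    printf '%s UUID=%s %s:UUID=%s luks,keyfile-timeout=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Inspect one crypttab line (passed as a single string). Reports:
#   - a key file kept inside the unencrypted /boot partition, i.e. right next to
#     the ciphertext, which defeats the encryption if the disk is stolen;
#   - a key on an external device without keyfile-timeout=, so boot blocks on a
#     missing stick instead of falling back to the passphrase prompt.
# Returns 0 when the entry is acceptable, 1 when a problem was printed.
check_crypttab_line() {
    set -- $1                      # split into name, device, key, options
    key=${3:-none}
    opts=${4:-}
    case "$key" in
        none|-)                    # passphrase only: nothing to check
            return 0 ;;
        *:*)                       # key lives on a separate device
            case ",$opts," in
                *,keyfile-timeout=*) return 0 ;;
                *) echo "$1: key on external device but no keyfile-timeout=, no passphrase fallback"
                   return 1 ;;
            esac ;;
        /boot/*)
            echo "$1: key file $key is stored unencrypted on the local disk"
            return 1 ;;
        *)  return 0 ;;
    esac
}

# One-time enrollment of the USB key as an additional LUKS key slot (run as root
# with the stick mounted at $1 and the LUKS device as $2). The existing
# passphrase slot is kept, so the fallback prompt keeps working.
# Defined for completeness; the demonstration below does not call it.
enroll_usb_key() {
    head -c 4096 /dev/urandom > "$1/luks.key"
    chmod 0400 "$1/luks.key"
    cryptsetup luksAddKey "$2" "$1/luks.key"
}

# Demonstration on constructed values (run with: sh this-file.sh).
good=$(crypttab_line cryptroot 3f2c1a8e-0000-4000-8000-000000000001 /luks.key 9b1e7d42-0000-4000-8000-000000000002 10s)
echo "$good"
check_crypttab_line "$good" && echo "ok: falls back to the passphrase after 10s"
if check_crypttab_line "cryptroot UUID=3f2c1a8e-0000-4000-8000-000000000001 /boot/luks.key luks"; then
    echo "unexpected: weak entry accepted"
fi
```

The produced line belongs in /etc/crypttab; after editing it, the initramfs has to be regenerated with the distribution's usual tool so the early-boot copy picks it up.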

[–] [email protected] 1 points 6 months ago

I do this, along with pamusb, so I don't need a password for sudo etc. (which allows a longer more secure password than I might otherwise use). Depending on the threat model, I think it's fine to just leave it in. One day I'll get it to shutdown --now on ripping out the key drive without dismounting first, sort of a break glass in emergency thing. Same thing can be achieved with pulling the key and holding the power button though (even if it's a bit rude to the filesystem)

[–] [email protected] 1 points 6 months ago

This is a unique and pretty cool solution. I might look into it if I have issues with auto-login 👍

[–] [email protected] 6 points 6 months ago

Mildly secure but you can put the password in TPM2 with this tool https://github.com/timchen119/tpm2-initramfs-tool

[–] [email protected] 5 points 6 months ago

I disabled the second login prompt on my KDE archlinux, since the LUKS one already pretty much authenticates me to my Laptop.

I have no clue which desktop environment and session manager Nobara uses, but you can probably disable the login password somewhere in the settings.

[–] [email protected] 12 points 6 months ago (1 children)
[–] [email protected] 4 points 6 months ago (1 children)

Thank you very much. The DM settings were shuffled a bit in Plasma 6, but I managed to find it under SDDM > Behaviour.

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago) (2 children)

Be aware that KWallet will require you to enter your password if you auto-login. KWallet usually saves your passwords for wifi etc. That's why auto-login with KDE doesn't make much of a difference in most use cases.

[–] [email protected] 2 points 6 months ago

Can you configure KWallet with no password? Often you can do something like set an empty password and it will auto-decrypt with no prompt.

This may be undesirable as apps running in your user can access what is in KWallet but honestly this is probably the case anyways. If you are running unsandboxed untrusted applications you have already lost.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

This is fine for my use case. I don't run wifi on my gaming rig, but I guess I'll see if any other things prompt me for a password after logging in next time.

Edit: Nope, I have no clue what is even possibly stored in KWallet, if anything, but it still pops up and requests a password. Ironically I went from typing my password 2 times to 3 times by enabling auto-login. I now have to unlock the keyring once I log in, and then unlock KWallet once I try to launch Discord. We love it.

[–] [email protected] 2 points 6 months ago

It's fairly common for apps to save login information in KWallet on your keyring, so any time those credentials on your keyring need to be accessed (like automatically logging into Discord when it starts), you will need to unlock your keyring. It's generally easier to just log into your profile with a password, as KWallet won't need to get you to unlock it separately.