From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
This reply isn't going to be helpful to OP, but thought I might add context for others passing by.
I'm using Arch Linux with LUKS encryption and gdm. As long as my user's password is the same as the LUKS password, I only ever type my password in once.
Just saying that a MacOS-like convenience is definitely possible on Linux.
Fascinating, you don't have automatic login enabled? And I assume this is at the pre-login prompt?
Oof - forgot to mention that I do have autologin configured on gdm 😀
user's password can be totally different from luks password if you're using autologin. You can keep it same but that's totally optional. You can login without entering any password at all if not using luks (or using autodecrypt), you can see that in live isos.
Thats how encryption works. Encryption with TPM protects against removing the drive and reading somewhere else, so I suppose it makes sense for most people.
Linux Distros have this option, Ubuntu has it now I think, but on the others its often manual setup.
Just search for "cryptsetup change to tpm"
There used to be exactly what you are looking for. Encfs, and later ecryptfs could encrypt just the data in your home folder.
It was a checkbox in ubuntu installer, just like the full disk encryption today. The key was protected by the standard user password.
Unfortunately, it was deprecated due to discovered security weaknesses, and I'm not aware of any viable replacement.
Systemd-homed does the same. But it is quite a huge change in the system, see this thread on the Fedora Discuss
Looks like it's creating a new volume in a file, but I don't see any type of quota being set upfront. If it scales up dynamically, it looks like a hot candidate. At this point I just hope distro maintainers settle down on something, anything, and give it a long term support.
If you want to do away with any protection you have with opting in to a security measure, like typing in a password, why don't you just reinstall and not select the encryption option?
Not requiring a password, or automatically entering a password to decrypt the filesystem, is essentially the same as not having encryption.
Decide which you want: Security or convenience. You cannot have both.
You dont want to do that.
What's the point of encrypting something without a good passphrase? It defeats the whole purpose.
Assuming you want:
There are several ways to achieve this:
autologin (recommended for single user system): / is encrypted using luks or zfs native encryption and user's home needs to be unencrypted. User's password may be same as encryption password for convenience, though they still are two passwords used for different purposes.
pam mount: / is unencrypted or auto-decrypted and user's home is encrypted independently from / using zfs,luks,fscrypt,etc. In this case, user's login password must be same as user's home encryption password. It's suitable for multi-user system. NOTE: It cannot be used with autologin since user's home needs to be decrypted to log in.
WARNING: For tpm usage, using secure boot is highly recommended to prevent unauthorized user from accessing key stored in tpm.
To prevent auto-decrypt with tpm, tpm-pin can be used (with autologin for requirement #1).
systemd-cryptenroll with/without tpm: As far as I know it can be only used to unlock disk encrypted with luks2. It can be used without tpm with pkcs11-token (e.g. YubiKey) or fido2-device. It also uses parameter encryption while key is unsealed, so safe from key sniffing via communication bus. This is easy if secure boot is enabled and luks2 is used for encryption.
clevis with tpm: It can be used in place of systemd-cryptenroll. May be used with zfs native encryption. Though I'm not sure if it uses parameter encryption (correct me).
unencrypted keyfile on usb: Not sure about zfs, but you can use keyfile on a usb drive to decrypt luks containers.
NOTE: I'm not a forensic/security expert. I listed a brief overview of methods I could think of to keep user's files encrypted while providing single password till login.
Auto decrypt with TPM sounds fine to me but I have no idea what TPM is as this is my first PC with it.
Thanks for the great response though I'll look into these
I have no idea what TPM is
Read Skull giver's reply or look it up.
Re-reading your post, I take you want to avoid typing long and tedious password? And that's why you want to auto-decrypt?
man systemd-cryptenroll regarding tpm2-pin:Note that incorrect PIN entry when unlocking increments the TPM dictionary attack lockout mechanism, and may lock out users for a prolonged time, depending on its configuration. The lockout mechanism is a global property of the TPM, systemd-cryptenroll does not control or configure the lockout mechanism. You may use tpm2-tss tools to inspect or configure the dictionary attack lockout, with tpm2_getcap(1) and tpm2_dictionarylockout(1) commands, respectively Also tpm2-pin is not disk encryption password and short alphanumeric password needed so tpm decrypts the device; so encryption password should be secured in a safe place. Also check if your distro supports systemd-cryptenroll.
usb drive: read previous comment
clevis: It probably isn't as simple as systemd-cryptenroll but I guess you can use zfs and combine that with tpm2-pin if not using secure boot (discouraged).
You'll have to make a compromise somewhere between security and convenience. Even if you use pam mount, you'll have to enter the password, biometrics won't do.
Edit: remove unnecessary user tag and add img uri
Yes there is TPM for full disk encryption.
https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6#using-tpm-20
Do I had problem making swap partition work. As lockdown mode is triggered.
https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html
I current only encrypted home.
If it’s LUKS encryption, yeah, you can unlock it with the TPM. I forget how. Basically you add another key to LUKS that comes from the TPM. There are guides online.
Instead of encrypting the entire drive, encrypt the home folder. That way it’s unlocked when you sign in.
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete. Normal people don't need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
I am sorry you were treated like this and downvoted for just asking for help without being a jerk at all.
I'm not familiar with zfs, but on an encrypred drive I got around this using crypt tab If i recall. you edit a crypt file, ftab points to it or something...sorry it was 7 years ago. But there is a way to make the OS grab the decryption password. You trade convienience for security obviously
Linux, booting on zfs? Out of the box? What magic is this
as others have pointed out, you can use systemd-cryptenroll to add your tpm as a way to unlock the disk at boot, security of this should be fine if secureboot is enabled (for this to work it will need to be anyway) and a password is set for the uefi. See the archwiki entry for setup info (command is as simple as systemd-cryptenroll --tpm2-device=auto /dev/rootdrive, also the device needs to be encrypted with luks2, no idea if zorin uses that by default but you can convert luks1 to luks2 {backup ur headers first!})
I use partial disk encryption myself using luksCrypt but without the auto unlock, your comment on the crackhead stealing it doesn't help you in that scenario, you 1000% can tie a partition encryption or home directory encryption and have it automatically decrypt using either a USB drive or TPM but, as is with Windows and MacOS if your PC gets stolen, the drive will be unlocked automatically regardless if it is you, it's only if the drive gets stolen on it's own that an auto unlock drive would help you, but it's not likely that only that will happen. At that point it might not be worth encrypting as a whole if that was your main concern.
My previous laptop got struck by lightning last month. Because I had a passphrase & not TPM for unlocking, I stripped the NVMe from the board, put it in an enclosure, entered the passphrase, & now I can access all my data for recovering from that situation. Had I tied it to TPM, I wouldn’t be able to recover my data (ZFS & Bcachefs only have one ‘slot’ for passphrases so no secondary, backup key)—while, as you pointed out, a thief can just boot the laptop they stole to get the data. Point being: passphrases offer advantages while being dead simple.
shame it got struck by lightning, in another world you would've won the lottery with those chances