I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.
Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.
Also might TPM have anything to do with this?
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
Afaik you can’t. Disk encryption requires entering the password every time and it asks for it BEFORE the OS is started so you can’t use biometric login either
That’s not technically true as enabling bitlocker on windows and filevault on Mac don’t require two different passwords.
Mac will ask you to “log in” very early in the boot process to decrypt the disk, I assume it keeps the drive key encrypted with your password somewhere.
That’s just not true I have two macs with it enabled on both and it requires a single “normal” password
That’s likely because your Macs are using the TPM. Does your Linux machine have a TPM, and are you using it?
I don’t think so, they are both intel macs over 10 years old and Macs didn’t start adding TPM until 2017. On Mac, when you check the box to encrypt the drive during install you’re prompted for an encryption password which you never need to use again unless you remove the drive and put it into another mac (or in my case add a second hard drive and use the original as “extra” storage).
Macs had TPMs before Windows PCs, IIRC.
Kinda curious as to the point of drive encryption if you just want it to automatically unlock on boot.
Encryption makes it more difficult to copy data from the drive. Windows and MacOS can manage to encrypt drives without requiring two different passwords, I mistakenly assumed Linux could too.
If you’re having it automatically unlock the drive at boot, it kind of defeats the purpose. If someone steals your tower, they can boot it and copy the unencrypted contents since it automatically unlocks.
OP isn’t asking for it to decrypt automatically. OP is asking for the entering the decryption password to also log you in. That way you only have to type the password once, instead of twice.
GDM has an autologin feature, OP should use it.
I dont think you can. Can you read SSD storage while that is running? The drive needs to be decrypted using the TPM, and that should only work when its plugged in.
How… How would they get the drive? Would n that need access to your computer? I imagine at that point they could turn it on first and copy your data that way, no?
Disk encryptions entire point is securing against physical access
There used to be exactly what you are looking for. Encfs, and later ecryptfs could encrypt just the data in your home folder.
It was a checkbox in ubuntu installer, just like the full disk encryption today. The key was protected by the standard user password.
Unfortunately, it was deprecated due to discovered security weaknesses, and I’m not aware of any viable replacement.
Systemd-homed does the same. But it is quite a huge change in the system, see this thread on the Fedora Discuss
Thats how encryption works. Encryption with TPM protects against removing the drive and reading somewhere else, so I suppose it makes sense for most people.
Linux Distros have this option, Ubuntu has it now I think, but on the others its often manual setup.
Just search for “cryptsetup change to tpm”
https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS
Thats what you want i think
