this post was submitted on 24 Feb 2024
90 points (76.8% liked)

Linux

48130 readers
554 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I recently switched to Linux (Zorin OS) and I selected "use ZFS and encrypt" during installation. Now before I can log in it asks me "please unlock disk keystore-rpool" and I have to type in the encryption password it before I'm able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks "aren't secure against battering rams". Normal people don't need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

you are viewing a single comment's thread
view the rest of the comments
[–] redtree3@beehaw.org 13 points 8 months ago (1 children)

I'm also a linux noob, but I thought having to unlock the encryption before getting to the actual account was part of the point. If the encryption is always already unlocked it's easier to break in.

[–] flork@lemy.lol 3 points 8 months ago (2 children)

Then how come Windows and MacOS don't require two different PWs?

[–] umami_wasbi@lemmy.ml 13 points 8 months ago (1 children)

They give up some security by gaining convenience and slightly better UX.

I can't vet Apple's security, but TPM isn't a silver bullet either.

https://hacky.solutions/blog/2024/02/tpm-attack

[–] flork@lemy.lol 3 points 8 months ago (1 children)

Yeah I don't need a silver bullet I'm not storing highly sensitive data, I just mistakenly assumed this would be easier.

[–] umami_wasbi@lemmy.ml 2 points 8 months ago (1 children)

Great to hear. TPM is totally usable if your threat model can tolerate the risk. Sadly Linux is a bit lacking support for TPM in FDE. You can try the Nitrokey with GPG method without pin I wrote in the other thread if you hit the wall. Good luck!

Here's a guide if you want FDE with TPM: https://blastrock.github.io/fde-tpm-sb.html

[–] Bitrot@lemmy.sdf.org 3 points 8 months ago* (last edited 8 months ago) (1 children)

Linux works fine with the TPM, systemd even includes it as a feature (although Ubuntu patches it out, Fedora does not). Takes two commands to enable it, although you can get very into the weeds like that guide does if you are concerned about real bad actors instead of common thieves.

[–] umami_wasbi@lemmy.ml 2 points 8 months ago (1 children)

That I doesn't know Ubuntu patches it out.

[–] Bitrot@lemmy.sdf.org 1 points 8 months ago

The decision had to do with not having unified kernel images or something, essentially the decision that it couldn’t be done securely enough so they didn’t allow it at all even if you understand the risks. I don’t agree with the philosophy.

The next LTS should have official support in the installer (experimental in 23.10), and with signed binaries that will increase security substantially. Unfortunately it depends on snap.

[–] acockworkorange@mander.xyz 0 points 8 months ago

You keep bringing that up. Those are different systems with different approaches to security. You can compare them to death and back and it won't bring your system to where you want it.

People have come to you with suggestions to achieve what you want and explained the consequences. Try that instead.