this post was submitted on 24 Feb 2024
Linux

I recently switched to Linux (Zorin OS) and I selected "use ZFS and encrypt" during installation. Now before I can log in it asks me "please unlock disk keystore-rpool" and I have to type in the encryption password before I'm able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks "aren't secure against battering rams". Normal people don't need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

(page 2) 50 comments
[–] Pantherina@feddit.de 4 points 8 months ago

That's how encryption works. Encryption with TPM protects against removing the drive and reading it somewhere else, so I suppose it makes sense for most people.

Linux distros have this option; Ubuntu has it now I think, but on the others it's often a manual setup.

Just search for "cryptsetup change to tpm"

[–] CrabAndBroom@lemmy.ml 4 points 8 months ago (1 children)

Not sure if this works with drive encryption since it comes before the OS, but could this maybe be done with a YubiKey or something like that?

That way, you can plug it in and not worry about typing the password every time, but then it's also secure if someone takes your PC? As long as you remove the key when it's off of course.

[–] Bitrot@lemmy.sdf.org 3 points 8 months ago* (last edited 8 months ago)

Fedora has a good write up using Clevis, I am not sure how well Ubuntu supports it as they traditionally have been against using the TPM for security reasons. https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/

systemd-cryptenroll can do it very quick and easy, it’s literally about two minutes work, but Ubuntu patches out the TPM support.

Ubuntu will soon have TPM-backed full disk encryption as a standard option in the installer. Their implementation is designed to defeat most of the security implications that the naysayers bring up, except the login process is still a potential vulnerability. What you are asking about is not so far fetched as some of the comments would lead you to believe: https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu

[–] delirious_owl@discuss.online 3 points 8 months ago

You don't want to do that.

What's the point of encrypting something without a good passphrase? It defeats the whole purpose.

[–] init@lemmy.ml 3 points 8 months ago

If you want to do away with any protection you have with opting in to a security measure, like typing in a password, why don't you just reinstall and not select the encryption option?

Not requiring a password, or automatically entering a password to decrypt the filesystem, is essentially the same as not having encryption.

Decide which you want: Security or convenience. You cannot have both.

[–] deafboy@lemmy.world 3 points 8 months ago (1 children)

There used to be exactly what you are looking for. EncFS, and later eCryptfs, could encrypt just the data in your home folder.

It was a checkbox in the Ubuntu installer, just like the full disk encryption today. The key was protected by the standard user password.

Unfortunately, it was deprecated due to discovered security weaknesses, and I'm not aware of any viable replacement.

[–] Pantherina@feddit.de 3 points 8 months ago (1 children)

systemd-homed does the same. But it is quite a huge change in the system; see this thread on the Fedora Discuss.

[–] wispydust@sh.itjust.works 3 points 8 months ago (1 children)

This reply isn't going to be helpful to OP, but thought I might add context for others passing by.

I'm using Arch Linux with LUKS encryption and gdm. As long as my user's password is the same as the LUKS password, I only ever type my password in once.

Just saying that a MacOS-like convenience is definitely possible on Linux.

[–] flork@lemy.lol 2 points 8 months ago (2 children)

Fascinating, you don't have automatic login enabled? And I assume this is at the pre-login prompt?

[–] SethranKada@lemmy.ca 2 points 8 months ago (3 children)

I think people are misunderstanding the whole point of drive encryption. It's so that if the drive is stolen or lost, you don't have to worry about it as much. I personally don't see any benefit in doing this if I have to enter a password every time I plug the damn thing in. If you're concerned about somebody stealing your laptop or desktop, the disk-encryption should be the least of your worries.

To the OP: if you happen to use GNOME, then check out the settings in the Disks app. It has auto-unlock options in the per-drive settings. I long ago configured it so my USB is auto-unlocked upon being plugged in. Though after several system resets and such, whatever I did to do that seems to no longer be visible in the GUI, I know that's how I set it up in the first place.

[–] flork@lemy.lol 2 points 8 months ago* (last edited 8 months ago) (1 children)

To the OP: if you happen to use GNOME, then check out the settings in the Disks app. It has auto-unlock options in the per-drive settings.

Thanks so much!

EDIT: This didn't work

[–] Pierre@beehaw.org 2 points 8 months ago

I do not know the answer, but this got me thinking: would it be easier to set up a single login for both session and decryption if /home was on a separate partition and only /home was encrypted?

[–] Bisexual_Cookie@hexbear.net 2 points 8 months ago* (last edited 8 months ago)

As others have pointed out, you can use systemd-cryptenroll to add your TPM as a way to unlock the disk at boot. Security of this should be fine if Secure Boot is enabled (for this to work it will need to be anyway) and a password is set for the UEFI. See the Arch Wiki entry for setup info (the command is as simple as systemd-cryptenroll --tpm2-device=auto /dev/rootdrive; also the device needs to be encrypted with LUKS2, no idea if Zorin uses that by default, but you can convert LUKS1 to LUKS2 {back up your headers first!}).
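The TPM2 enrolment several commenters describe, written out as an added example (this is not code from the thread, the Arch Wiki or any distribution). It checks the two prerequisites mentioned above, a LUKS2 header and Secure Boot being on, before printing the systemd-cryptenroll command. It assumes systemd-cryptenroll was built with TPM2 support (Bitrot notes Ubuntu patches this out), that mokutil is installed, and that the argument is the raw LUKS container (for example /dev/nvme0n1p3, a placeholder), not the mapped device. The luksDump and mokutil outputs embedded below are constructed samples used for the self-test; nothing touches the system unless a device is passed.

```shell
#!/bin/sh
# Added example: preflight checks and the enrolment command for binding a
# LUKS2 volume to the TPM2 with systemd-cryptenroll. Assumes systemd-cryptenroll
# has TPM2 support and mokutil is installed. DEV (e.g. /dev/nvme0n1p3,
# placeholder) is the LUKS container, not the /dev/mapper device.

# Extract "Version:" from `cryptsetup luksDump` output; TPM2 tokens need LUKS2.
luks_version() {
    printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }'
}

# Return 0 when `mokutil --sb-state` output reports Secure Boot enabled.
# PCR 7 (the PCR systemd-cryptenroll seals against by default) only protects
# the key if Secure Boot is on; with it off, a modified boot chain still
# produces the same PCR 7 value and the TPM releases the key.
sb_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# Build the enrolment command. PCRS defaults to 7 (Secure Boot policy);
# "0+7" also pins firmware code, at the cost of re-enrolling after
# firmware updates.
enroll_cmd() {
    dev=$1; pcrs=${2:-7}
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s %s' "$pcrs" "$dev"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DUMP_V1='LUKS header information for /dev/sdX
Version:        1
Cipher name:    aes'
SAMPLE_DUMP_V2='LUKS header information
Version:        2
Epoch:          3'
SAMPLE_SB_ON='SecureBoot enabled'
SAMPLE_SB_OFF='SecureBoot disabled'

if [ "$#" -gt 0 ]; then
    dev=$1
    ver=$(luks_version "$(cryptsetup luksDump "$dev")")
    if [ "$ver" = "1" ]; then
        echo "LUKS1 header: back up the header, then run: cryptsetup convert --type luks2 $dev" >&2
        exit 1
    fi
    if ! sb_enabled "$(mokutil --sb-state)"; then
        echo "Secure Boot is off; refusing to enroll against PCR 7 only" >&2
        exit 1
    fi
    echo "Run as root: $(enroll_cmd "$dev" "${2:-7}")"
    echo "Then add tpm2-device=auto to the options field of the volume's /etc/crypttab line and rebuild the initramfs."
fi
```

Keep the passphrase key slot after enrolling: the TPM slot is an extra unlock path, and `systemd-cryptenroll --wipe-slot=tpm2` removes it again if the machine's boot chain changes and you would rather re-enroll than boot from the recovery prompt.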

[–] BCsven@lemmy.ca 2 points 8 months ago

I'm not familiar with ZFS, but on an encrypted drive I got around this using crypttab, if I recall. You edit a crypt file, fstab points to it or something... sorry, it was 7 years ago. But there is a way to make the OS grab the decryption password. You trade convenience for security, obviously.

[–] zkrzsz@hexbear.net 2 points 8 months ago

https://askubuntu.com/questions/1414617/configure-ubuntu-22-04-zfs-for-automatic-luks-unlock-on-boot-via-usb-drive

This is done by storing the unlock key on a USB drive; it needs the USB plugged in to auto-unlock. See if it helps.
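Both BCsven's crypttab approach and the USB-keyfile setup linked above come down to the same thing: an extra LUKS key slot holding a random keyfile, and a crypttab line telling the initramfs where to find it. The script below is an added example (not from the thread or the linked Ask Ubuntu answer) of that setup using systemd's crypttab(5) `keyfile:device` syntax and the `keyfile-timeout=` option, which makes boot fall back to the passphrase prompt if the stick is absent instead of hanging. It assumes the initramfs is generated with systemd's cryptsetup support (Debian-style initramfs-tools setups use the passdev keyscript instead, not shown), that the USB partition is mounted at the given path while enrolling, and that `rpool_crypt` and the UUIDs are placeholders. Nothing touches the system unless a LUKS device is passed.

```shell
#!/bin/sh
# Added example: unlock a LUKS volume at boot from a keyfile on a USB stick,
# with a timed fallback to the passphrase prompt. Assumes systemd-style
# crypttab handling in the initramfs; device names and UUIDs are placeholders.

# Create a 64-byte random keyfile readable by root only.
gen_keyfile() {
    umask 077
    head -c 64 /dev/urandom > "$1"
    chmod 0400 "$1"
}

# Compose the crypttab line:
#   <name> UUID=<luks uuid> <keyfile path>:UUID=<device holding it> <options>
# keyfile-timeout=<t> makes systemd wait that long for the key device and then
# ask for the passphrase, so a lost or forgotten stick does not block boot.
crypttab_line() {
    name=$1; luks_uuid=$2; key_path=$3; key_dev_uuid=$4; timeout=${5:-10s}
    printf '%s UUID=%s %s:UUID=%s luks,keyfile-timeout=%s\n' \
        "$name" "$luks_uuid" "$key_path" "$key_dev_uuid" "$timeout"
}

# Sanity-check a crypttab line: four fields, keyfile on a separate device,
# and a fallback timeout present.
crypttab_line_ok() {
    set -- $1
    [ "$#" -eq 4 ] || return 1
    case $3 in *:UUID=*|*:/dev/*) ;; *) return 1 ;; esac
    case $4 in *keyfile-timeout=*) ;; *) return 1 ;; esac
    return 0
}

if [ "$#" -gt 0 ]; then
    luks_dev=$1                       # e.g. /dev/nvme0n1p3 (placeholder)
    usb_mount=${2:-/mnt/usbkey}       # USB partition mounted here while enrolling
    gen_keyfile "$usb_mount/luks.key"
    # Add the keyfile as an additional key slot; the passphrase slot stays.
    cryptsetup luksAddKey "$luks_dev" "$usb_mount/luks.key"
    luks_uuid=$(cryptsetup luksUUID "$luks_dev")
    usb_uuid=$(findmnt -no UUID "$usb_mount")
    echo "Append to /etc/crypttab, then rebuild the initramfs:"
    crypttab_line rpool_crypt "$luks_uuid" /luks.key "$usb_uuid"
fi
```

The security trade is the one BCsven names: whoever holds the stick holds the disk, so it belongs on your keyring, not in the laptop bag. Keeping the passphrase slot and the timeout fallback means losing the stick costs you a prompt, not the data.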
