https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS
That's what you want, I think.
I use partial disk encryption myself using luksCrypt, but without the auto unlock. Your comment on the crackhead stealing it doesn't help you in that scenario: you 1000% can tie a partition encryption or home directory encryption and have it automatically decrypt using either a USB drive or TPM, but, as with Windows and macOS, if your PC gets stolen the drive will be unlocked automatically regardless of whether it is you. It's only if the drive gets stolen on its own that an auto-unlock drive would help you, but it's not likely that only that will happen. At that point it might not be worth encrypting as a whole if that was your main concern.
My previous laptop got struck by lightning last month. Because I had a passphrase & not TPM for unlocking, I stripped the NVMe from the board, put it in an enclosure, entered the passphrase, & now I can access all my data for recovering from that situation. Had I tied it to TPM, I wouldn’t be able to recover my data (ZFS & Bcachefs only have one ‘slot’ for passphrases so no secondary, backup key)—while, as you pointed out, a thief can just boot the laptop they stole to get the data. Point being: passphrases offer advantages while being dead simple.
shame it got struck by lightning, in another world you would've won the lottery with those chances
Not sure if this works with drive encryption since it comes before the OS, but could this maybe be done with a YubiKey or something like that?
That way, you can plug it in and not worry about typing the password every time, but then it's also secure if someone takes your PC? As long as you remove the key when it's off of course.
There used to be exactly what you are looking for. EncFS, and later eCryptfs, could encrypt just the data in your home folder.
It was a checkbox in the Ubuntu installer, just like the full disk encryption today. The key was protected by the standard user password.
Unfortunately, it was deprecated due to discovered security weaknesses, and I'm not aware of any viable replacement.
systemd-homed does the same. But it is quite a huge change in the system, see this thread on the Fedora Discuss
Looks like it's creating a new volume in a file, but I don't see any type of quota being set upfront. If it scales up dynamically, it looks like a hot candidate. At this point I just hope distro maintainers settle down on something, anything, and give it a long term support.
Fedora has a good write up using Clevis, I am not sure how well Ubuntu supports it as they traditionally have been against using the TPM for security reasons. https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
systemd-cryptenroll can do it very quickly and easily; it's literally about two minutes' work, but Ubuntu patches out the TPM support.
Ubuntu will soon have TPM-backed full disk encryption as a standard option in the installer. Their implementation is designed to defeat most of the security implications that the naysayers bring up, except the login process is still a potential vulnerability. What you are asking about is not so far fetched as some of the comments would lead you to believe: https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu
I do not know the answer, but this got me thinking: would it be easier to set up a single login for both session and decryption if /home was on a separate partition and only /home was encrypted?
I think people are misunderstanding the whole point of drive encryption. It's so that if the drive is stolen or lost, you don't have to worry about it as much. I personally don't see any benefit in doing this if I have to enter a password every time I plug the damn thing in. If you're concerned about somebody stealing your laptop or desktop, the disk-encryption should be the least of your worries.
To the OC; if you happen to use GNOME, then check out the settings in the DISKS app. It has auto-unlock options in the per-drive settings. I long ago configured it so my USB is auto-unlocked upon being plugged in. Though after several system resets and such, whatever I did to do that seems to no longer be visible in the GUI, I know that's how I set it up in the first place.
Thanks so much!
EDIT: This didn't work
I'm not familiar with ZFS, but on an encrypted drive I got around this using crypttab if I recall. You edit a crypt file, fstab points to it or something... sorry, it was 7 years ago. But there is a way to make the OS grab the decryption password. You trade convenience for security, obviously.
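Two of the approaches mentioned in this thread, the systemd-cryptenroll TPM2 route and the crypttab keyfile route, put together as an added example; this is not code from any commenter or from the projects named. It assumes a Linux system with systemd 251 or newer, cryptsetup with LUKS2, and GNU coreutils `stat`; the device path, UUID and keyfile path are placeholders. The script enrolls a recovery key before the TPM2 token (the backup slot the lightning-strike comment wished for), emits the matching crypttab lines, and includes two checks: that a keyfile is not group- or world-readable, and that a luksDump shows a non-TPM fallback before you rely on auto-unlock. With `DRY_RUN=1` the privileged commands are printed instead of executed.

```shell
#!/bin/bash
# Added example, not from the thread. Assumptions: systemd >= 251 (for
# --tpm2-with-pin), LUKS2, GNU stat. /dev/nvme0n1p2 and the UUID are placeholders.
set -u

# With DRY_RUN=1, privileged commands are printed for review instead of run.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 1: TPM2-backed unlock. The recovery key is enrolled FIRST, so a dead
# board or a firmware update that changes PCR values can never lock the data
# away. PCR 7 measures Secure Boot state; the PIN stops a stolen, powered-off
# machine from booting straight into the data.
enroll_tpm2_with_backup() {
    dev=$1
    run systemd-cryptenroll --recovery-key "$dev" &&
    run systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes "$dev"
}

# crypttab line for option 1: no keyfile; the TPM2 token is picked up automatically.
crypttab_tpm2_entry() {
    printf '%s UUID=%s none tpm2-device=auto\n' "$1" "$2"
}

# Option 2: keyfile on the (already unlocked, encrypted) root filesystem for a
# secondary data volume. If root is unencrypted the key sits in the clear.
crypttab_keyfile_entry() {
    printf '%s UUID=%s %s luks,nofail\n' "$1" "$2" "$3"
}

# A keyfile must be readable by root only (0400 or 0600); group/world bits
# hand the volume key to every local user.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case $mode in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `cryptsetup luksDump` output on stdin and succeeds only if there is a
# TPM2 token AND a recovery token, i.e. auto-unlock has an offline fallback.
luks_dump_has_fallback() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q 'systemd-tpm2' &&
    printf '%s\n' "$dump" | grep -q 'systemd-recovery'
}

# Constructed, abridged Tokens sections (not from a real device) so the check
# can be tried offline.
SAMPLE_DUMP_OK='Tokens:
  0: systemd-tpm2
	tpm2-hash-pcrs:   7
	Keyslot:    1
  1: systemd-recovery
	Keyslot:    2'

SAMPLE_DUMP_NO_FALLBACK='Tokens:
  0: systemd-tpm2
	tpm2-hash-pcrs:   7
	Keyslot:    1'

# Usage: ./luks-autounlock.sh demo   (prints the plan, runs nothing privileged)
if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1 enroll_tpm2_with_backup /dev/nvme0n1p2
    crypttab_tpm2_entry cryptroot 11111111-2222-3333-4444-555555555555
    crypttab_keyfile_entry cryptdata 66666666-7777-8888-9999-000000000000 /etc/luks/data.key
    printf '%s' "$SAMPLE_DUMP_OK" | luks_dump_has_fallback && echo "fallback present"
fi
```

On a live system, run `cryptsetup luksDump /dev/nvme0n1p2 | luks_dump_has_fallback` after enrollment; if it fails, do not switch crypttab to `tpm2-device=auto` until a recovery key or passphrase slot exists, because the TPM path alone has exactly the single-point-of-failure the thread describes.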