I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

  • redtree3@beehaw.org
    link
    fedilink
    arrow-up
    13
    ·
    9 months ago

    I’m also a linux noob, but I thought having to unlock the encryption before getting to the actual account was part of the point. If the encryption is always already unlocked it’s easier to break in.

    • JediwanOP
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      9 months ago

      Then how come Windows and MacOS don’t require two different PWs?

        • JediwanOP
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          9 months ago

          Yeah I don’t need a silver bullet I’m not storing highly sensitive data, I just mistakenly assumed this would be easier.

          • umami_wasabi@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            9 months ago

            Great to hear. TPM is totally usable if your threat model can tolerate the risk. Sadly Linux is a bit lacking support for TPM in FDE. You can try the Nitrokey with GPG method without pin I wrote in the other thread if you hit the wall. Good luck!

            Here’s a guide if you want FDE with TPM: https://blastrock.github.io/fde-tpm-sb.html

            • Bitrot@lemmy.sdf.org
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              9 months ago

              Linux works fine with the TPM, systemd even includes it as a feature (although Ubuntu patches it out, Fedora does not). Takes two commands to enable it, although you can get very into the weeds like that guide does if you are concerned about real bad actors instead of common thieves.

                • Bitrot@lemmy.sdf.org
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  The decision had to do with not having unified kernel images or something, essentially the decision that it couldn’t be done securely enough so they didn’t allow it at all even if you understand the risks. I don’t agree with the philosophy.

                  The next LTS should have official support in the installer (experimental in 23.10), and with signed binaries that will increase security substantially. Unfortunately it depends on snap.

      • acockworkorange@mander.xyz
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        9 months ago

        You keep bringing that up. Those are different systems with different approaches to security. You can compare them to death and back and it won’t bring your system to where you want it.

        People have come to you with suggestions to achieve what you want and explained the consequences. Try that instead.