Encrypted root with single password prompt

I have a LUKS setup on my laptop. Grub runs the bootloader from GPT and then initrd asks me for the decryption password. Then Gnome loads and I need to log in.

I’d like to have a setup similar to Windows and macOS where the disk is encrypted and your password is used both to decrypt the disk and to log you in.

I wonder if that’s achievable? I know that the loginwindow code in OS X was loathed by their developers and they didn’t want to make any changes to it, so I assume that an early GUI with credentials capture is a somewhat hard problem.

I also wonder about how to implement the login, perhaps something akin to ssh-agent with a PAM plugin allowing a single login shortly after decryption?

I have a TPM module too, not sure if that would be useful here.

3 Likes

I enabled auto-logon in the display manager, because if someone can unlock my LUKS container there’s not much the session manager can do to prevent unauthorized access.

2 Likes

This blog post covers the current state of the art in Linux world, and why it isn’t really possible to do exactly what those OSes do: Authenticated Boot and Disk Encryption on Linux

It also features a proposal for how we can get there, and there were calls to implement it in NixOS when that post surfaced. You might want to track sign bootloader to make it compatible with UEFI secure boot? · Issue #42127 · NixOS/nixpkgs · GitHub.

@emmanuelrosa’s suggestion is the best interim, but don’t be tempted to not set a password/have no lock screen, since that makes your system susceptible to run-time attacks.

1 Like
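Putting the two previous replies together (auto-login after the LUKS prompt, but still keeping a password and a lock screen for run-time attacks), here is what that looks like as a NixOS module. This is an added example for this thread, not configuration posted by either author; the device path, user name and the `gnome3`-era option names are assumptions and the password hash is a placeholder you must replace.

```nix
{ config, pkgs, ... }:

{
  # The LUKS container is unlocked by initrd; this is the single prompt
  # you get at boot. The UUID is a placeholder (assumption), use your own.
  boot.initrd.luks.devices."cryptroot".device =
    "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";

  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome3.enable = true;

  # Skip the second password prompt: whoever unlocked the disk owns the
  # session anyway (emmanuelrosa's point). "alice" is an assumed user name.
  services.xserver.displayManager.autoLogin = {
    enable = true;
    user = "alice";
  };

  # Do NOT drop the account password: the lock screen and sudo still need
  # it to defend a running, unattended machine. Placeholder hash, replace
  # with the output of `mkpasswd -m sha-512`.
  users.users.alice = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    hashedPassword = "$6$REPLACE_ME";
  };

  # Force the GNOME screensaver to lock, so auto-login never turns into
  # "no authentication at all" once the session is up.
  services.xserver.desktopManager.gnome3.extraGSettingsOverrides = ''
    [org.gnome.desktop.screensaver]
    lock-enabled=true
    lock-delay=uint32 0
    [org.gnome.desktop.session]
    idle-delay=uint32 300
  '';
}
```

The trade-off this encodes is exactly the one discussed above: the LUKS passphrase is the boot-time secret, the account password is the run-time secret, and the weak variant is leaving `hashedPassword` unset or `lock-enabled=false`, not the auto-login itself.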

One way of achieving that is to have the disk unencrypted (or encrypted with keys in TPM) and then encrypt the actually sensitive data (your home directory) with a separate key (your user login).

TPM decryption isn’t a thing in NixOS yet AFAICT and kinda requires a verified boot to be truly effective (only really protects against a stolen disk without; a stolen machine would still expose system data).

Home directory encryption with user login is a thing systemd-homed implements but it’s also not implemented in NixOS yet: systemd-homed support · Issue #91243 · NixOS/nixpkgs · GitHub

3 Likes