I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

  • Confused_Emus@lemmy.world
    link
    fedilink
    arrow-up
    18
    ·
    8 months ago

    But if you have it set to unlock automatically…? It’s not like the drive is going to know it’s you booting it vs someone else if you’re not having to enter the password.

    Windows and Mac can indeed encrypt drives without two passwords - as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.

    • Markaos@lemmy.one
      link
      fedilink
      arrow-up
      14
      ·
      8 months ago

      The idea is to use TPM to store the keys - if you boot into a modified OS, TPM won’t give you the same key so automatic unlock will fail. And protection against somebody just booting the original system and copying data off it is provided by the system login screen.

      Voilà, automatic drive decryption with fingerprint unlock to log into the OS. That’s what Windows does anyway.

      • Confused_Emus@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        8 months ago

        Although OPs scenario is if someone steals the tower, in which case it’s not a different TPM. Would only help if the drives were yanked, which honestly I’d probably do rather than try to take the whole tower.

        • Markaos@lemmy.one
          link
          fedilink
          arrow-up
          8
          ·
          8 months ago

          If you boot the computer into the currently installed OS, you will be presented with a login screen and will have to enter the correct password to log in (kernel parameters are part of the checksums, so booting into single-user mode won’t help you, that counts as a modified OS). If you boot a different OS, you won’t get the key off the TPM.

      • Confused_Emus@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        8 months ago

        I see. I don’t know that the usual drive encryption you set up during Linux install works with that, but there are BitLocker-like programs for Linux that might.

      • Jediwan@lemy.lolOP
        link
        fedilink
        arrow-up
        3
        ·
        8 months ago

        I don’t suppose you know of a tutorial to get this set up? Google turned up nothing.

    • Jediwan@lemy.lolOP
      link
      fedilink
      arrow-up
      2
      ·
      8 months ago

      as long as you don’t set a drive encryption password to be entered at BIOS load before the OS loads, which is what you’ve done.

      MacOS does ask for a different password during setup, which you never have to use again unless you want to access the drive on a different PC.