I'm running Linux Mint on my personal machine, and I'm eager to learn more about Linux administration. I have a fresh setup with LVM and LUKS, but my main challenge is that I have to manually decrypt the drive every time the system boots. I've done some online searching and even chatted with AI about this, but I didn't find any solid solutions. Some of the suggestions I found included:
- Storing the keyfile on a non-encrypted part of the drive, but that seems to undermine the security.
- Using a USB drive to store the keyfile, which also feels risky in terms of losing the benefits of encryption.
- Utilizing TPM for the keyfile, but I had issues with that (probably user error).
Ultimately, I want a setup similar to Bitlocker where the encryption key isn't accessible without some authentication, and no extra hardware is needed. Any advice?
5 Answers
I actually use clevis and tang for my setup. It allows me to skip the manual entry at home, but I need to type it in if I'm out and about. It's a nice balance! Just keep in mind this might not be ideal for laptops or mobile devices that aren't always connected to a network.
I was interested in that option, but reading through the details got super complicated for me!
I've come across a useful post about implementing TPM for disk decryption; it might not be Mint-specific, but it's worth a look! [Link to resource]
That looks like something I can work with! Appreciate the link!
Honestly, using TPM with Linux can be tricky. My go-to is just putting the keyfile on a USB drive and keeping it handy. Kind of like a budget YubiKey. If you're really struggling, typing in your password every boot might be the simplest option.
I appreciate knowing I'm not the only one! It's good to hear I'm not missing some crucial step.
For the best security, I would recommend going with TPM and secure boot, which is comparable to Bitlocker. Alternatively, using a YubiKey could also work well as a second option.
I see your point, but if you can auto-decrypt the disk at boot, it does undermine the encryption benefit, right? Just saying it sounds like counterproductive security.
Yeah, that's the core issue. I understand the convenience, but it doesn't really align with encryption principles.
But Bitlocker manages something similar—this is the kind of experience I'm trying to replicate.

Yeah, I would agree with that—network-bound disk encryption has its limits if you're using a mobile device. The other methods you mentioned seem safer for portable setups.
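The two unattended-unlock approaches in this thread (Clevis with a Tang server on the home network, and binding to the TPM plus Secure Boot state) can be combined into a single Clevis "sss" (Shamir secret sharing) policy, so the disk only unlocks on its own when the machine is both on the home network and booting with an unchanged Secure Boot configuration; anywhere else the normal LUKS passphrase prompt is the fallback. The script below is an added example written for this page, not code from any of the posters; the Tang URL `http://tang.home.lan`, the device path `/dev/nvme0n1p3` and the choice of PCR 7 (which records the Secure Boot policy and keys) are placeholder assumptions, and the actual `clevis luks bind` is only run when `DO_BIND=1` is set, since it needs root, a reachable Tang server and a working TPM2.

```shell
#!/bin/sh
# Added example (not from the thread): build a Clevis "sss" pin policy that
# unlocks a LUKS volume automatically only when BOTH a Tang server on the
# home network answers AND TPM2 PCR 7 (Secure Boot state) matches.
# Away from home (no Tang) or after a Secure Boot / bootloader change
# (PCR 7 differs) the threshold is not met and the passphrase prompt is used.
# Hostnames, device paths and the PCR choice are placeholders.

# Emit the JSON policy for 'clevis luks bind ... sss'.
# $1 = threshold, $2 = Tang URL, $3 = comma-separated PCR list
clevis_sss_config() {
    printf '{"t":%s,"pins":{"tang":[{"url":"%s"}],"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"}}}' \
        "$1" "$2" "$3"
}

# Check that a threshold is satisfiable for the given number of pins.
# $1 = threshold, $2 = number of pins in the policy. Returns 0 if valid.
sss_threshold_ok() {
    t=$1; npins=$2
    [ "$t" -ge 1 ] && [ "$t" -le "$npins" ]
}

# Build the full bind command line for a LUKS device.
# $1 = LUKS device, $2 = policy JSON
bind_command() {
    dev=$1; cfg=$2
    printf "clevis luks bind -d %s sss '%s'" "$dev" "$cfg"
}

main() {
    dev=${1:-/dev/nvme0n1p3}                # placeholder LUKS partition
    tang=${TANG_URL:-http://tang.home.lan}  # placeholder home Tang server
    # Threshold 2 of the 2 pins: Tang AND TPM2 must both succeed.
    cfg=$(clevis_sss_config 2 "$tang" 7)
    sss_threshold_ok 2 2 || { echo "bad threshold" >&2; return 1; }
    echo "Policy: $cfg"
    echo "Run:    $(bind_command "$dev" "$cfg")"
    # The bind is only executed on request: it needs root, clevis, tpm2-tools,
    # a reachable Tang server, and it adds a new LUKS keyslot. The existing
    # passphrase keyslot stays in place as the fallback.
    if [ "${DO_BIND:-0}" = 1 ]; then
        clevis luks bind -d "$dev" sss "$cfg"
        # Rebuild the initramfs so the clevis unlock hook runs at boot
        # (initramfs-tools on Mint/Ubuntu; needs the clevis-initramfs package).
        update-initramfs -u
    fi
}

main "$@"
```

Keep the passphrase keyslot: a firmware or shim update that changes PCR 7, or an outage of the Tang server, simply drops you back to typing the passphrase rather than locking you out, and after such a change you re-run the bind to refresh the TPM policy. Binding to PCR 7 ties the key to the Secure Boot policy, not to the exact kernel or initramfs, so it is the BitLocker-like "no auto-unlock if Secure Boot was tampered with" property rather than a full measured-boot chain.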