I'm learning Linux administration on my personal Linux Mint machine, which has a fresh install with LVM and LUKS. The problem I'm facing is that I have to manually decrypt my drive every time I boot up. I did some research but didn't find a straightforward solution. Suggestions I've encountered include storing the keyfile on an unencrypted part of the drive or on a USB, but both of these options seem to undermine the security benefits of encryption. I've also tried using TPM for the keyfile, but it didn't work for me (probably due to a user error). Ideally, I would like the setup to function similarly to Bitlocker, where the key remains hidden without requiring additional hardware. Any advice?
5 Answers
I personally use Clevis and Tang, which allows me to bypass entering my passphrase when I'm at home. But when I’m out and about, I have to enter it every single time. It's a nice balance, although I wouldn't recommend it for laptops that aren't always connected to a network. For those, the other options might work better.
TPM worked out fine for me, but you should note that certain third-party at-boot kernel modules won’t work. I did this setup on my laptop running Ubuntu. Also, typing a lengthy password takes just a few seconds, but I totally get the hassle if your machine reboots and you're not there.
TPM with Linux can be challenging. My go-to solution is to keep the key file on a USB drive—it's like a poor man's Yubikey. Alternatively, you could just use an actual Yubikey. For me, I prefer typing my password every time, though.
Decrypting your disk at boot without entering a passphrase does undermine the need for encryption in the first place. It kind of defeats its purpose.
Using a combination of TPM and secure boot could mirror the Bitlocker experience. Another option is to use a Yubikey. Have you checked out resources on setting up TPM? There's a post here that might help you out.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures