I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.

Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.

Also might TPM have anything to do with this?

EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.

  • GolfNovemberUniform@lemmy.ml
    link
    fedilink
    arrow-up
    19
    ·
    edit-2
    9 months ago

    Afaik you can’t. Disk encryption requires entering the password every time and it asks for it BEFORE the OS is started so you can’t use biometric login either

    • Jediwan@lemy.lolOP
      link
      fedilink
      arrow-up
      9
      ·
      edit-2
      9 months ago

      That’s not technically true as enabling bitlocker on windows and filevault on Mac don’t require two different passwords.

      • visc@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        ·
        9 months ago

        Mac will ask you to “log in” very early in the boot process to decrypt the disk, I assume it keeps the drive key encrypted with your password somewhere.

        • Jediwan@lemy.lolOP
          link
          fedilink
          arrow-up
          5
          ·
          9 months ago

          That’s just not true I have two macs with it enabled on both and it requires a single “normal” password

          • GlitzyArmrest@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            9 months ago

            That’s likely because your Macs are using the TPM. Does your Linux machine have a TPM, and are you using it?

            • Jediwan@lemy.lolOP
              link
              fedilink
              arrow-up
              4
              ·
              edit-2
              9 months ago

              I don’t think so, they are both intel macs over 10 years old and Macs didn’t start adding TPM until 2017. On Mac, when you check the box to encrypt the drive during install you’re prompted for an encryption password which you never need to use again unless you remove the drive and put it into another mac (or in my case add a second hard drive and use the original as “extra” storage).

          • visc@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            Yes normal password but it happens super early on mine, and once you log in there is a boot progress bar afterwards. This is an Intel Mac, might be different on apple chips.

      • GolfNovemberUniform@lemmy.ml
        link
        fedilink
        arrow-up
        6
        ·
        9 months ago

        Sorry idk much about Windows and Mac. But what you said sounds like their encryption systems aren’t full disk encryption, they somehow found a way to store the password for login or they just disable the login password completely when the encryption is enabled

      • Lodra@programming.dev
        link
        fedilink
        English
        arrow-up
        3
        ·
        9 months ago

        I recently dug into this because I accidentally trashed my wife’s OS which was encrypted with bitlocker. PITA btw and I couldn’t beat the encryption

        Bitlocker encryption key hash is stored in 2 possible places. First is an unencrypted segment of the encrypted drive. This is bad because it’s pretty easy to read that hash and then decrypt the drive. The second place is on a Trusted Platform Module (TPM) which is a chip on the motherboard. This is better because it’s much more difficult to hack. It can be done but requires soldering on extra hardware to sniff the hash while the machine boots up. Might even be destructive… I’m not sure.

        Either way a motivated attacker can decrypt the drive if they have physical access. For my personal machines, I wouldn’t care about this level of scrutiny at all.

        Anyways you can see if any open source solutions support TPM.