I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.
Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.
Also might TPM have anything to do with this?
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
On other operating systems, biometrics allow you to unlock the disk (through the TPM) and immediately authenticate you on boot. I don’t think an encrypted home directory will help OP.
I’m not aware of any Linux implementation of this system. I should also say that this is terribly broken on Windows, with any attacker being able to add their own fingerprints into the key store using an alternative boot drive, because every version of the spec is implemented horribly insecurely.
Fprintd is the only biometrics I know and hardware support is very limited. There are no easily accessible usb fingerprint readers either, which would allow easy testing and recommending.
I think if we could reverse engineer some kensington / etc. fprint sensor that would be huge.
Even the basic Synaptics sensor present in many laptops has its own “secure” protocol that Windows uses, and those laptops tend to be very popular with Linux developers. From what I can tell, fingerprint support is actually quite good in comparison to many other forms of niche hardware.
However, the super-modular everything-in-usespace Linux approach doesn’t really lend itself to the kind of security mechanisms Windows and macOS try to accomplish. Microsoft has SDCP, but that doesn’t protect them completely, in part because these devices allow insecure configuration methods to support Linux, in part because their firmware and security design is just not very good.
Someone writing a good SDCP driver for Linux would be a good start for getting Windows-like trust in biometrics so fingerprint hardware could refuse insecure configurations, but I don’t know if that’s something being worked on. As it stands, the Linux implementation is part of the reason why the Windows implementation can be bypassed with a screwdriver and a RPi…