I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen.
Is there a way to do this automatically like with Windows or MacOS? Zorin has biometric login which is nice but this defeats the purpose especially because the encryption password is long and tedious to type in.
Also might TPM have anything to do with this?
EDIT: Based on the responses I have to assume some of you guys live in windowless underground bunkers sealed off with concrete because door locks “aren’t secure against battering rams”. Normal people don’t need perfect encryption they just want to add an extra hurdle or two for the crackhead who steals the PC. I assumed Linux had a system similar to what Windows or MacOS has been doing for a decade but I am apparently wrong.
But I’m confused, the decryption of the home directory needs the owners secret to be entered at some point? I don’t see how this solves Op’s problem (which I also don’t understand, you want encryption, you need to decrypt stuff at some point)
Yes, the question is when and how.
You can enter it in the bootloader as a prerequisite to boot anything. You can also enter it at the display manager / login screen, which is a little further down the boot process.
My desktop for example can boot up to the login screen and perform its NAS and routing duties all on its own. But my user and all of my user’s data is still locked at that point: the computer is usable by guests and everything but even if you manage to throw a root exploit at it, my data is completely safe. Only when I log in, either locally or remotely, my password will go through PAM which will run a script that uses my password to unlock my home directory and mount it as I’m logging in.
What changes is what is covered by the encryption, and when the key is required. My root is auto unlocked via TPM, my home is unlocked on demand as I log in to my user account.
OP’s problem is they have full disk encryption so they need the password to boot up Linux at all, but they also get a second password prompt to log in when it reaches the display manager, even if it’s the same password. The solution is either they configure it to auto login since you need a password for the whole OS anyway, or they automate the unlocking of the root partition and use their login password to further decrypt the home directory (or rely entirely on the system being secure that the user isn’t encrypted further and it’s just a password prompt, which is what I think Windows does).
I see, thanks for the explanation. After asking you I kept on reading the comments and understood how tpm helps with the auto decryption.
I still think full disk encryption with auto login is more than enough, at least that’s what I have, and as you can tell anyone can set that up easily.