linux4noobs

4162 readers

4 users here now

linux4noobs

Noob Friendly, Expert Enabling

Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.

Seeking Support?

Mention your Linux distro and relevant system details.
Describe what you've tried so far.
Share your solution even if you found it yourself.
Do not delete your post. This allows other people to see possible solutions if they have a similar problem.
Properly format any scripts, code, logs, or error messages.
Be mindful to omit any sensitive information such as usernames, passwords, IP addresses, etc.

Community Rules

Keep discussions respectful and amiable. This community is a space where individuals may freely inquire, exchange thoughts, express viewpoints, and extend help without encountering belittlement. We were all a noob at one point. Differing opinions and ideas is a normal part of discourse, but it must remain civil. Offenders will be warned and/or removed.
Posts must be Linux oriented
Spam or affiliate links will not be tolerated.

founded 2 years ago

MODERATORS

PlutoParty@programming.dev

Is LUKS encryption with DE autologin safe? (piefed.social)

submitted 6 days ago by steel_for_humans@piefed.social to c/linux4noobs@programming.dev

10 comments fedilink hide all child comments

I'm on a desktop PC that's in my home office. I have personal documents and clients' intellectual property on it (source code, databases, documents, etc.). Hence, I like to use full disk encryption on all disks. Nobody else uses this PC besides me and it's safe at home. The only threat vector is if somebody gained access to my room and stole the computer. It's very remote, but still technically possible (if you think I'm exaggerating, I'd like to learn your opinion). Maaaaybe if I was sending the nvme for RMA, that's also a threat, but I have never had an SSD break on me. Never. I know it's anecdotal and sometimes they break, but I had multiple and I think it's such a small chance...

LUKS is a bit of a pain with having to type the passphrase on each boot. So I had it on auto-unlock via TPM, which works great when it works, but a) is also a pain when it breaks (usually due to system upgrade that changes something and I forgot to re-enroll the keys or re-generate the PCRs), b) according to Arch wiki it's unsafe, if anybody has physical access to my PC -- so essentially the only threat vector I was trying to protect myself against is not protected against.

But I was thinking -- I am OK with typing one password on boot. I just don't want to type two different passwords one after the other. What if I set autologin in my Desktop Environment (GNOME or KDE), but left LUKS locked down with a passphrase? Wouldn't that be safe? It's a single user system, nobody will use it. If it gets stolen, it's been shutdown and then they can't gain access because of LUKS.

Am I thinking correctly?

top 10 comments

sorted by: hot top controversial new old

[–] Dumhuvud@programming.dev 10 points 6 days ago (2 children)

Yeah, it is safe.

But last I checked, enabling autologin means your GNOME Keyring / KDE Wallet won't unlock automatically. Something to keep in mind.

[–] lost_faith@lemmy.ca 5 points 6 days ago (1 children)

Is that why my gf keeps getting that wallet thing on every reboot and I don't? She only wanted to put a password for updates (well not really but she has no choice) there is nothing on her pc but games, no personal info

[–] Dumhuvud@programming.dev 3 points 6 days ago

Yeah, that's most likely the reason.

[–] steel_for_humans@piefed.social 4 points 6 days ago (1 children)

That's a bummer. I still don't know what it's useful for, except for not having to type SSH passphrases. I think it doubles as a password manager? I don't need that, I use Bitwarden.

[–] Dumhuvud@programming.dev 4 points 6 days ago (1 children)

I think KDE stores Wi-Fi passwords in the wallet. Plus various third-party software may store its secrets in there.

[–] steel_for_humans@piefed.social 2 points 6 days ago (1 children)

Ok. That seems important then. Having to type the WiFi password would be even more annoying. :) The other part seems important, too.

Now it makes me wonder how non technical people who have auto login enabled deal with it. I mean, I'd expect it to work like on Windows.

[–] onlinepersona@programming.dev 1 points 9 hours ago

Windows is hella insecure

[–] clay_pidgin@sh.itjust.works 4 points 6 days ago

I don't know anything about anything, but as far as I know anyone with physical access to an unencrypted Linux computer can get in easily. I agree with you that auto login should be fine for your threat model.

[–] gnufuu@infosec.pub 3 points 6 days ago

What if I set autologin in my Desktop Environment (GNOME or KDE), but left LUKS locked down with a passphrase? Wouldn’t that be safe?

Probably safe enough

[–] swab148@lemmy.dbzer0.com 2 points 6 days ago

This is precisely what I do.