My favorite is KDE asking for user password upon waking from sleep even if you have autologin enabled.
So, all you have to do to circumvent the login window is to reboot.
Depends on your threat model. If you are defending against people stealing your hard drive and reading your data, then this is perfectly fine.
On a single user system which either hibernates or shuts fully down you might as well long in automatically after you type in your 16 character encryption pass phrase. A login screen does not in any way provide additional security. Note this doesn’t actually prevent you from locking the screen and unlocking still requires your password.
But I think ‘encrypt home directory’ only encrypts your home partition, not your root partition. Not sure why many distros offer only this option in the graphical installer
I join that my setup. Hibernate after 15min and disk encryption and autologin on boot, but password is asked when going out of sleep for the 15 first minutes.
I know this is a meme, but security is not binary. It is not you either have 100% or 0%, it is always a sliding scale, and usually on the opposite side is convenience.
Encrypting your drive protects against someone stealing your computer or breaning into youe house while the computer is off/locked.
People like to trash people that write down their passwords on a post-it note and keep next to their computer. It is not ideal, but having a somewhat complex password written down protects a lot more against attacks over the internet than having “password”. However, if others have physical access to the note then it is obviously very bad. Like for example in an office.
i work in IT at an office and i kid you not. some people really stick a post it with their full login to their screen. (not even their screen as they sit at different places every day)
I don’t like how writing down passwords on notes has been heavily criminalized. Obviously it’s a security risk, but so is having a simple password that isn’t written down anywhere. In fact, the latter is often more dangerous, depending on the specific environment. Just make sure the note isn’t easily accessible and you’re good.
Yup. The risk of someone breaking into your house and stealing your post-it note is vastly different from someone guessing your password, and the risk changes again when it’s a post-it note on your work computer monitor.
One of the best things you can do with your critical passwords is put them on a piece of paper with no other identifying information and then put that piece of paper in your wallet. Adults in modern society are usually quite good at keeping track of and securing little sheets of paper.
I’m paranoid, so I put mine on an encrypted NFC card that I printed to look like an expired gift card to a store that went out of business. It’s got what I need to bootstrap the recovery process if I loose all my MFA tokens (I keep another copy in a small waterproof box with things like my car title. It’s labeled “important documents: do not lose” and kept unlocked so any would be thief feels inclined to open it and see it’s worthless to them rather than taking the box to figure that out somewhere else. The home copy is important because there’s vaguely plausible scenarios where I lose both my phone and wallet at the same time. )
Stealing my laptop and getting my stuff is a significantly larger risk than me leaving my computer on and unattended without locking the screen.
Passkeys are a good trend because they’re just about the only security enhancement in recent memory that increases security and usability at the same time.
Encrypt whole hard drive?
Yes.Log in automatically?
Yes.With luks?
TPM or put a keyfile on the boot partition or into the initrd.
That would be the easiest solution, since it’s offered during install with many distros.
This is what I do. As far as I’m concerned, there’s my password and then there’s the one that’s a last “are you sure?” step before I sudo fuck shit up.
this is the way
(blank kwallet password + autologin)
I used to run as root until they made it pretty much impossible.
Yep. I have an overkill password for the drive on boot and a secure but easier to type one as my user password to unlock from sleep or sudo.
I wish I could set it to auto-login to a Lock Screen so all my preferred stuff starts up and is ready when I get there, but my computer is still locked against anyone trying to steal it and get easy access to it
You can literally do this. Just have a unit that locks the screen.
By “unit”, you probably mean a SystemD unit, right?
You can probably make your DE login in automatically, load the stuff, then log out
Is there any OS that allows this config?
At least with Linux, if I encrypt my hard drive, I have to enter my encryption password on every login, for some even during boot.
Not sure about Windows. I wpuldn’t be surprised if you can have bitdefender on with auto login.
By default, you never have to enter your BitLocker passphrase, since there’s usually no passphrase in the first place. The default configuration unlocks the drive automatically as long as it’s on the same network it was set up with. Otherwise you need the recovery key. You can also manually enable an unlock method, though on modern PCs there’s usually only PIN available.
On Linux, in theory you can have the exact same setup and nothing’s stopping you. However, depending on the distro it may or may not be easily configured. You can fairly easily set up automatic drive unlock with TPM, which essentially gives you a similar experience to the default BitLocker.
At least with Linux, if I encrypt my hard drive, I have to enter my encryption password on every login, for some even during boot.
Look up TPM.
Mine autodecrypts with a hardcoded password in a text file. I don’t really care about encryption right now, but the minute I do, it’s one file delete away.
There is a way, but no point in doing so. As such no OSes offer such an option out of the box. For file encryption to be of any use, you need there to be some kind of authentication before being able to access those files (like a password).
The easiest method would be to encrypt the entire drive, as modern Linux and Windows both support using the TPM for automatic unlocking. With that, set up standard user autologin and you’ve made the drive encryption useless.
What TPM does for automatic unlock when combined with secure boot is to record certain steps of the OS boot and check various file hashes, if they’re unchanged then it releases the decryption key. This doesn’t authenticate the user but it verifies disk integrity (making sure your OS boots normally without injected malware), so your login prompt security can’t easily be bypassed*
* this does not prevent hardware based attacks like malicious RAM sticks or DMA attacks if the firmware isn’t patched
Then you could also set up separate home folder encryption and tie unlock to entering your password at login, or for various types of automated logins you could use the TPM again, like through checking for presence of some device you carry (like a smartwatch, etc), or even use a physical security key with one touch login (preventing remote attacks)
You can have FDE binded to the TMP and then inside that encrypted volume an encrypted home.
By doing that you only need to input your login password and get better security than the meme setup and other suggestions.
You would need, iirc (I am typing this from memory):
- A TPM.
systemd-cryptenroll- Some PAM config for fscrypt or similar.
I know the steps but for NixOS only lmao.
From memory yes but the contents of your home directory are inaccessible until you enter your password via a popup. For whole drive encryption probably not.
I had configured this manually (incorrectly) in Arch a while back to have my home dir be on a separate encrypted drive.
Turns out the main drive didn’t get the memo and still had a home folder which worked fine, I thought it was working so I promptly forgot about it. Meanwhile the encrypted drive (which had only ever been unlocked that day and never again) had maybe 10 files on it that I didn’t even know it had until I swapped the drive into a different PC.
The password for the hard drive encryption and the system login are two separate things, so, yes, this combination is easily possible. You’ll have to input a password for system bootup, but not for logging in.
How advisable that combination is is another question entirely.
You’ll have to input a password for system bootup
Encrypted home dir, not the entire drive
Can do full disk encryption of root and auto-unlock with tpm, the auto-login is a separate thing and not necessarily the same password
You could configure the TPM to effectively store the LUKS key. User login is skippable. So yes, should be possible.
In Linux, Unlock the partition with secret key (easy) and skip login (easy). Overall: easy.
Yes, pretty much any Linux distro can be configured to encrypt just the home directory. Whole drive encryption is more common because it’s more secure, obviously.
I mean login automatically on boot but with encrypted drive is ok if you’re the only user. If someone got your encryption password, they can get your data. The user password doesn’t protect a shit
Now of course you want to still have auth when locking the pc
Just do full disk encryption + autologin. Done
I don’t log in automatically, but I do let my session login hold my password manager vault open.
Heh, I have done just this for a friend of the family on Linux mint Debian edition.
It works out alright but I always feel weird setting it up.I had made a little mistake after attempting to try out the experimental Cinnamon Wayland desktop on said machine & failed.
… Then boot looped … Because autologin was setup.
Tiny bit embarrassing. Oops. Better keep backup minimal CLI Linux installs to repair/restore on seperate partition but seperate drives are best.
Me logging in automatically but having my lockscreen autostart when my window manager starts (i just do it because it makes the login transition smoother compared to a display manager, and i’m the only person who uses my pc anyway).
