By default, you never have to enter your BitLocker passphrase, since there’s usually no passphrase in the first place. The default configuration unlocks the drive automatically as long as it’s on the same network it was set up with. Otherwise you need the recovery key. You can also manually enable an unlock method, though on modern PCs there’s usually only PIN available.
On Linux, in theory you can have the exact same setup and nothing’s stopping you. However, depending on the distro it may or may not be easily configured. You can fairly easily set up automatic drive unlock with TPM, which essentially gives you a similar experience to the default BitLocker.
Mine autodecrypts with a hardcoded password in a text file. I don’t really care about encryption right now, but the minute I do, it’s one file delete away.
From memory yes but the contents of your home directory are inaccessible until you enter your password via a popup. For whole drive encryption probably not.
I had configured this manually (incorrectly) in Arch a while back to have my home dir be on a separate encrypted drive.
Turns out the main drive didn’t get the memo and still had a home folder which worked fine, I thought it was working so I promptly forgot about it.
Meanwhile the encrypted drive (which had only ever been unlocked that day and never again) had maybe 10 files on it that I didn’t even know it had until I swapped the drive into a different PC.
There is a way, but no point in doing so. As such no OSes offer such an option out of the box. For file encryption to be of any use, you need there to be some kind of authentication before being able to access those files (like a password).
The easiest method would be to encrypt the entire drive, as modern Linux and Windows both support using the TPM for automatic unlocking. With that, set up standard user autologin and you’ve made the drive encryption useless.
What TPM does for automatic unlock when combined with secure boot is to record certain steps of the OS boot and check various file hashes, if they’re unchanged then it releases the decryption key. This doesn’t authenticate the user but it verifies disk integrity (making sure your OS boots normally without injected malware), so your login prompt security can’t easily be bypassed*
* this does not prevent hardware based attacks like malicious RAM sticks or DMA attacks if the firmware isn’t patched
Then you could also set up separate home folder encryption and tie unlock to entering your password at login, or for various types of automated logins you could use the TPM again, like through checking for presence of some device you carry (like a smartwatch, etc), or even use a physical security key with one touch login (preventing remote attacks)
The password for the hard drive encryption and the system login are two separate things, so, yes, this combination is easily possible. You’ll have to input a password for system bootup, but not for logging in.
How advisable that combination is is another question entirely.
Yes, pretty much any Linux distro can be configured to encrypt just the home directory. Whole drive encryption is more common because it’s more secure, obviously.
Is there any OS that allows this config?
At least with Linux, if I encrypt my hard drive, I have to enter my encryption password on every login, for some even during boot.
Not sure about Windows. I wpuldn’t be surprised if you can have bitdefender on with auto login.
By default, you never have to enter your BitLocker passphrase, since there’s usually no passphrase in the first place. The default configuration unlocks the drive automatically as long as it’s on the same network it was set up with. Otherwise you need the recovery key. You can also manually enable an unlock method, though on modern PCs there’s usually only PIN available.
On Linux, in theory you can have the exact same setup and nothing’s stopping you. However, depending on the distro it may or may not be easily configured. You can fairly easily set up automatic drive unlock with TPM, which essentially gives you a similar experience to the default BitLocker.
Look up TPM.
Mine autodecrypts with a hardcoded password in a text file. I don’t really care about encryption right now, but the minute I do, it’s one file delete away.
From memory yes but the contents of your home directory are inaccessible until you enter your password via a popup. For whole drive encryption probably not.
I had configured this manually (incorrectly) in Arch a while back to have my home dir be on a separate encrypted drive.
Turns out the main drive didn’t get the memo and still had a home folder which worked fine, I thought it was working so I promptly forgot about it. Meanwhile the encrypted drive (which had only ever been unlocked that day and never again) had maybe 10 files on it that I didn’t even know it had until I swapped the drive into a different PC.
You can have FDE binded to the TMP and then inside that encrypted volume an encrypted home.
By doing that you only need to input your login password and get better security than the meme setup and other suggestions.
You would need, iirc (I am typing this from memory):
systemd-cryptenrollI know the steps but for NixOS only lmao.
There is a way, but no point in doing so. As such no OSes offer such an option out of the box. For file encryption to be of any use, you need there to be some kind of authentication before being able to access those files (like a password).
The easiest method would be to encrypt the entire drive, as modern Linux and Windows both support using the TPM for automatic unlocking. With that, set up standard user autologin and you’ve made the drive encryption useless.
What TPM does for automatic unlock when combined with secure boot is to record certain steps of the OS boot and check various file hashes, if they’re unchanged then it releases the decryption key. This doesn’t authenticate the user but it verifies disk integrity (making sure your OS boots normally without injected malware), so your login prompt security can’t easily be bypassed*
* this does not prevent hardware based attacks like malicious RAM sticks or DMA attacks if the firmware isn’t patched
Then you could also set up separate home folder encryption and tie unlock to entering your password at login, or for various types of automated logins you could use the TPM again, like through checking for presence of some device you carry (like a smartwatch, etc), or even use a physical security key with one touch login (preventing remote attacks)
The password for the hard drive encryption and the system login are two separate things, so, yes, this combination is easily possible. You’ll have to input a password for system bootup, but not for logging in.
How advisable that combination is is another question entirely.
Encrypted home dir, not the entire drive
Can do full disk encryption of root and auto-unlock with tpm, the auto-login is a separate thing and not necessarily the same password
You could configure the TPM to effectively store the LUKS key. User login is skippable. So yes, should be possible.
In Linux, Unlock the partition with secret key (easy) and skip login (easy). Overall: easy.
Yes, pretty much any Linux distro can be configured to encrypt just the home directory. Whole drive encryption is more common because it’s more secure, obviously.