I have setup my fedora to use LUKS encryoted partitions. But entering two passwords gets quite tiring, as I shutdown my laptop quite often to get the benefit of LUKS (I am assuming nothing is encrypted when in suspend, please correctme if I am wrong)
I am thinking about setting up TPM autodecrypt. However, I was wondering does the decryption happen on boot or after I login?
If it happens on boot, then it seems like the benefit is pretty limited compare to a unencrypted drive. Since the attacker can simply boot my laptop and get the unecrypted drive.
Am I missing something here? I was wondering is there a way for me to enter my password once and unlock everything, from disk to gnome keyring?
I have MX Linux setup with LUKS/btrfs and it was asking password on boot, so I put my key in TPM and modified /etc/crypttab to retrieve it, at least I don’t have to enter it at any boot, but yeah it decrypts automatically, like Windows Bitlocker in fact, it still asks my user password login (my choice, no auto login here), but at boot you can break grub and have a root shell it you know how.
Other way is to put the luks key on a USB drive, when you leave home with your computer shutdown, take the USB key with you and that’s it.
The point of using the TPM is that it does not unlock the drive unless it has a certain set of software is loaded in a certain sequence on the machine with that specific TPM chip.
So if somebody breaks grub and makes it load a shell, then that results in different software loaded (or at least loaded in a different sequence) and will prevent the TPM to unlock the system. The same is true if somebody boots from a rescue disk (different software loaded) or when you try to unlock the disk in an unexpected phase of the boot process (same software but different sequence of things loaded, e.g. after boot up to send the key to some server on thr network. The key is locked to one TPM, so removing the drive and booting it in a different machine also does not work.
The TPM-locked disk is pretty secure, even more so than that USB idea of yours – if the system you boot into is secure. It basically stops any attacker from bringing extra tools to help them in their attack. All they have available is what your system has installed. Do not use auto-login or run some root shell in some console somewhere…