Hi all, that’s an annoying problem.
I recently bought an HP laptop that came with Windows 11. As there are still a few things I do on Windows, I decided to install Fedora 4 on an external USB4 SSD drive (Thunderbolt as well).
Everything went fine, but cryptsetup does not remember the passphrase, so I have to give it each time I boot Fedora. I don't know if this behavior depends on where I installed Fedora, but how can I bypass it? Is there any configuration file that I can edit to write the passphrase in?
Thank you in advance to anyone who will answer me.
If that's disk encryption, then this is expected behavior: it is required to enter the passphrase to unlock storage before the system can fully boot. That's how "protection at rest" works; nobody can read encrypted data in a meaningful way until it is unlocked.
You can make Fedora automatically log you in to GNOME/KDE (though it is not recommended), but you cannot "auto-unlock" your storage, as that would defeat the purpose of storage encryption itself.
This adds convenience but reduces security (if the device is booted, storage is unlocked). I'd rather use this method:
- Encrypt storage using LUKS2 and keep a good passphrase as a backup
- Enroll a FIDO2 key (e.g., YubiKey) with PIN and presence detection settings to unlock storage from a different LUKS slot
This will add convenience (less than TPM, but still, a 6-digit PIN should not be hard to remember) and an adequate level of security because of 2FA (having the physical key and knowing the PIN code). In situations when the FIDO2 key is unavailable (e.g., left at home), the user can still use the passphrase to unlock storage.
Not a lot of people have, can afford, or have access to a YubiKey, and you can use this method while still setting a PIN, so you don't have to type your LUKS password every time.
I agree. But without knowing the exact threat vectors for @andreas574, we are simply guessing what could be best. Sure, TPM with PIN is better than TPM without it. I just guess that users are at the mercy of the laptop/netbook/PC vendor, which might provide TPM without PIN. Or is that a mandatory part of the TPM implementation?
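The two replies above describe the same pattern: keep the LUKS2 passphrase slot as a fallback and add a FIDO2 token (PIN + touch) or a TPM2 policy with a PIN in a separate keyslot. The script below is an added example and is not code from the thread or from the Fedora project. It assumes a Fedora system with systemd-cryptenroll and dracut, a placeholder LUKS2 partition path in DEVICE, and a placeholder UUID for the crypttab line; commands that need root and real hardware are only printed unless DRY_RUN=0 is set. The luksDump excerpt it parses is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): enroll a FIDO2 token, or TPM2 + PIN, as an extra
# LUKS2 keyslot while keeping the passphrase slot as fallback, then verify the layout.
# Assumes Fedora with systemd-cryptenroll and dracut. DEVICE is a placeholder.
set -eu

DEVICE="${DEVICE:-/dev/nvme1n1p3}"   # placeholder LUKS2 partition; take it from your lsblk output
DRY_RUN="${DRY_RUN:-1}"              # 1 = print privileged commands instead of running them

run() {                               # print the command in dry-run mode, execute it otherwise
  if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# FIDO2 token in its own keyslot: PIN ("something you know") plus touch ("something you have").
enroll_fido2() {
  run systemd-cryptenroll --fido2-device=auto \
      --fido2-with-client-pin=yes --fido2-with-user-presence=yes "$1"
}

# TPM2 alternative: bind to the Secure Boot state (PCR 7) and require a PIN, so a stolen,
# powered-on laptop still needs something the thief does not know.
enroll_tpm2_pin() {
  run systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes --tpm2-pcrs=7 "$1"
}

# /etc/crypttab entry in Fedora's naming convention; $2 is the unlock option
# (fido2-device=auto or tpm2-device=auto). The passphrase prompt remains the fallback.
crypttab_line() {
  printf 'luks-%s UUID=%s none %s,discard\n' "$1" "$1" "$2"
}

# Summarise `cryptsetup luksDump` (LUKS2) read from stdin: total keyslots, token types, and
# how many keyslots are not bound to a token, i.e. still unlocked by a passphrase.
luks_summary() {
  awk '
    /^Keyslots:/ { sec = "k"; next }
    /^Tokens:/   { sec = "t"; next }
    /^Digests:/  { sec = "d"; next }
    sec == "k" && /^  [0-9]+: luks2/      { slots[$1 + 0] = 1; nslots++ }
    sec == "t" && /^  [0-9]+: systemd-/   { t = $2; sub(/^systemd-/, "", t); tok[t]++ }
    sec == "t" && /^[[:space:]]+Keyslot:/ { bound[$2 + 0] = 1 }
    END {
      free = 0
      for (s in slots) if (!(s in bound)) free++
      printf "keyslots=%d fido2=%d tpm2=%d passphrase_only=%d\n",
             nslots + 0, tok["fido2"] + 0, tok["tpm2"] + 0, free
    }'
}

# Succeeds only if at least one token slot AND at least one passphrase-only slot exist,
# i.e. the convenience factor was added without losing the fallback.
layout_is_safe() {
  summary=$(luks_summary)
  case "$summary" in
    *"passphrase_only=0") return 1 ;;
    *"fido2=0 tpm2=0"*)   return 1 ;;
    *)                    return 0 ;;
  esac
}

# Constructed luksDump excerpt: two keyslots, slot 1 bound to a systemd-fido2 token.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      argon2id
  1: luks2
    Key:        512 bits
    PBKDF:      pbkdf2
Tokens:
  0: systemd-fido2
    fido2-clientPin-required: true
    fido2-up-required: true
    Keyslot:    1
Digests:
  0: pbkdf2'

enroll_fido2 "$DEVICE"
crypttab_line "0b2a7f0e-0000-4000-8000-000000000000" fido2-device=auto   # placeholder UUID
printf '%s\n' "$SAMPLE_DUMP" | luks_summary
printf '%s\n' "$SAMPLE_DUMP" | layout_is_safe && echo "layout OK: token slot plus passphrase fallback"
# On real hardware, after enrolling:  sudo cryptsetup luksDump "$DEVICE" | luks_summary
# then rebuild the initramfs so the unlock option is honoured at boot:  sudo dracut -f
```

The check in `layout_is_safe` is the step worth keeping: systemd-cryptenroll can also wipe slots (`--wipe-slot=`), so verifying after enrollment that a passphrase-only keyslot still exists is what preserves the "left the key at home" fallback the reply describes.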
Thank you all, I’ll try to follow your suggestions.
In any case, I don't understand why there is a checkbox to save the passphrase in the cryptsetup pop-up window.
Would you mind sharing a screenshot of that, please?
The first image is the window that appears at startup or, in any case, the first time I try to access the encrypted disk, and, as you see, it shows the checkbox.
In the second image I just pasted in my passphrase.
The third image is the window that pops up immediately after, requesting the root password to decrypt the disk.
Is this your boot drive? Or is this a partition with LUKS encryption? Or an additional drive?
P.S.: can you post here the output of the lsblk command (executed in the Konsole)?
The encrypted disk is the internal drive of my laptop and is the BitLocker-encrypted disk.
My Fedora boot disk is an external USB drive (a Thunderbolt 4 one, for instance).
The output of lsblk:
OOPS, I see now that I left sda attached, an additional external unencrypted drive.
That third image is clearly on a partition, /dev/nvme0n1p3, which would probably be the btrfs partition.
No, it is an NTFS partition on the laptop's internal disk.
nvme1n1p3 is the btrfs partition on the external USB disk.