store it in tpm
Comment on Proper HDD clear process?
waspentalive@lemmy.one 6 months agoDoes one have to supply the password at each boot with what you are describing - this sounds like the password is somewhere in the partition table. If so what do I google to learn more?
vox@sopuli.xyz 6 months ago
rentar42@kbin.social 6 months ago
There's many different ways with different performance tradeoffs. for example for my Homeland server I've set it up that I have to enter it every boot, which isn't often. But I've also set it up to run a ssh server so I can enter it remotely.
On my work laptop I simply have to enter it on each boot, but it mostly just goes into suspend.
One could also have the key on a usb stick (or better use a yubikey) and unplug that whenever is reasonable.
IlliteratiDomine@infosec.pub 6 months ago
There are many ways to setups full disk encryption on Linux, but the most common all involve LUKS. Providing a password at mount (during boot, for a root partition or perhaps later for a “data” volume) but you can also use things like smart cards (like a Yubikey) or a keyfile (basically a file as the password rather than typed in) to decrypt.
So, to actually answer your question, if you dont want to type passwords and are okay with the security implementations of storing the key with/near the system, putting a keyfile on removable storage that normally stays plugged in but can be removed to secure your disks is a common compromise. Here’s an approachable article about it.
Search terms: “luks”, " keyfile", “evil maid”