Passwordless disk encryption on Linux

5 months, 3 weeks ago


My Linux installation is encrypted but boots without a password. Here's how that works.

I just got a new PC! It's full of rainbow LEDs, and the hostname is bifrost: my rainbow bridge to the world. Also because I love The Mechanisms. I have Ubuntu for most things, and Windows for gaming, X-Plane, etc. New installations are a good time to get security set up properly, so I've been looking at Secure/Measured Boot and disk encryption. This is mainly going to be a link to Kyle Rose's guide, but here are some quick definitions and a bit more context of what I wanted:

For this single-user, personal, home machine, my main threat model is that eventually it gets stolen and someone decides it's worth trying to extract the data from it. So I want the disks to be encrypted, but it's also useful to me if the OS can safely boot as far as a login screen before requiring me to enter a password. I consider this safe enough if Secure Boot ensures it's running my unaltered installation with a decent login password. Windows 10 achieves this if you enable BitLocker, and I wanted the same on Linux.

[Figure: flow chart of the boot process, from firmware to decrypting storage]

Time to utter the cursed words… "how hard can it be?" Not that hard, it turns out! I installed Ubuntu 20.04 via UEFI, chose encryption at the disk partitioning stage, and followed the prompts about Secure Boot. That gives you an OS that boots with Secure Boot enabled and can sign third-party kernel modules for you with a Machine Owner Key (although Secure Boot only verifies the bootloader and kernel; the initrd is unsigned and can still be tampered with), and it prompts for a password to decrypt the disk at every boot. So the main thing to do from there is to add an extra LUKS key slot whose key is sealed to the TPM, and set the initrd up to unseal and use it automatically.
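To make the last step concrete, here is an added example of that enrol-and-unlock flow using tpm2-tools and cryptsetup. It is not code from this post or from Kyle Rose's guide, and the device path, mapper name, persistent handle and working directory are assumptions to adjust for your machine; the tpm2-tools flags follow the 4.x/5.x syntax. The key is sealed to PCR 0 (firmware code) and PCR 7 (Secure Boot state), which is what ties "boots without a password" to "only my unaltered Secure Boot configuration".

```bash
#!/bin/bash
# Added example (not from the post or Kyle Rose's guide): seal a LUKS
# keyfile to the TPM 2.0 under a PCR policy, enrol it as an extra key
# slot, and unseal it at boot. Assumes tpm2-tools 4.x/5.x, cryptsetup 2.x
# and an already LUKS-encrypted root partition.
set -eu

# --- assumptions: adjust for your machine ---
LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"                # hypothetical encrypted partition
MAPPER_NAME="${MAPPER_NAME:-cryptroot}"
PERSISTENT_HANDLE="${PERSISTENT_HANDLE:-0x81000001}"  # where the sealed object lives in the TPM
WORKDIR="${WORKDIR:-/root/tpm-luks}"                  # root-only; briefly holds the plaintext key

# PCR 0 = firmware code, PCR 7 = Secure Boot policy (db/dbx/KEK, enabled state).
# Binding to both means the key only unseals when the same firmware boots
# with the same Secure Boot configuration.
pcr_spec() {
    # Build a tpm2-tools PCR selection string such as "sha256:0,7".
    local IFS=,
    printf 'sha256:%s' "$*"
}

key_is_sane() {
    # A LUKS keyfile here should be exactly 32 random bytes; anything else
    # means generation went wrong (e.g. dd with the wrong count).
    [ -f "$1" ] && [ "$(wc -c < "$1")" -eq 32 ]
}

make_luks_key() {
    # Fresh 256-bit key that will only ever exist sealed in the TPM.
    umask 077
    mkdir -p "$WORKDIR"
    head -c 32 /dev/urandom > "$WORKDIR/luks.key"
    key_is_sane "$WORKDIR/luks.key"
}

seal_key_to_tpm() {
    # 1. Policy digest requiring the current PCR 0 and 7 values.
    tpm2_createpolicy --policy-pcr -l "$(pcr_spec 0 7)" -L "$WORKDIR/policy.digest"
    # 2. Primary key in the owner hierarchy to parent the sealed object.
    tpm2_createprimary -C o -g sha256 -G rsa -c "$WORKDIR/primary.ctx"
    # 3. Seal the keyfile under that policy. adminwithpolicy makes the
    #    policy the only way to unseal; noda avoids dictionary-attack lockout
    #    when the PCRs simply do not match.
    tpm2_create -C "$WORKDIR/primary.ctx" -g sha256 \
        -u "$WORKDIR/seal.pub" -r "$WORKDIR/seal.priv" \
        -L "$WORKDIR/policy.digest" \
        -a "fixedtpm|fixedparent|adminwithpolicy|noda" \
        -i "$WORKDIR/luks.key"
    # 4. Load it and make it persistent so the initrd can find it by handle.
    tpm2_load -C "$WORKDIR/primary.ctx" -u "$WORKDIR/seal.pub" \
        -r "$WORKDIR/seal.priv" -c "$WORKDIR/seal.ctx"
    tpm2_evictcontrol -C o -c "$WORKDIR/seal.ctx" "$PERSISTENT_HANDLE"
}

enroll_luks_key() {
    # Add the sealed key as an extra slot. The existing passphrase stays as
    # the fallback for when the PCRs change (firmware update, Secure Boot
    # toggled, or a tampered boot chain).
    cryptsetup luksAddKey "$LUKS_DEV" "$WORKDIR/luks.key"
    shred -u "$WORKDIR/luks.key"
}

unlock_with_tpm() {
    # What the initrd hook runs: unseal only succeeds if PCR 0/7 match, and
    # the plaintext key goes straight to cryptsetup on stdin, never to disk.
    tpm2_unseal -c "$PERSISTENT_HANDLE" -p "pcr:$(pcr_spec 0 7)" \
        | cryptsetup open "$LUKS_DEV" "$MAPPER_NAME" --key-file -
}

main() {
    case "$1" in
        enroll) make_luks_key && seal_key_to_tpm && enroll_luks_key ;;
        unlock) unlock_with_tpm ;;
        *) echo "usage: $0 enroll|unlock" >&2; return 1 ;;
    esac
}

[ "$#" -eq 0 ] || main "$@"
```

Run `enroll` once from the installed system, then wire `unlock` into an initramfs hook (how that hook is packaged is the part Kyle Rose's guide covers). Two caveats: a firmware or dbx update changes PCR 0 or 7 and the unseal will fail until you re-enrol, so never remove the passphrase slot; and because the initrd is unsigned, an attacker with the disk could alter the hook to capture the unsealed key unless the policy also covers the initrd, for example by adding the PCR your bootloader measures loaded files into (GRUB with TPM support uses PCR 9) to `pcr_spec`.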

At this point Kyle Rose's guide to measured boot setup contains all the heavy-lifting code, and I won't repeat it all here, but there were some slight differences for me:

But otherwise, that's it, it seems to be working. This is the first time I've attempted this so there may be mistakes; corrections welcome.
