Is Linux full-disk encryption with seamless user experience à la FileVault (macOS) or BitLocker (Windows) possible?
I've found some full-disk encryption (FDE) solutions for Linux OSes. Specifically, I've looked at solutions that work on Linux Mint or Ubuntu, since that's what I tend to use. But I'm sure this question applies to other distros, as well.
I'm looking for a full-disk solution that works as seamlessly for the user experience as it does with FileVault on macOS.
The FileVault experience is as follows:
- FileVault encrypts the whole disk. Doing so is a one-click operation in the prefs panel for Security.
- FV provides a pre-boot environment that unlocks a Mac equivalent of a Trusted Platform Module (it may actually be a TPM, but I don't think it is), which is the thing that locks up the key(s) that actually did the disk encryption.
- When you log in, you actually log in to the pre-boot environment. This then unlocks FV's keys. Only then is the OS disk unlocked.
- The OS user's password is synchronized with the FV password; to the end user this is all seamless (except in a few use cases)
On Windows, BitLocker works with the TPM in much the same way as described above for FileVault.
On Linux, however, even with TPM tools installed, every full-disk encryption scheme I've encountered has required a boot password in addition to the login username and password.
For example, this (very well written and detailed) Linux Mint example:
https://community.linuxmint.com/tutorial/view/2026
In this example (which is like a million easy-to-flub CLI steps, btw), FDE is done, but you can see the user has to type a decryption passphrase into the GRUB prompt on boot.
Has anyone cracked this nut for Linux?
Requirements
- User experience is such that user enters their login and password only once
- Full disk encryption (including boot partition)
- (Nice to have) Setup is easy or, at the very least, Simple(TM)
You can't encrypt the boot partition as you need to boot the pre-boot environment from it. Encrypting the boot partition does not help with anything.
Many standard Linux installs (including Ubuntu) allow you to select "full disk encryption" on boot, and don't require a GRUB password as part of the GUI. It does this by loading the "pre-boot" environment from a RAM disk and using this and LUKS to unlock the partition.
Once it's booted there is typically a second step to log in as a particular user with a password; however, you can set automatic login to the GUI. Of course, if you step away from your computer and leave it in, your system is wide open.
Apparently (but I have not tested it), Ubuntu supports TPM 2.0 natively. (I confess to being skeptical this is automatically configured, but I've not tried it.)
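Whether a given install stops at a passphrase prompt before the login screen is decided by its crypttab, the file the initramfs reads to know which LUKS mappings to open and how. The script below is an added example, not from the original post: it parses crypttab text and reports which mappings will prompt and which unlock unattended (keyfile, or the tpm2-device=/fido2-device=/pkcs11-uri= options of systemd-cryptsetup, or Debian's keyscript= option, all assumed here as the unattended cases). The sample crypttab is constructed for the demo.

```shell
#!/bin/sh
# Audit a crypttab: which LUKS mappings will stop the boot to ask for a
# passphrase, and which unlock unattended. Reads crypttab text on stdin and
# prints "<name> prompt" or "<name> auto" per mapping.
audit_crypttab() {
    awk '
        /^[[:space:]]*(#|$)/ { next }    # skip comments and blank lines
        {
            # Fields: <target> <source> <key file> <options>; missing key means prompt
            name = $1; key = (NF >= 3) ? $3 : "none"; opts = (NF >= 4) ? $4 : ""
            mode = "auto"
            if (key == "none" || key == "-") {
                mode = "prompt"
                # options that supply the key without a human typing it
                if (opts ~ /(^|,)(tpm2-device|fido2-device|pkcs11-uri|keyscript)=/) mode = "auto"
            }
            print name, mode
        }'
}

# Number of passphrases the user will be asked for before the login screen.
count_prompts() {
    audit_crypttab | awk '$2 == "prompt" { n++ } END { print n + 0 }'
}

# Is a TPM 2.0 resource manager device exposed by the kernel? (0 = yes)
tpm_present() {
    [ -c /dev/tpmrm0 ]
}

# Constructed sample crypttab (placeholder UUIDs, not from a real system)
SAMPLE='# <target> <source> <key file> <options>
cryptroot UUID=PLACEHOLDER-ROOT none luks,discard
cryptswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64
crypthome UUID=PLACEHOLDER-HOME none luks,tpm2-device=auto
'

if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE" | audit_crypttab
    printf 'passphrase prompts at boot: %s\n' "$(printf '%s' "$SAMPLE" | count_prompts)"
    tpm_present && echo "TPM 2.0 device present" || echo "no /dev/tpmrm0"
fi
```

Run it with `--demo` for the constructed sample, or `audit_crypttab < /etc/crypttab` on a real machine; a count of zero prompts is the "enter the password only once" experience the question asks for.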