
Re: Unlock LUKS with login/password

On 08/03/2023 at 17:11, Adrien CLERC wrote:

Hello,

On 08/03/2023 at 16:28, Alexey Kuznetsov wrote:
Hello!

I have an idea about how modern Linux should work with encrypted LUKS partitions.

Hi,

I have been using LUKS for a long time on both my personal (desktop) and professional (laptop) computers. Since they are single-user (me), I use autologin in the display manager, lightdm in my case. Because there is only one slot configured in LUKS, I'm sure this is me, so lightdm can autologin safely.

However, you are proposing to solve the case for multiple user computers. In that case, I would think about a much simpler design:

- Remember which slot was used to unlock the LUKS root partition

- Make a map with slot -> user to autologin

- Autologin that user on boot

No more passing the password around, no more password-update headache. But only a root user can update the map "slot -> user".


The issue with this approach is that you still need to enter a password for session keyrings (such as gnome-keyring). Ideally, the LUKS password would be forwarded to PAM (and automatically reused for logging in *and* unlocking the session keyring).

The issue is that the system (often plymouth on desktop/laptop setups) would then need to:
* unlock the filesystem
* initialize PAM straight away
* check the user password
* raise an error if either of the above fails, potentially locking the filesystem again if the password/encryption key is valid but does not match the selected user

Overall a nice idea, but not so simple to implement properly ;)

Cheers,
Arnaud

Adrien
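The slot-to-user map Adrien sketches above, as an added shell illustration that is not code from this thread or from any project it mentions. It assumes the slot number is recovered from cryptsetup's verbose "Key slot N unlocked." message (the sample line below is constructed) and that the map is a root-owned file with one "slot:user" entry per line at the hypothetical path /etc/luks-autologin.map. The part worth seeing is the trust check that Adrien's "only root can update the map" relies on: the map is honoured only when the expected owner (root by default) owns it and nobody else can write it.

```shell
#!/bin/sh
# Added illustration, not code from the thread: map the LUKS key slot that
# unlocked the root volume to the one user who may be auto-logged-in.
# Assumptions (not from the thread):
#  - the slot number comes from cryptsetup's verbose "Key slot N unlocked."
#    line; the sample below is constructed
#  - the map is a root-owned file with one "slot:user" entry per line,
#    e.g. at the hypothetical path /etc/luks-autologin.map

SAMPLE_CRYPTSETUP_OUTPUT="Key slot 1 unlocked."   # constructed sample line

# Print the slot number found in cryptsetup-style output, or nothing at all.
slot_from_cryptsetup_output() {
    printf '%s\n' "$1" | sed -n 's/^Key slot \([0-9][0-9]*\) unlocked\.$/\1/p' | head -n 1
}

# Succeed only if the map is owned by the expected uid (root by default) and
# is not writable by group or others: whoever can edit the map decides who
# gets a session without a password, so it must be as trusted as /etc/passwd.
map_is_trusted() {
    map="$1"
    want_uid="${2:-0}"
    [ -f "$map" ] || return 1
    owner=$(ls -ldn "$map" | awk '{print $3}')
    [ "$owner" = "$want_uid" ] || return 1
    perm=$(ls -ld "$map" | cut -c1-10)
    case "$perm" in
        ?????w*|????????w*) return 1 ;;   # group-writable or world-writable
    esac
    return 0
}

# Print the user mapped to a slot; blank lines and '#' comments are ignored.
user_for_slot() {
    awk -F: -v s="$2" 'NF == 0 || /^[[:space:]]*#/ { next } $1 == s { print $2; exit }' "$1"
}

# Full decision: print the user to autologin, or print nothing and fail.
# The optional third argument only exists so the check can be exercised
# against a file that is not owned by root.
autologin_user() {
    cryptsetup_output="$1"; map="$2"; want_uid="${3:-0}"
    slot=$(slot_from_cryptsetup_output "$cryptsetup_output")
    [ -n "$slot" ] || return 1
    map_is_trusted "$map" "$want_uid" || return 1
    user=$(user_for_slot "$map" "$slot")
    [ -n "$user" ] || return 1
    printf '%s\n' "$user"
}

# Usage at boot (as root): autologin_user "$(cryptsetup --verbose open ...)" /etc/luks-autologin.map
```

At boot this would be fed cryptsetup's real output and run as root against the real map, and the display manager would be pointed at the printed user. It gets that user a session, but, as Arnaud notes, no password ever reaches PAM, so the session keyring still has to be unlocked by hand.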
