Re: Unlock LUKS with login/password
On 08/03/2023 at 17:11, Adrien CLERC wrote:
Hello,
On 08/03/2023 at 16:28, Alexey Kuznetsov wrote:
Hello!
I have an idea about how a modern Linux system should work with encrypted LUKS
partitions.
Hi,
I've been using LUKS for a long time on both my personal (desktop) and
professional (laptop) computers. Since they are single-user (me), I
use autologin in the display manager, lightdm in my case. Because
there is only one slot configured in LUKS, I'm sure it is me, so
lightdm can autologin safely.
However, you are proposing to solve the case for multiple user
computers. In that case, I would think about a much simpler design:
- Remember which slot was used to unlock the LUKS root partition
- Make a map with slot -> user to autologin
- Autologin that user on boot
No more passing password, no more password update headache. But only a
root user can update the map "slot -> user".
The issue with this approach is that you still need to enter a password
for session keyrings (such as gnome-keyring).
Ideally, the LUKS password would be forwarded to PAM (and automatically
reused for logging in *and* unlocking the session keyring).
The issue is that the system (often plymouth on desktop/laptop setups)
would then need to:
* unlock the filesystem
* initialize PAM straight away
* check the user password
* raise an error if either of the above fails, potentially locking the
filesystem again if the password/encryption key is valid but does not
match the selected user
Overall a nice idea, but not so simple to implement properly ;)
Cheers,
Arnaud
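The "slot -> user" autologin map Adrien sketches, as an added example written for this thread (not code from either poster or from cryptsetup/lightdm). It assumes the boot scripts capture the verbose "Key slot N unlocked." line that cryptsetup prints on a successful open, and that a root-owned map file lists one "slot user" pair per line; both are constructed inline here so the script runs offline, and the lightdm stanza names the map file and the drop-in path only as assumed examples.

```sh
#!/bin/sh
# Added example: derive a lightdm autologin stanza from the LUKS slot that
# unlocked the root partition (Adrien's design), without forwarding any passphrase.

# Constructed sample of cryptsetup's verbose stderr after a successful open
SAMPLE_CRYPTSETUP_OUTPUT="Key slot 1 unlocked.
Command successful."

# Constructed sample map, assumed format: "<slot> <user>" per line.
# In a real deployment this must be a root-owned file that only root can edit,
# otherwise any local user could map a slot to another account.
SAMPLE_MAP="0 alice
1 bob"

# Print the slot number found in cryptsetup output; print nothing if absent
slot_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Key slot \([0-9][0-9]*\) unlocked\.$/\1/p' | head -n 1
}

# Print the user mapped to a slot; print nothing if the slot is unmapped
user_for_slot() {
    printf '%s\n' "$1" | awk -v s="$2" '$1 == s { print $2; exit }'
}

# Emit a lightdm drop-in stanza for the user; fail (no output) if user is empty,
# which callers treat as "do not autologin, fall back to the greeter prompt"
lightdm_autologin_conf() {
    [ -n "$1" ] || return 1
    printf '[Seat:*]\nautologin-user=%s\nautologin-user-timeout=0\n' "$1"
}

# Full chain: cryptsetup output + map -> stanza, or failure when either step
# yields nothing (unknown slot, unmapped slot, or a failed unlock)
autologin_stanza() {
    slot=$(slot_from_output "$1")
    [ -n "$slot" ] || return 1
    lightdm_autologin_conf "$(user_for_slot "$2" "$slot")"
}

# Assumed usage from an early-boot hook (paths are examples, not a real layout):
#   autologin_stanza "$(cryptsetup -v open /dev/sda2 cryptroot 2>&1)" \
#       "$(cat /etc/luks-autologin.map)" > /etc/lightdm/lightdm.conf.d/50-autologin.conf
```

Arnaud's objection still stands: this logs the user in, but gnome-keyring and similar session keyrings are not unlocked, because no passphrase ever reaches PAM.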