What's the point of automatic on-boot decrypting LUKS volumes?

3 pointsq2dg2y ago4 comments

Hello. You know that a "disadvantage" of wanting to have a LUKS volume decrypted at system startup is that a passphrase must be provided interactively. Since this is somewhat cumbersome, there are many methods that allow this passphrase to be indicated non-interactively using some type of keystore (systemd-cryptenroll, Tang/Clevis, etc). My question is: what is the point of having an encrypted disk, then, if it will be automatically decrypted when the system boots? A thief who steals my laptop with this automatic configuration would not have any impediments to accessing it! I'm missing some point here. Thank you so much

4 comments

yokaze2y ago

Well, first off, while you can configure it that way, I don't think that is the primary use-case. The primary one is adding a "something you have" factor to the "something you know" factor.

If you have servers in a controlled surveilled environment, you might be less worried about someone carrying a whole machine away, and you might be more concerned with someone just pulling a disk out and intentionally or unintentionally leaking the data. If someone can infiltrate your DC and take out a 4u server, then you have bigger problems to worry about.

q2dgOP2y ago

Ah, I see the point: the use case is not the robbery of a computer but the robbery of an encrypted disk alone. If it's extracted from its hardware key escrow environment (a TPM, for instance) then won't be able to boot. Aha! Thanks a lot!!

cobbaut2y ago

If it boots, then you (or the thief) needs to provide credentials. When not booted, the disk is encrypted so the thief cannot overwrite the /etc/shadow file.

q2dgOP2y ago

Yes, that's was the reason of my question: there are several mechanisms to not need to provide credentials anyway (interactively). But @yokaze has pointed to a situation where this has sense. Thanks!

j / k navigate · click thread line to collapse

What's the point of automatic on-boot decrypting LUKS volumes?

3 pointsq2dg2y ago4 comments

4 comments

yokaze2y ago

Well, first off, while you can configure it that way, I don't think that is the primary use-case. The primary one is adding a "something you have" factor to the "something you know" factor.

q2dgOP2y ago

cobbaut2y ago

If it boots, then you (or the thief) needs to provide credentials. When not booted, the disk is encrypted so the thief cannot overwrite the /etc/shadow file.

q2dgOP2y ago

Yes, that's was the reason of my question: there are several mechanisms to not need to provide credentials anyway (interactively). But @yokaze has pointed to a situation where this has sense. Thanks!

j / k navigate · click thread line to collapse