I tried adding a key file and even a password txt, but both led to it still asking for me to type in the password.

Is it because the drive is encrypted? I tried placing the files at /, /boot, /root, /etc

Edit1: I’ve tried to install dropbear and give it ssh keys. I will try to reboot in the morning and see what happens

Edit2: signing in via ssh just says port 22 rejected not working :(

  • Unmapped@lemmy.ml
    18 hours ago

    This isn’t helpful. But genuine question. What is the point of encryption that auto unencrypts? When would it ever actually be securing the data?

    • kevincox@lemmy.ml
      8 hours ago
      1. Wiping the drive is a lot easier, just overwrite the root key a few times.
      2. If you store the key on a different drive you can safely dispose of the drive just by separating the two. (I do on my home server, keeping the decryption key on a USB drive. If I need to ship the server or discard old hardware I can just hold onto the thumb drive and not worry about the data being read.)

      Security is always about tradeoffs. On my home server unattended reboots are necessary so it needs to auto-decrypt. But using encryption means I don’t need to worry about discarding broken hardware or if I need to travel with the server where it may be inspected. For my laptop, desktop and phone where I don’t need unattended reboots I require the encryption key on bootup.

      • Unmapped@lemmy.ml
        2 hours ago

        Thanks, both of your points are good. I was thinking about it in terms of what OP is trying to do. Having key on the same drive. Putting the key on a separate drive or even the cloud like someone else suggested makes sense. I have all of my computers on manual. Since I don’t have anything critical enough that it can’t wait till I’m back home to start it back up.

        • kevincox@lemmy.ml
          1 hour ago

          Yeah, I don’t think there are many benefits when keeping the key on the same drive. Other than a bit of obfuscation. It does still help with erasing, as you can wipe the keyslots (rendering the key useless) but with modern storage media deletion is fairly hard to ensure. But still better than unencrypted.

    • chaospatterns@lemmy.world
      16 hours ago

      One place it would be useful is if you are worried about somebody breaking into your home and stealing your computer. Don’t store the key on the home computer, instead store it on a cloud server. The home computer connects to the cloud server, authenticates itself with some secret, then if the cloud server authorizes, it can return the decryption key.

      Then if your computer gets stolen or seized, it’ll connect via a different IP and the cloud server can deny access or even wipe the encryption key.

      This doesn’t protect against all risks, but it has its uses.

      Example: https://www.ogselfhosting.com/index.php/2023/12/25/tang-clevis-for-a-luks-encrypted-debian-server
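
A minimal model of the key-release flow described in the comment above, as an added example that is not part of the original comment and is not Tang's or Clevis's actual protocol. The class, function names, addresses and keys are constructed for illustration; it shows the server refusing a replayed or wrongly keyed request and withholding (optionally wiping) the key when an authenticated machine appears from an unexpected address.

```python
import hashlib
import hmac
import ipaddress
import secrets


def client_proof(shared_secret: bytes, nonce: bytes) -> bytes:
    """What the home machine sends: HMAC over the server's one-time nonce."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


class KeyReleaseServer:
    """Hypothetical remote key holder; not Tang's protocol or API."""

    def __init__(self, shared_secret, disk_key, allowed_net, wipe_if_moved=False):
        self._secret = shared_secret
        self._disk_key = disk_key          # None once wiped
        self._allowed = ipaddress.ip_network(allowed_net)
        self._wipe_if_moved = wipe_if_moved
        self._open_nonces = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return nonce

    def release(self, source_ip: str, nonce: bytes, proof: bytes):
        """Return the disk key, or None if the request is refused."""
        if nonce not in self._open_nonces:
            return None                    # unknown or replayed nonce
        self._open_nonces.discard(nonce)
        if not hmac.compare_digest(client_proof(self._secret, nonce), proof):
            return None                    # wrong secret: refuse, never wipe
        if ipaddress.ip_address(source_ip) not in self._allowed:
            # Authenticated machine at an unexpected address: treat as moved.
            if self._wipe_if_moved:
                self._disk_key = None
            return None
        return self._disk_key


def unlock_attempt(server, secret, source_ip):
    """One full challenge/response round trip from the given address."""
    nonce = server.challenge()
    return server.release(source_ip, nonce, client_proof(secret, nonce))
```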

      • Unmapped@lemmy.ml
        2 hours ago

        Thanks, I was thinking about it as if the key was stored on the same drive. Like OP is trying to do. Which I don’t think would help in the case of it being stolen. Or any case I can think of. But I see how a cloud key would make a lot of sense. And would be a good compromise on security vs convenience.

    • Björn Tantau@swg-empire.de
      18 hours ago

      At least TPM is supposed to be tamper proof. So as long as you don’t login automatically your data should be secure.

      It’s also useful to autodecrypt it temporarily to set up more secure decryption later. OEM installs often do this. I did it on my Steam Deck while looking for a way to enter a passphrase without a keyboard.

      • kevincox@lemmy.ml
        8 hours ago

        Depending on the attacker of course. If they can read your RAM after auto-decrypt they can just take the encryption key.

          • kevincox@lemmy.ml
            8 hours ago

            Only if they gain possession when the device is running with the drive decrypted and they keep it running the whole time. That is a lot higher bar than being able to turn the machine on at any time and then recover the key. For example if this is a laptop that you are flying with. Without auto-decryption you can simply turn it off and be very secure. With auto-decryption they can turn it on then extract the key from memory (not easy, but definitely possible and with auto-decryption they have as long as they need, including sending the device to whatever forensics lab is best equipped to extract the key).