from Hacker News

What's the point of automatic on-boot decrypting LUKS volumes?

by q2dg on 10/7/23, 11:10 AM with 4 comments

Hello. You know that a "disadvantage" of wanting to have a LUKS volume decrypted at system startup is that a passphrase must be provided interactively. Since this is somewhat cumbersome, there are many methods that allow this passphrase to be indicated non-interactively using some type of keystore (systemd-cryptenroll, Tang/Clevis, etc). My question is: what is the point of having an encrypted disk, then, if it will be automatically decrypted when the system boots? A thief who steals my laptop with this automatic configuration would not have any impediments to accessing it! I'm missing some point here. Thank you so much

  • by yokaze on 10/7/23, 1:03 PM

    Well, first off, while you can configure it that way, I don't think that is the primary use-case. The primary one is adding a "something you have" factor to the "something you know" factor.

    If you have servers in a controlled surveilled environment, you might be less worried about someone carrying a whole machine away, and you might be more concerned with someone just pulling a disk out and intentionally or unintentionally leaking the data. If someone can infiltrate your DC and take out a 4u server, then you have bigger problems to worry about.

  • by cobbaut on 10/7/23, 11:57 AM

    If it boots, then you (or the thief) needs to provide credentials. When not booted, the disk is encrypted so the thief cannot overwrite the /etc/shadow file.