Is there a security risk with enabling autologin when you have disk encryption with LUKS enabled? If anyone gets hold of the PC, they have to enter the password needed for decrypting the disk.

  • GodIsNull@feddit.de
    link
    fedilink
    arrow-up
    20
    ·
    1 year ago

    I use autologin too with disk encryption and i don’t see an issue. If you have the encryption password nothing can stop you anyway. And if you put your computer in any sleep mode you have to login after waking up.

  • chayleaf@lemmy.ml
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    it’s fine, but I recommend only enabling autologin at boot so you can lock the screen without shutting down the entire PC

  • FlexibleToast@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    You could potentially do it even better the other way around. You can use clevis and tang to have network bound disk encryption setup. That way, anytime you’re connected to your network the disk auto decrypts. For laptops, I like to put a decryption key on a USB drive that auto decrypts the drive. Network bound disk encryption doesn’t work over wifi and this way I can still have it decrypt on the go but lock it by removing the USB key (like if you leave the laptop in the hotel room just take the USB out and keep it with you).

    • thayer@lemmy.ca
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      I can’t speak for all methods but in the case of GNOME’s greeter, autologin doesn’t apply to remote sessions.

    • adzsx@infosec.pubOP
      link
      fedilink
      Deutsch
      arrow-up
      2
      ·
      1 year ago

      You mean SSH? I have it blocked by a firewall. Or do you mean anything else I am unaware of?

  • tal
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    1 year ago

    I’m not familiar with the environment, but depending upon how locked-down the system is and what permissions the auto-logged-in user gets, an attacker could use the session to modify the environment to grab the LUKS password for later collection.

  • thayer@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I’ve used this workflow for years and like you said, any attacker would have to know your LUKS passphrase or catch your desktop while the screen is unlocked.