I am currently looking out for a disk / file-system encryption solution, on Linux, which would not require a password at every reboot instance.
While this will not prevent data theft if the entire system is snitched, it should at least ensure that data remains confidential if only the disk is attempted to be put on a different system.
The system has a
I looked at several solutions –
LUKS-dmCrypt: Whichever guide I have followed requires a password upon boot. Further, the encryption process requires an FS / volume format. Converting an existing non-encrypted volume to an encrypted one seems like a complicated process which may be difficult to carry out in an automated and unsupervised way. There are solutions such as this, which bypass the boot password prompt by storing it in TPM, but I am not able to verify the validity and risks of using something like this, which hasn't many reviews or comments.
Veracrypt: Veracrypt has TPM support, which I suppose does away with the need to provide a boot password, but the Veracrypt Release Notes only show
Self Encrypting Disks: SED SSDs are a viable option, but even they require an ATA password set in BIOS and would prompt for a password. I am not sure if it's possible to store the SED TPM and whether it's likely to solve the problem. I haven't yet found any documentation from a manufacturer confirming this, and searches on the web have also proved futile.
Storing the password / key on an unencrypted, removable disk like a pen drive: Not an option.
Changing the file system to another which allows something like this: Not an option. Only Windows can enable drive-level encryption and use TPM for a silent boot, but I am not sure what works on Linux. I would like to use SED SSDs, but would a TPM solve the password-at-boot issue?
I haven't much experience in the area, so are there any other suggestions / methods I can try out?
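One concrete way to get the password-free boot the question is after, as an added example that is not part of the original post: on a current systemd-based distribution a LUKS2 volume can be bound to the TPM2 with systemd-cryptenroll, and an /etc/crypttab entry tells systemd-cryptsetup to try the TPM before prompting. Binding to PCR 7 (the Secure Boot state) means the key is released only on this machine with an unchanged boot policy, which covers the "disk moved to another system" case the question describes. Assumed: systemd 248 or newer, cryptsetup 2.4 or newer, a TPM 2.0 device, root, and the placeholder device /dev/sdX2; the two helpers `pcrs_valid` and `crypttab_entry` are pure and can be exercised without hardware.

```shell
#!/bin/sh
# Added example (not from the original post). Bind a LUKS2 volume to the TPM2
# so it unlocks at boot without a typed passphrase. Assumptions: systemd >= 248
# (systemd-cryptenroll), cryptsetup >= 2.4, a TPM 2.0 device, root, and a
# placeholder device /dev/sdX2. crypttab_entry and pcrs_valid are pure helpers;
# enroll_tpm2 and encrypt_in_place touch real devices and only run on request.
set -eu

# Validate a PCR list in the systemd syntax: decimal indexes 0-23 joined by '+'.
pcrs_valid() {
  list="$1"
  [ -n "$list" ] || return 1
  old_ifs=$IFS
  IFS='+'
  for p in $list; do
    case "$p" in
      ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;   # empty field or non-digit
    esac
    if [ "$p" -gt 23 ]; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  return 0
}

# Build the /etc/crypttab line. 'none' means no key file; tpm2-device=auto makes
# systemd-cryptsetup try the TPM first and fall back to a passphrase prompt when
# the PCR policy no longer matches (disk moved, firmware or Secure Boot changed).
crypttab_entry() {
  name="$1"; uuid="$2"; pcrs="${3:-7}"
  pcrs_valid "$pcrs" || return 1
  printf '%s UUID=%s none tpm2-device=auto,tpm2-pcrs=%s\n' "$name" "$uuid" "$pcrs"
}

# Enrol the TPM2 as an additional key slot on an existing LUKS2 volume. The
# original passphrase slot is kept as the recovery path. PCR 7 (Secure Boot
# state) is the default binding; pass e.g. 0+7 to add the firmware measurement.
enroll_tpm2() {
  dev="${1:?LUKS device required}"; pcrs="${2:-7}"
  command -v systemd-cryptenroll >/dev/null || { echo "systemd-cryptenroll not found" >&2; return 1; }
  cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
  systemd-cryptenroll "$dev"    # with no options: list the enrolled slots
  # Print the crypttab line for the volume (append it to /etc/crypttab).
  crypttab_entry cryptroot "$(cryptsetup luksUUID "$dev")" "$pcrs"
}

# Convert an existing unencrypted, unmounted filesystem in place (cryptsetup >= 2.4).
# The filesystem must first be shrunk by at least 32 MiB to leave room for the
# LUKS2 header; skipping that step corrupts the tail of the filesystem.
encrypt_in_place() {
  dev="${1:?block device required}"
  cryptsetup reencrypt --encrypt --reduce-device-size 32M "$dev"
}

# Usage (nothing runs unless an action is named, so sourcing the file is harmless):
#   sh tpm-luks.sh enroll /dev/sdX2 0+7
#   sh tpm-luks.sh convert /dev/sdX2
case "${1:-}" in
  enroll)  enroll_tpm2 "${2:-}" "${3:-7}" ;;
  convert) encrypt_in_place "${2:-}" ;;
esac
```

The threat model stays the one the question already states: a disk pulled out of the box is unreadable elsewhere, but anyone who boots the original machine reaches a running system with the volume unlocked, so confidentiality of a running box rests on the OS login and access controls. Keep the passphrase slot enrolled, because a firmware update or Secure Boot change alters PCR 7 and the TPM will then refuse to release the key until it is re-enrolled.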