Hello I have two SSDs in my laptop. One of them has Windows 11.
I selected disk encryption while installing OpenSUSE Slowroll onto the other SSD.
Something that annoys me is that the OpenSUSE boot menu asks for the encryption password even if I want to boot to Windows (on my other SSD) using the Windows Bootloader.
It would be nice to be able to wait until after selecting OpenSUSE to ask for the encryption password.
Is there a way to delay asking for the disk encryption password until after the operating system is selected?
As far as I know the EFI System Partition is unencrypted so I don’t see why the password is needed just to show the boot menu.
Your BIOS should be providing a boot menu, which would not require the password. On my system, I can access that by hitting F12 during boot (while the manufacturer logo is showing).
Your BIOS should be providing a boot menu, which would not require the password. On my system, I can access that by hitting F12 during boot (while the manufacturer logo is showing).
Yes, I know about this. Fedora has an unencrypted boot menu and when I was using Fedora it was faster to just use the grub2 boot menu to boot Windows than pressing F12.
Are you using btrfs and do you plan/need to use snapshot rollback?
I used the default options in “guided setup” which I believe is BTRFS for the operating system files and XFS for the home directory.
Is this protected by a PIN? If not, wouldn’t this mean the device can be decrypted by anyone with physical access to the machine or just plain denial of service by tampering the PCR values that TPM checks?
Does it fallback to password, I was thinking along the lines of change the boot order or reflash the UEFI and then the device is basically bricked.
But I suppose there’s a password fallback.
Though if there’s no PIN protection for the TPM, then anyone can get access to the data.
Fedora defaults to using Boot Loader Specification so menu entries are is on ESP. It is possible that SUSE will support it as well. Currently you can switch to systemd-boot with sdbooutil for snapshots support. Both are still experimental in openSUSE, although YaST just merged support for systemd-boot.
User passwords are a weak access barrier and not meant to protect the data, hence the need for FDE, but it defeats the whole purpose of having FDE when it auto-unlocks is all I’m saying
This should solve OP’s problem but there appears to be a lot of pending features though, some like lack of kdump makes it a no-go for me atm.
Whatever the solution is, I like the way Fedora lets me use the boot menu before it asks for a password.
This is OT, but can anyone tell me how to make the font larger on the password prompt? I have a 3.5k x 2160p monitor and the prompt asking for the password comes up very small. Maybe that’s a good thing Is this part of the grub2 menu? If so, can I make the font larger by editing the “grub” file.
Sorry, that’s no a answer for the main questions
wouldn’t this mean the device can be decrypted by anyone with physical access to the machine
I ask myself exactly the same question. Even so, for a non-beginner attacker, physical access is open door for all kinds of other corruptions, disk encryption or not, imagination is the only limit
Just for the example you give “reflash the UEFI” : even password protection on the BIOS can be bypassed by manually reboot the BIOS on the motherboard.
Of course, this is not to say that we should do nothing - quite the contrary. Rather, it’s about evaluating our threat model. To me, even for a lambda user (personal device with no sensitive activity), if laptop, the disk must be encrypted, as it’s much more exposed to physical access (lack of attention in uncontrolled places, theft, …).
And … @arvidjaar
I wonder how access to operating system was protected in the past before full disk encryption.
… Precisely, I think we are talking more about democratization of encryption than its availability. In past, there was less device, no laptop, other level of threats on data, … today it’s a “basic” for anyone with the slightest concern for his or her privacy.