My work Windows 10 laptop can authenticate and unlock its encrypted disk without me needing to enter a PIN after each reboot.
Is there a way to replicate this behavior on Leap? Can the disk be decrypted and the system boot up by connecting to an Active Directory, or in any other way?
Need to set up a Linux machine with fully encrypted drives but would be interested in finding a way where I would not need to remember the decryption key myself, and instead have it unlock after I log in to my domain.
Is it possible?
If you mean non-system data, it has always been possible to integrate unlocking of an encrypted container into the login procedure with suitable PAM modules. If you mean system data, Windows can do unattended unlock only with TPM; it has nothing to do with Active Directory. I do not think it is supported by Linux.
How would you suggest resolving /tmp /var/tmp and swap partitions?
If I encrypt them will it be possible to share them between multiple users?
I do not wish for one user to have access to another user’s data, even the temporary files.
These days, I am using an encrypted LVM. So just about everything is encrypted.
Back, some time ago, I was using encrypted “/home” and encrypted swap.
Here was my thinking at that time. I didn’t worry about the root partition, other than “/tmp”. There did not seem to be much that was sufficiently sensitive. And I had a similar view of “/var/tmp”.
I mounted “/tmp” using “tmpfs”. Roughly speaking, that uses memory and/or swap.
For swap, I encrypted that with a random key. The way that I set that up during install was to tell the installer to encrypt swap, but I did not fill in anything for the encryption. I have not tried that recently, so I don’t know if that still works.
The effect is that swap is encrypted with a random number. It will be different at each boot. And hibernation won’t work (which did not bother me).
I hope that’s helpful.
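The setup described in the post above (tmpfs for /tmp, swap encrypted with a key drawn fresh at every boot) comes down to a few crypttab and fstab entries. The following is an added example, not something posted in this thread; the device path /dev/sda3, the mapping name cr_swap and the 2G tmpfs limit are assumptions, and the check function only inspects crypttab text fed to it on stdin, so it can be run without touching /etc.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the crypttab/fstab lines for a
# random-key encrypted swap and a tmpfs /tmp, and audits crypttab text for swap
# mappings that still use a persistent key. Device names are assumptions.

# crypttab line: map device $2 as /dev/mapper/$1, keyed from /dev/urandom.
# A fresh key every boot means no passphrase prompt, and no resume from hibernation.
swap_crypttab_line() {
    # $1 = mapping name (e.g. cr_swap), $2 = backing device (e.g. /dev/sda3)
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# fstab line that activates the mapped swap device.
swap_fstab_line() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# fstab line for /tmp on tmpfs. The sticky bit (mode=1777) keeps users from
# deleting each other's files; nosuid/nodev and a size cap limit abuse of /tmp.
tmpfs_fstab_line() {
    # $1 = size limit, e.g. 2G
    printf 'tmpfs /tmp tmpfs defaults,nosuid,nodev,mode=1777,size=%s 0 0\n' "$1"
}

# Read crypttab text from stdin and report every swap mapping whose key source
# is not /dev/urandom. Returns 0 if all swap mappings use a random key, else 1.
check_swap_random_key() {
    bad=0
    while read -r name dev key opts; do
        # skip blank lines and comments
        case "$name" in ''|\#*) continue ;; esac
        case ",$opts," in
            *,swap,*)
                if [ "$key" != "/dev/urandom" ]; then
                    echo "$name: swap mapping on $dev uses persistent key $key"
                    bad=1
                fi ;;
        esac
    done
    return $bad
}

# Usage (prints the three entries for a constructed layout):
# swap_crypttab_line cr_swap /dev/sda3
# swap_fstab_line cr_swap
# tmpfs_fstab_line 2G
```

The audit function is useful after an installer-driven setup: feed it the contents of /etc/crypttab and it flags any swap mapping that was given a key file or passphrase instead of /dev/urandom, which would defeat the point of a random-key swap.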
Hmm … you probably mean encrypted NTFS. Then you are right - files are transparently encrypted with a key that is derived from Windows user credentials and are decrypted on every access, indeed making data unavailable to other users. I do not think there is anything equal in Linux (at least suitable for mass usage). There is support for encryption in ext4 and there are several projects to offer automatic key management as part of login session (like pam_e4crypt). But as far as I can tell, encryption in ext4 is per-directory so it cannot be used in shared environment like /tmp to make other users’ files inaccessible.
That was about full disk encryption with BitLocker. Again, there are projects that integrate LUKS with TPM, but none of them can probably be easily integrated in openSUSE, nor does it solve your issue of protecting against other users’ access.