Is there some way I can unlock my btrfs encrypted disk using a graphical unlocking screen?

Basically I was setting up an on-screen keyboard so that I can use my PC in case I do not have a keyboard available. The only problem in the setup is that I can’t find any way to use an on-screen keyboard on the screen on which we enter the password to decrypt the disk.

Help please

  • Deckweiss@lemmy.world
    8 months ago

    Not sure that's possible. But there are some workarounds like using a keyfile on a USB or a YubiKey which can output a static password on long press. Or some other hack-around.

    Some relevant search results, the first one seems especially promising:

    https://forum.garudalinux.org/t/unlock-luks-with-a-touch-screen-on-screen-keyboard/24208

    https://www.reddit.com/r/Fedora/comments/a22ehu/fedora_29_luks_passwd_on_boot_with_touchscreen/

    https://www.reddit.com/r/SurfaceLinux/comments/9g5ooa/onscreenkeyboard_for_lukslvm_encryption/

    https://github.com/r-pufky/wireguard-initramfs

  • Björn Tantau@swg-empire.de
    8 months ago

    tldr: Use systemd-boot instead of grub to boot. And then unl0kr to give you an on-screen keyboard.

    A little more technical:

    Are you intending to use unl0kr for decryption? I used that on my Steam Deck. Whatever you use, it cannot use your normal graphical login. It has to be packed into the kernel’s initrd because when you want to decrypt your drive nothing else is available. I used unl0kr.

    You cannot use grub unless you have /boot on an unencrypted partition, because grub has its own decryption process which is very minimal. It does not have access to the kernel (which leaves you without any hardware acceleration for the decryption, making it very slow).

    Systemd-boot works by putting the kernel and initrd on the unencrypted EFI partition on /boot/efi.

    So you can either use grub with an unencrypted /boot or systemd-boot with everything copied onto EFI. Whatever you use, try to get to a state where you’re greeted with a slightly more pleasing passphrase entry, maybe on a plymouth bootscreen, instead of grub’s own ugly entry screen.

    When you have come so far you can try to get unl0kr to work.

    I don’t have the energy to type more but hopefully this can steer you in the right direction. Your actual login manager or desktop environment don’t factor into this at all.

    If you do want to only see the login prompt from your login manager you have to store the decryption key in TPM. No idea how that is set up but automatic decryption without typing in a passphrase sounds iffy to me.

    • EtherWhack@lemmy.world
      8 months ago

      They’re using full disk encryption, which won’t let any part of it be read (even its partition table to boot the OS) until a password is entered. A system using FDE will go straight from POST to a password prompt.

      A lot of people like FDE as it makes the encryption completely invisible to the OS and would normally have zero compatibility issues and be problem-free.