Written by mrtorrent the 27 Jul 11 at 08:40.

Require a user to login (e.g. by entering their username and password, plugging in a key device, etc.) at the beginning of the boot process and use these credentials to both decrypt the disk and log the user in, thereby cutting down authentication to a single step and allowing the boot process to complete without further user intervention. This would also eliminate the need for disseminating a shared secret (the encryption key) and open up the possibility of managing which users have permission to decrypt the disk.

I believe the rough technical implementation would be to store the encryption key for the disk on the boot partition, itself encrypted by each user's login credentials.

There of course should be options to use the old method of entering a passphrase, or a security device, or some combination of methods.

This is all inspired by the release of Apple's most recent OS version, Lion, which handles full-disk encryption in roughly this way, and is therefore a lot more usable.

Require a user to login (e.g. by entering their username and password, plugging in a key device, etc.) at the beginning of the boot process and use these credentials to both decrypt the disk and log the user in, thereby cutting down authentication to a single step and allowing the boot process to complete without further user intervention. This would also eliminate the need for disseminating a shared secret (the encryption key) and open up the possibility of managing which users have permission to decrypt the disk. I believe the rough technical implementation would be to store the encryption key for the disk on the boot partition, itself encrypted by each user's login credentials. There of course should be options to use the old method of entering a passphrase, or a security device, or some combination of methods. This is all inspired by the release of Apple's most recent OS version, Lion, which handles full-disk encryption in roughly this way, and is therefore a lot more usable.

Written by ester4 the 31 Aug 11 at 10:18.

For those users on multi-user machines, the account login could serve as the decryption key and account login.

But for single-user machines with a really long decryption key password (like 50 digits), then the account-login could be told to auto-login. This auto-login would functionally behave exactly like if the user had typed in the account-login.

For those users on multi-user machines, the account login could serve as the decryption key and account login. But for single-user machines with a really long decryption key password (like 50 digits), then the account-login could be told to auto-login. This auto-login would functionally behave exactly like if the user had typed in the account-login.

Written by cfwk the 28 Sep 11 at 23:40.

Use TokenTube: http://sourceforge.net/projects/tokentube/
This solution already suppports PreBootAuthentification and an unlimited number of users for LUKS/dm-crypt encryption.

Use TokenTube: http://sourceforge.net/projects/tokentube/ This solution already suppports PreBootAuthentification and an unlimited number of users for LUKS/dm-crypt encryption.