Synced LUKS Boot and User Passwords

I made a password change tool to keep your user password and encrypted boot password the same on Linux and made it available on GitHub.

I recently swapped to an Ubuntu Linux laptop as my main machine and wanted to make my boot and user login passwords the same as this would be a one-user machine. This was one thing I missed about my Mac, the boot experience where my boot password was the same as my user password and I was auto-logged in after booting but still had a password if I locked my screen.

The only real thing needed here was a tool to use instead of passwd that would push the new password to LUKS and the normal user password.

So I made a tool that is effectively a wrapper around the native tools for each, and made it available on GitHub.
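The wrapper approach described above, sketched as an added example; this is not the author's tool or code from its repository. It assumes cryptsetup luksChangeKey and chpasswd as the native tools; the function names, the KEYDIR variable, the return codes and the rollback step are this example's own choices.

```shell
#!/bin/bash
# Added example, not the author's tool. Assumptions: cryptsetup and chpasswd
# are the native tools, and OLD currently unlocks the LUKS device.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}   # overridable so the flow can be dry-run
CHPASSWD=${CHPASSWD:-chpasswd}
KEYDIR=${KEYDIR:-/dev/shm}             # tmpfs: key files stay off the disk filesystem

# write_key FILE SECRET: a key file is used verbatim, so write no trailing
# newline or it will not match the passphrase typed at the boot prompt.
write_key() { ( umask 077; printf '%s' "$2" > "$1" ); }

# sync_passwords USER LUKS_DEVICE OLD NEW   (run as root)
# Returns 0 both changed, 1 OLD rejected, 2 LUKS change failed,
# 3 account change failed and LUKS rolled back, 4 rollback failed too.
sync_passwords() {
    local user="$1" dev="$2" old="$3" new="$4" rc=0 tmp
    tmp=$(mktemp -d "$KEYDIR/pwsync.XXXXXX") || return 2
    write_key "$tmp/old" "$old"
    write_key "$tmp/new" "$new"
    # 1. Prove OLD opens a keyslot before changing anything.
    if ! "$CRYPTSETUP" open --test-passphrase --key-file "$tmp/old" "$dev"; then
        rc=1
    # 2. Swap the keyslot; secrets travel in 0600 files, never in argv.
    elif ! "$CRYPTSETUP" luksChangeKey --key-file "$tmp/old" "$dev" "$tmp/new"; then
        rc=2
    # 3. Set the login password; printf is a shell builtin, so user:password
    #    reaches chpasswd over stdin only.
    elif ! printf '%s:%s\n' "$user" "$new" | "$CHPASSWD"; then
        # 4. Put the old passphrase back so disk and login stay in sync.
        if "$CRYPTSETUP" luksChangeKey --key-file "$tmp/new" "$dev" "$tmp/old"; then
            rc=3
        else
            rc=4
        fi
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

On a real system the device argument is the partition that lsblk -f reports as crypto_LUKS, and a return code of 4 means the disk and login passwords now differ and need fixing by hand.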

This should work on most Linux systems using LUKS and systemd, which is most of the mainstream ones these days. However, I only have my Ubuntu laptop to test with.

I also changed the settings so that the desktop starts as logged in after boot with no password, so my user experience is that I type in the disk decryption key and it boots straight to my desktop. The password (or biometric) is still required to unlock the screen once it’s locked or the screensaver starts.

In the case of biometrics, Ubuntu offers it for the lockscreen if the hardware supports it. To enable biometric authentication for things like sudo or an “authentication required” screen I ran sudo pam-auth-update and enabled my XPS’s fingerprint PAM module.

Update: I ended up undoing the enabling of the biometrics PAM module, as it seemed to make GUI logins unreliable when completely logged out.

Photo Credit: https://www.flickr.com/photos/kevinshine/10597406823

Author

Eldridge Alexander

I am the Associate Director of Cloud Security at Gemini. Formerly employed at Duo Labs, Cloudflare and at Google. Technologist, magician, designer, musician, videographer, blogger, and avid sweet tea drinker.