I have set up my Fedora to use LUKS encrypted partitions. But entering two passwords gets quite tiring, as I shut down my laptop quite often to get the benefit of LUKS (I am assuming nothing is encrypted when in suspend, please correct me if I am wrong).

I am thinking about setting up TPM auto-decrypt. However, I was wondering: does the decryption happen on boot or after I log in?

If it happens on boot, then it seems like the benefit is pretty limited compared to an unencrypted drive, since the attacker can simply boot my laptop and get the unencrypted drive.

Am I missing something here? I was wondering, is there a way for me to enter my password once and unlock everything, from disk to GNOME Keyring?

  • baseless_discourse@mander.xyz (OP)
    8 months ago

    Oh! That makes much more sense! Thanks!

    Then I guess there is not much point in encrypting both the full disk and the home dir together (if I trust that the GNOME login screen cannot be bypassed), since the data is always encrypted when it is on the disk.

    • Laser@feddit.de
      8 months ago

      In a single user context where the only user is also the administrator, full disk encryption has no disadvantages to home directory encryption AFAIK.