I swear this used to work but now it apparently doesn’t any more?
With Fedora at least, it used to be that if you installed with LUKS encryption and enabled auto-login, it’d set your keychain passphrase as your LUKS one, and fetch it at boot so the keychain would still be unlocked on startup/autologin.
Now, it seems to instead set the keychain password as the user login phrase you enter during the first boot setup wizard, and no matter what I do, it won’t unlock with auto login now.
I’ve installed seahorse, and tried both manually changing the keychain passphrase back to the LUKS one, and also changing the user/login passphrase to match the LUKS and keychain one. I’ve even tried a totally fresh installation (on both 36 and 37), with all passwords set exactly the same.
What gives? Was this deliberately changed (I can’t find any reference to it)? Because it’s super annoying.
(No, don’t tell me to set it to have no password, that’s stupid insecure, and yeah, I’m aware of the bug where PAM would capture incorrect passwords if you typed them in first - that’s not what’s going on here)
I don’t think so. Your keyring password needs to match your user account password or it won’t auto-unlock.
The trick is to make sure your user account password matches your LUKS passphrase. They’ve got to be the same. When they’re the same, everything will work properly.
The future strategy will be to use home directory encryption instead of LUKS, plus some separate encryption for /etc and /var, so that LUKS becomes a corner case that is no longer important. I don’t think we’ll ever be able to make LUKS user-friendly enough to be a default.
I’m not familiar enough with how this works (or is supposed to work) on Fedora and which components are involved in ensuring the password ends up in the kernel keyring by the time the GDM PAM module tries to read it, so I don’t want to point to anything specifically.