Why does Qubes have 2 passphrases? (disk encryption & login)

I’ve always wondered why there are two passphrases: one for the disk encryption and one for the user account.

Is there any particular reason why one can’t just have the same password for both and have autologin? For non-technical users this would be a major step in making Qubes a bit less weird.

3 Likes

Is there any particular reason why one can’t just have the same
password for both and have autologin? For non-technical users this
would be a major step in making Qubes a bit less weird.

You can today and don’t even need two passphrases. Simply edit
/etc/lightdm/lightdm.conf and set

autologin-user = user
autologin-user-timeout = 0

That way you’ll boot right into XFCE after unlocking the disk. Doing so
for years. I see no point in having to authenticate right after
authenticating.

UPDATE: I see myself convinced by new evidence and will disable autologin immediately. I would also strongly recommend anyone reading this to not enable it or if already using it to disable immediately.

4 Likes

Regarding the first question, for users already using PS/2 keyboard (or one that doesn’t go through usb) I don’t see any downsides to use the same passphrase, actually it’s probably better for the user so they can use an strong single password instead of 2 that could be weaker in order to remember it. If using usb controller, then the issue is a bit more complicated as compromising sys-usb could lead to some sophisticated attacks where the password is keylogged while entering on the screensaver and if the attacker can get it out of sys-usb, they could decrypt the system if having physical access to the computer.

This can be mitigated though, using disposable sys-, minimal templates for sys-, and if available, creating another sys-usb that will host they keyboard only with a dedicated usb controller.

Regarding the second question, I agree with @Sven and completely see no downside to have it enabled by default, after all, the user just entered the decryption password a few seconds ago (and with the system decrypted you can do anything)

2 Likes

I’d like to agree, but did experience some X crashes/unexpected restarts in the past that would have left the desktop unprotected with autologin.

Most screensavers are X child processes that terminate on X shutdown.

If you run a non-X screensaver (e.g. physlock), you might be better off.

As usual, it’s just another layer of protection.

See it like deeplow and understand Sven’s view. So in the end - a single checkbox (for autologin) during installation would do it for (new) users I guess.
In the end it depends to everyone, how to use qubes in the end. Yes, and if you get a checkbox during install, you also should have a checkbox in settings to disable auto login again.
Just to pass the editing of /etc/lightdm/lightdm.conf comfortable.

1 Like

This is exactly it. Actually I found a github issue related to this :slight_smile:

1 Like

Picking up the original question, I’m surprised this is thought to be
weird. It depends on where you are coming from, I suppose.
It’s common in Linux, often seen in Windows, and even in Macs if you use
FileVault.

Why are there two passphrases? Because they serve different purposes.
The disk passphrase unlocks your disk. It protects you against someone
grabbing your machine while it is down, and accessing the data.
The user password (primarily) protects your system when you are using
it, but have stepped away. It unlocks an already decrypted system.

Why have separate passphrases? Just an added layer. Anyone watching you
during the day is likely to pick up your user password, unless you take
defensive measures. They only get one chance to grab your disk
passphrase.

Autologin is great if you can guarantee that you will always
be present after entering decryption. If the routine goes:

  1. Enter decryption passphrase.
  2. Get another cup of coffee.

  3. Not so great.
1 Like

Two things:

  • FileVault forces you to use your user password for the exact reason (it will log you straight in after you unlocked the disk)

  • I am unclear on this: if my screen is lcoked, can a attacker crash X11 and does that really result in an autologin?

If you care about your security so much, you should just never leave your laptop unattended without a password. I don’t see how the second password will stop a dedicated attacker, when you hard drive is unencrypted.

For most people, the autologin saves a lot of unnecessary troubles. Currently, enabling it is not a user-friendly pocedure. I would make it default.

1 Like

Yes.

I e.g. observed Xorg crashes whenever I put my laptop in my dock - pretty
simple 1min attack for an attacker. So re-initializing faulty display drivers are a good bet to crash Xorg.

2 Likes

I see myself convinced by new evidence and will disable autologin immediately. I would also strongly recommend anyone reading this to not enable it or if already using it to disable immediately.

1 Like

Shouldn’t you just never rely on the screen lock and switch off your laptop when unattended? How autologin will harm here?

2 Likes

I can only answer for myself. When I am going away for a longer period or I move the computer of course I power it off … never suspend.

But as @unman pointed out … what about the bathroom break or fetching another coffee? At home that might not be an issue, but at the office you lock the screen … shutting the whole thing down every time you leave your desk seems unpractical.

1 Like

Which is why hibernation/hibernation-emulation or suspend with hard drive encryption should imho have higher priorities. Second passphrase is just a security theater in my opinion. I would certainly prefer the first, since it also provides a possibility to switch the device off without losing the state.

1 Like

just a sidenote & off topic:
IF I let my desk open (even just for a toilet break or fetching another cup of coffee), we (at DHL office) agreed, somebody other (who finds the desk open) can leave a full Pizza order for the entire department ON MY name…

This happened to me once! Guess what I do now, every time?

1 Like

I agree completely with you, honestly I don’t see any issue with autologin either. If the issue is with X.Org crash then how is disabling autologin going to help after you manually lock the screen? If we’re talking about boot, then you either: a) don’t leave your computer while it’s booting up b) if you really need to leave, force shutdown and resume later

I think the point was that you could crash it and it would restart and automatically log in. There is a difference between crashing just XScreensaver, which is more difficult, and crashing everything, which apparently (see a comment above) can be much easier.

Is there a way to reproduce the behavior you’re mentioning? I just did some tests killing X.Org and when it restarted I was in the Greeter screen being asked to log in, autologin didn’t happen like when booting up first time.

(see a comment above) can be much easier.

Exactly.

So if you want autologin, you better disable Xorg auto restarts (probably
somewhere in the systemd config). That should in theory leave the system at a PAM logon or an unusable console on X restart. You should probably test that though…

Having that as default… I don’t know. Automatic X restarts can also be useful and scare users less than a black blinking screen (“Why are my windows gone? Am I pwned? Is Qubes broken?” etc.).

Currently, the second passphrase is used for two different things: (1) logging into the desktop environment (Xfce4 by default) and (2) the screen locker (XScreenSaver by default).

Are you only referring to (1), or are you also saying you don’t believe screen lockers provide any security benefit at all?

1 Like