Hello. You know that a "disadvantage" of wanting to have a LUKS volume decrypted at system startup is that a passphrase must be provided interactively. Since this is somewhat cumbersome, there are many methods that allow this passphrase to be supplied non-interactively using some type of keystore (systemd-cryptenroll, Tang/Clevis, etc.). My question is: what is the point of having an encrypted disk, then, if it will be automatically decrypted when the system boots? A thief who steals my laptop with this automatic configuration would not have any impediment to accessing it! I'm missing some point here. Thank you so much.
Well, first off, while you can configure it that way, I don't think that is the primary use-case. The primary one is *adding* a "something you have" factor to the "something you know" factor. If you have servers in a controlled, surveilled environment, you might be less worried about someone carrying a whole machine away, and you might be more concerned with someone just pulling a disk out and intentionally or unintentionally leaking the data.
If someone can infiltrate your DC and take out a 4U server, then you have bigger problems to worry about.
If it boots, then you (or the thief) need to provide credentials. When not booted, the disk is encrypted, so the thief cannot overwrite the /etc/shadow file.