Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
Apple devices also need PIN/password
Date: 2023-12-05 07:19 am (UTC)
However: Apple devices also need PIN/password for the first login after reboot. Only after that, you can use biometrics for unlocking. (Windows Hello is different in that regard, but also considered much less secure, even though it is tied to the TPM 2.0.)
The same should work on a laptop with Gnome. When you log in the first time, it asks for the keyring password. But when the laptop is running or sleeping, you can unlock with biometrics because the keyring is already unlocked.
I wish I could log in and unlock the keyring on Gnome with my PGP smartcard. Authentication with PAM (libpam-poldi) works, but unfortunately no one wrote the glue code for unlocking the keyring.
It would be a perfect setup to decrypt both LUKS and later the keyring with PGP. Many people have Yubikeys, Nitrokeys etc. nowadays.