Linux Without Passwords


I hate typing passwords. I think everybody does. I fat-finger one wrong letter nearly every time I enter one. What a colossal waste of time.

And then there’s the security aspect. Passwords are bad and I’m going to great lengths to get rid of them.

Today I’m going to share how I achieved a passwordless experience on my Linux machine.

There are several distinct parts of a Linux session where a password might be needed and could be replaced. I’ll treat them one-by-one. They are usually orthogonal, so each of them can be applied independently of the others.

Data at rest

That’s our data when the machine is switched off. This is more important for portable devices than for desktop PCs. However, it’s good practice to care anyway. The standard technology on Linux to encrypt data at rest is LUKS. I’m using it for my hard drive and my backups.

I followed this great tutorial (German) to set up systemd-cryptenroll with my FIDO hardware security tokens. I’ve set it up in a way where I need to enter the PIN of my FIDO token. I feel like that’s a good compromise, because I don’t reboot my PC super often and the added security seems worth the hassle of typing the PIN.

It worked like a charm. I’ve enrolled both of my tokens. I still have my password in case something goes horribly wrong or in case I don’t have my key on me. I’ve never used it since I’ve completed the setup though.

User session

Linux is a multi-user system. Users have to authenticate with the system. This stops other users from logging into accounts that don’t belong to them. The classic way to authenticate is via passwords. But Linux supports many more methods.

Enter PAM, a modular framework for user authentication in Linux. You can create all sorts of crazy flows, where a user needs a password AND a second factor token, or a GPG identity, etc.

However, I want a simple one:

  1. Ask the user for a FIDO access token. If that works, authenticate them.
  2. Fallback: ask for a password.

I followed this very nice tutorial to set it up. Took a couple of minutes and worked instantly.

Crucially, I don’t require a PIN for PAM authentication. This means that I only need to touch the token whenever I’m unlocking my display, using sudo, etc. This is very convenient and in my opinion safe enough, since I require the PIN to boot my laptop and since I carry the security token with me all the time.
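As an added example (not part of the original post), here is a small POSIX-sh audit helper for the two settings described above: the crypttab entry that lets systemd unlock the LUKS volume with a FIDO2 token (the enrolment itself is done with `systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/<luks-device>`), and a PAM service file implementing the "token first, password fallback" flow with the pam_u2f module. The sample file contents, the `/etc/u2f_mappings` path and the volume name are constructed for the example. The PAM check confirms that pam_u2f is marked `sufficient` (so a failed or missing token falls through to the password instead of locking you out) and that it is evaluated before the password modules; `pinverification=0 userpresence=1` is the touch-only setting the post describes.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "FIDO first, password fallback"
# PAM flow and the FIDO2-backed crypttab entry. Assumes Yubico's pam_u2f module and a
# Debian-style "@include common-auth" (or a later pam_unix.so line) as the password path.

# Constructed sample of /etc/pam.d/sudo with the flow in place (authfile path is an assumption).
SAMPLE_PAM_SUDO='auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=0 userpresence=1
@include common-auth
@include common-account
@include common-session-noninteractive'

# Constructed sample of /etc/crypttab after systemd-cryptenroll: no key file, token via options.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
cryptroot UUID=PLACEHOLDER-UUID none fido2-device=auto,luks'

# pam_flow_ok FILE
# Returns 0 when FILE has an "auth sufficient pam_u2f.so" line that appears before the
# password modules (@include common-auth or a pam_unix.so auth line); 1 otherwise.
pam_flow_ok() {
    file=$1
    u2f_line=$(grep -n -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_u2f\.so' "$file" | head -n1 | cut -d: -f1)
    pw_line=$(grep -n -E '^[[:space:]]*(@include[[:space:]]+common-auth|auth[[:space:]].*pam_unix\.so)' "$file" | head -n1 | cut -d: -f1)
    [ -n "$u2f_line" ] || return 1   # no token module, or it is "required" (would demand token AND password)
    [ -n "$pw_line" ] || return 1    # no password fallback: losing the token means losing the account
    [ "$u2f_line" -lt "$pw_line" ]   # the token must be tried first, otherwise the password is asked every time
}

# pam_touch_only FILE
# Returns 0 when the pam_u2f line asks for presence only (pinverification=0), as in the post.
pam_touch_only() {
    grep -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_u2f\.so.*pinverification=0' "$1" >/dev/null
}

# crypttab_fido2_ok FILE
# Returns 0 when a non-comment entry uses no key file and has fido2-device= in its options.
crypttab_fido2_ok() {
    awk '!/^[[:space:]]*#/ && NF >= 4 && ($3 == "none" || $3 == "-") && $4 ~ /fido2-device=/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# report LABEL STATUS: human-readable line for interactive use.
report() {
    if [ "$2" -eq 0 ]; then echo "OK   $1"; else echo "FAIL $1"; fi
}
```

To audit a real machine, call the helpers on the live files, for example `pam_flow_ok /etc/pam.d/sudo; report "sudo: token first, password fallback" $?` and `crypttab_fido2_ok /etc/crypttab; report "crypttab: FIDO2 unlock" $?`. The ordering check matters because PAM stops at the first `sufficient` module that succeeds; with `required` instead, or with the token line placed after the password include, you would end up typing the password anyway.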

GNOME keyring

GNOME keyring is the secrets service of the GNOME desktop. That’s where applications store secrets; for example, your mail program would store your account credentials there. The GNOME keyring is password-protected. However, once unlocked, every program running under your user can access all secrets in the keyring. That’s quite different from how other systems like Android or macOS work. And honestly, it doesn’t follow best practices. There’s a plan to improve matters, but that’s going to take a while.

The password serves as data-at-rest protection only. The classic setup reuses the user password for the keyring, and GDM will automatically unlock GNOME keyring in this case. But do we need data-at-rest protection here? In my case no, because:

  1. The whole system is protected via LUKS.
  2. Only I have access to the LUKS volume.

So, the solution is simple: Remove the password. How beautiful.

Summary

When I boot my system, I enter my PIN and touch the token. My user has autologin enabled, so that’s enough to arrive at a working desktop. Any further action, like sudo or a screen unlock, requires a mere touch of the token.

Frankly, I started the passwordless journey to improve security. Security improved, that’s clear, but I also got an additional huge benefit. It’s so convenient. A game changer. I will never go back to passwords.