
Thread: Full Drive Encryption without Passprompt

  1. #11
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Full Drive Encryption without Passprompt

    With Ubuntu encrypted home, when you log in as a user it uses your login pwd to decrypt a stored key that is then used for encrypting/decrypting the home files. So you only log in as usual to have access to your files. On disk without being logged in (as root even, or if mounted on another machine) the files remain encrypted.

    If you put your sensitive files there then they should be safe unless a user can log in.

    Ecryptfs can be installed for alternate uses as well but the simplest ready-to-use mode is when chosen during install as encrypted home.

    If you want to do this without requiring any kind of login then I don't see any way on any system that the encryption key cannot be found and used. It may depend on obscurity to hide away the key but someone with knowledge will know where to look. At some point there has to be something that decides who has access and who doesn't.

    With Truecrypt I think the idea would be to store the auto-mount info in the user's encrypted home so that logging in gets access to info needed to mount the Truecrypt drive.

  2. #12
    Join Date
    Nov 2009
    Beans
    16

    Re: Full Drive Encryption without Passprompt

    Quote: Originally Posted by Bill.Scott
    Don't know what to tell you...
    We use a product called Safeguard (a Windows-only product) on laptops, etc. (mobile devices). This product does full disk encryption (except for the loader) and can prompt for pre-boot authentication, but we opt for it not to, as by encrypting the disk, using password crackers is useless, and unless you know the actual password for an account you are not gaining access to the data stored on the system.

    Looking for a product offering the same level of protection for Linux/Ubuntu.

    Giving out the encryption key would provide the same level of access to someone mounting the drive as a secondary without encryption as they would have the key to un-encrypt the drive.
    Lots of good that would do!!!
    What you have described has to be one of the dumbest, most worthless FDE implementations I have ever seen if you have indeed described it correctly.

    If it is able to decrypt the drive without prompting for a password, that means it is storing the key in the clear somewhere. So it is, at best, security through obscurity.

    Unless you're not telling us something, such as whether it uses some sort of keyfile approach. (e.g. key stored on removable media)

    To obtain the same level of protection (read - very little beyond just not encrypting it in the first place) in Linux, try seeing if dm-crypt will let you use a fixed key stored on the hard drive somewhere.
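
The difference the two posts above describe, as an added example that is not part of the thread: a volume key wrapped under the login passphrase versus a key left on disk for unattended unlock. It is a simplified model built on Python's standard library, not the on-disk format of eCryptfs or dm-crypt; all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional


def _derive(passphrase: str, salt: bytes) -> tuple:
    # Key-encryption key and MAC key derived from the login passphrase.
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return kek[:32], kek[32:]


def wrap_key(volume_key: bytes, passphrase: str) -> dict:
    """Return what is written to disk: salt, wrapped key and MAC, never the key."""
    if len(volume_key) != 32:
        raise ValueError("this model wraps 32-byte keys only")
    salt = os.urandom(16)  # fresh salt, so the XOR pad is used once
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(blob: dict, passphrase: str) -> Optional[bytes]:
    """Recover the volume key at login; None if the passphrase is wrong."""
    pad, mac_key = _derive(passphrase, blob["salt"])
    expect = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def key_from_disk_only(disk: dict) -> Optional[bytes]:
    """Model a drive mounted on another machine: only disk contents are known."""
    if "keyfile" in disk:
        return disk["keyfile"]  # unattended unlock: the key is simply read
    return None  # wrapped key: useless without a secret that is not on the disk


if __name__ == "__main__":
    vk = os.urandom(32)  # constructed sample volume key
    prompted = {"wrapped_key": wrap_key(vk, "constructed-login-passphrase")}
    unattended = {"keyfile": vk}
    print("passphrase-wrapped, disk only:", key_from_disk_only(prompted))
    print("keyfile on disk, disk only:   ", key_from_disk_only(unattended) == vk)
```
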
