That depends on the use case. For drive encryption, a centrally assigned and managed password is fine. It provides for protection of data at rest while also ensuring that a single point of failure (the user) won’t remove access to the data contained on the encrypted volume. Since it’s not intended to prove identity, that risk needs to be mitigated by a different control.
At most organizations I have worked at (both IT and cybersecurity), decryption keys will be centrally managed. With some technologies (e.g. Bitlocker), it’s possible to have multiple passwords which can be used to decrypt the drive, and it could be possible for the user to have one only they know. However, there isn’t a logging mechanism to verify which password was used to unlock the drive, leaving the issue of non-repudiation. This could probably be fixed by having some sort of system which logs which user unlocked the drive, but that would be a very hard thing to do securely. Any such log would need to be in a space the bootloader can reach and write to, and now that location needs to be secured in a way which prevents a malicious actor from modifying the log. At that point, we’re quickly arriving at having TPM and we might as well go whole hog and just do TPM and secure boot. Which is a great bit of technology; but, now only proves that the system hasn’t been tampered with.
As a tangent, the reason most organizations centrally manage drive encryption keys is the need to unlock the drive, in the event the user is no longer able to. If you win the lottery, turn your laptop in and run off to parts unknown, the organization may want to unlock the laptop to recover anything you were working on. So, they need access to the decryption key.
Ultimately the problem is that the encryption password and your user account password are solving different security problems and there isn’t a lot of good overlap between the two.
It’s Yahweh’s laws but the mythology has it provided by Moses in his sermons to the Israelites. As for Christians ignoring bits of it, part of that is based on saying attributed to Jesus in the gospels (e.g. the bit from Mark I quoted above) and also the simple fact that most religions update themselves as society changes. If anything, I think the Catholic church was smart to have a leader who could receive “new revelations from God”. It lets them update canon, while maintaining the illusion that they aren’t just making shit up to stay relevant.
I would be surprised if they were borrowing ideas from other cultures in the area (and vice versa). The various peoples in Mesopotamia were interacting regularly; so, some back and forth of ideas is to be expected. Though as a law code, Deuteronomy seems like it would be more home grown.
If the device is encrypted and single-user there is no good reason to require further login after the first.
The reason is non-repudation. Ignoring the fact that the drive’s encryption should have been handled by TPM and not be bothering the user, the drive encryption password does not establish who is using the laptop, only that they know the unlock password. Unfortunately, those unlock password are usually centrally assigned and managed, which means that they are not something that only the user knows. Also, it doesn’t have a good second factor. If the laptop is stolen, there is nothing keeping an attacker out, if they know the password. Their account, on the other hand, should have a password only the user knows. Yes, central IT can reset the password, but this creates logs which show the reset and can be used to prove that the password was reset, and who reset it. And the user’s password can be backed up with a second factor. So, a stolen laptop isn’t an easy on-ramp to the organization’s network.
As for logins after that, it gets harder to justify. OS, email and most web portal logins should be handled via SSO. For most users, this should mean that their drive gets decrypted via TPM, they type their password into the OS login prompt, deal with 2FA and that’s it. For users with admin access to stuff, there will be a separate login step when they need to elevate permissions, but that should largely be limited to IT staff and developers. For the original poster, it sounds like their organization’s IT is being run on a shoestring by someone who either doesn’t know or isn’t allowed to do it well.
Deuteronomy is originally from the Hebrew Bible. According to Jewish mythology, the book is from the sermons of Moses. Though, it’s believed to be much more recent (something like a 1000 years) than the time period where the figure of Moses (or the person(s) he was based on) would have existed. But, even taking Jewish and Christian mythologies at their word, Jesus had nothing to do with that rule. Also, Jesus probably meant for this rule to end for adherents of Christianity.
Mark 7:14-23:
14 Again Jesus called the crowd to him and said, “Listen to me, everyone, and understand this.
15 Nothing outside a person can defile them by going into them. Rather, it is what comes out of a person that defiles them.”
17 After he had left the crowd and entered the house, his disciples asked him about this parable.
18 “Are you so dull?” he asked. “Don’t you see that nothing that enters a person from the outside can defile them?
19 For it doesn’t go into their heart but into their stomach, and then out of the body.” (In saying this, Jesus declared all foods clean.)
20 He went on: “What comes out of a person is what defiles them.
21 For it is from within, out of a person’s heart, that evil thoughts come—sexual immorality, theft, murder,
22 adultery, greed, malice, deceit, lewdness, envy, slander, arrogance and folly.
23 All these evils come from inside and defile a person.”
So, feel free to boil a young goat in its mother’s milk. Jesus is A-ok with that.
Sorry, just recognized my typo, I meant to say “I wouldn’t be surprised…”., Not sure how I missed that.