top | item 28628569

(no title)

The solution is to use an HSM such as the Nitrokey/Purism Librem Key (same thing) that has a LED that lights up if boot integrity is fine, including a TPM secret matching (maid can't clone that).

https://www.youtube.com/watch?v=O_3Xf3gTzEE

https://www.youtube.com/watch?v=K1O-33pi33M

https://www.youtube.com/watch?v=SB82Ul_A1js

discuss

rcthompson|4 years ago

This is essentially the same solution, right? It boils down to having a single device that verifies the integrity of everything and never letting that device out of your sight. It's just marginally easier to do that when the device in question is an HSM rather than a laptop.