top | item 33514673


nutto | 3 years ago

BitLocker does this much better. With TPM+PIN mode, the TPM will only decrypt the volume master key if all the right hashes are in the platform configuration registers for the BIOS, option ROMs, MBR, filesystem headers and bootloader, and the user-specified PIN is correct. Or if you enter the 128-bit recovery key.

The BSDs and Linux have a lot of catching up to do.


anthk | 3 years ago

> The BSDs and Linux have a lot of catching up to do.

Stop putting every BSD in the same basket.

Also, this is Unix; you can set up encrypted slices/partitions with ease. You can skip encrypting the system files and encrypt the data and config partitions.

But FDE avoids tampering.

orangepurple | 3 years ago

So if your motherboard needs to be replaced you can't recover your data? Nice!

nijave | 3 years ago

It's effectively just multiple key protectors. TPM+PIN is one way to protect the data encryption key. You can also back up the actual encryption key (which is the recovery key). You can also add a password that protects the key, or back the key up to an online Microsoft account or enterprise Active Directory account.
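
The multiple-protector model described above, shown with the built-in BitLocker PowerShell cmdlets (an added example, not code from the thread). It assumes an elevated session on a Windows machine where C: is already BitLocker-enabled, and that the machine is domain-joined if the AD DS backup line is used.

```powershell
# Added example: list the key protectors on the OS volume, make sure both a
# TPM+PIN protector and a recovery password exist, and escrow the recovery
# password. Assumes C: is already encrypted and the session is elevated.
$volume = Get-BitLockerVolume -MountPoint "C:"

# Each protector is an independent way to release the volume master key.
$volume.KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId, RecoveryPassword |
    Format-Table -AutoSize

# TPM+PIN: the TPM unseals the key only when the measured boot chain matches
# the sealed PCR values AND the user supplies the correct pre-boot PIN.
if (-not ($volume.KeyProtector.KeyProtectorType -contains 'TpmPin')) {
    $pin = Read-Host -AsSecureString -Prompt "Enter pre-boot PIN"
    Add-BitLockerKeyProtector -MountPoint "C:" -TpmAndPinProtector -Pin $pin | Out-Null
}

# Recovery password: the fallback that still works after a motherboard/TPM
# replacement or a firmware change that alters the PCR measurements.
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow every recovery password so loss of the device does not mean loss of
# the data. Use the on-prem AD DS cmdlet, or the Azure AD / Entra ID one.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId
    # BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId
}
```

Re-running the first block after the changes shows the TpmPin and RecoveryPassword entries side by side, which is the "multiple key protectors" the comment refers to.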

nutto | 3 years ago

No, you would use the recovery key in that scenario.