
proto_lambda | 2 years ago

If you rely only on TPM for key storage, yes, the disk is unlocked automatically and any sufficiently broken userspace application you can get your hands on will let you access it. You can still combine TPM+passphrase/PIN though, at the cost of having to enter it at boot.

worksonmine | 2 years ago

> at the cost of having to enter it at boot

Isn't this the entire point of full disk encryption? You mention cost, but what is even the benefit of encryption that's unlocked by just booting?

proto_lambda | 2 years ago

With properly functioning secure boot and no bugs in the entire software stack, it doesn't matter if the disk is decrypted automatically, since you can't access the system without OS-level authentication. If you tried to replace system files to let you get in anyway, the secure boot measurements would no longer match up and the decryption fails entirely.
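The mechanism proto_lambda describes in both comments (a disk key sealed to boot measurements, optionally also gated on a PIN) as a toy model; this is an added example, not code from the thread or from any real TPM stack. The PCR extend rule is the real one (SHA-256 of the old PCR value concatenated with the component's digest), but the boot-chain contents, the salt, the PIN and the seal/unseal wrapping are constructed stand-ins for what a TPM does internally. It shows why a TPM-only enrolment unlocks with no user present on a clean boot, why a modified kernel changes the PCR so the key is never released, and what adding a PIN changes.

```python
import hashlib
import hmac
from typing import Optional

# Constructed boot chain: each component's bytes are measured into one PCR in order.
BOOT_CHAIN = {
    "firmware": b"constructed firmware image v1",
    "bootloader": b"constructed shim+bootloader v2",
    "kernel": b"constructed kernel image v3",
}

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(component))."""
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(chain: dict) -> bytes:
    """Replay the measured boot: PCRs start at all zeros and every stage is extended in."""
    pcr = bytes(32)
    for name in ("firmware", "bootloader", "kernel"):
        pcr = pcr_extend(pcr, chain[name])
    return pcr

def policy_key(pcr_value: bytes, pin: Optional[str], salt: bytes) -> bytes:
    """Stand-in for the TPM policy: the wrapping key depends on the PCR value
    and, when enrolled with a PIN, on a PBKDF2-stretched PIN as well."""
    material = pcr_value
    if pin is not None:
        material += hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    return hashlib.sha256(salt + material).digest()

def seal(disk_key: bytes, expected_pcr: bytes, pin: Optional[str], salt: bytes):
    """Wrap the 32-byte disk key under the policy key; the HMAC tag lets unseal
    refuse outright on a policy mismatch instead of returning garbage."""
    wrap = policy_key(expected_pcr, pin, salt)
    ct = bytes(a ^ b for a, b in zip(disk_key, wrap))
    tag = hmac.new(wrap, ct, "sha256").digest()
    return ct, tag

def unseal(blob, actual_pcr: bytes, pin: Optional[str], salt: bytes) -> Optional[bytes]:
    """Release the disk key only if the current PCR value (and PIN, if enrolled) match."""
    ct, tag = blob
    wrap = policy_key(actual_pcr, pin, salt)
    if not hmac.compare_digest(hmac.new(wrap, ct, "sha256").digest(), tag):
        return None  # policy mismatch: the TPM does not hand out the key
    return bytes(a ^ b for a, b in zip(ct, wrap))

def evaluate(enrolled_pin: Optional[str]) -> dict:
    """Enrol the disk key against the clean boot chain, then try the scenarios
    from the discussion. Returns True where the disk would be unlocked."""
    salt = b"constructed-fixed-salt-16bytes!!"          # fixed so results are deterministic
    disk_key = hashlib.sha256(b"constructed disk key").digest()
    clean = measure_boot(BOOT_CHAIN)
    tampered = measure_boot(dict(BOOT_CHAIN, kernel=b"constructed kernel with modified files"))
    blob = seal(disk_key, clean, enrolled_pin, salt)
    return {
        "clean_boot_enrolled_pin": unseal(blob, clean, enrolled_pin, salt) == disk_key,
        "clean_boot_no_pin":       unseal(blob, clean, None, salt) == disk_key,
        "clean_boot_wrong_pin":    unseal(blob, clean, "0000", salt) == disk_key,
        "tampered_kernel":         unseal(blob, tampered, enrolled_pin, salt) == disk_key,
    }

if __name__ == "__main__":
    print("TPM only:   ", evaluate(None))
    print("TPM + PIN:  ", evaluate("1234"))
```

With `evaluate(None)` (TPM only) the clean boot unlocks with nobody typing anything, which is the property worksonmine is questioning; the tampered kernel still fails because its measurement changes the PCR. With `evaluate("1234")` the clean boot additionally needs the PIN, and the tampered kernel fails even with the right PIN. On systemd-based distributions the equivalent enrolment is what `systemd-cryptenroll --tpm2-with-pin=yes` sets up; the model above is only an illustration of the policy logic, not of the TPM's actual sealing primitives.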

yowai | 2 years ago

> You mention cost, but what is even the benefit of encryption that's unlocked by just booting?

Ideally, your login screen is secure and allows no bypasses into a shell or similar, so you cannot really access any files on the hard drive.

And if you modify some system files or boot another operating system to get around this, you are required to know the disk encryption password to get to them.