top | item 46939588

(no title)

vbezhenar | 21 days ago

The benefit is to not type encryption password on every boot. TPM stores the encryption key and Secure Boot ensures that the system is not tampered.

That said, I think that it's better to use alternative approach. Use unencrypted signed system partition which presents login screen. After user typed their username and password, only user home gets decrypted. This scheme does not require TPM and only uses secure boot to ensure that system partition has not been altered. I think that macOS uses similar approach.

discuss

cookiengineer|21 days ago

This whole assumption that TPM is a secure way to store things is ridiculously faulty. It's an interceptable i2c bus, and there's multiple tools available since 0.9 that can recover keys from both cold RAM boot and from interception of the i2c bus.

If your laptop gets stolen, the thief also has your keys and can also decrypt the hard drive, which the TPM storage initially was supposed to have been invented for to actively prevent.

digiown|21 days ago

It is quite hard to do this safely on typical Linux systems, since there is a substantial amount of writable system data (e.g. syslog, /etc, /var). If unencrypted they will leak data, and if encrypted there is little difference from just encrypting the root.

hparadiz|21 days ago

You encrypt the entire partition with LUKS. Not individual folders and files.

ndsipa_pomu|21 days ago

A typical linux system will have everything in one partition and even if you do like to split up the system (for historical re-enactment?) it wouldn't matter as you'd be encrypting the whole disk anyway.

ab71e5|21 days ago

Kinda like how I have it set up in linux except the system partition is the uki and the user password is LUKS2 passphrase