Štěpán Škorpil

3 years ago

Štěpán Škorpil
3 years ago

One of the good inpact of #Microsoft is pushing a laptop #security features that can be benefited also by #Linux.
For example #TPM2 can securely unlock your encrypted root linux drive without entering a password every time.
🔑 📀

skorpil.cz/en/project/42/mkini…

Mkinitcpio tpm2 encrypt

All my personal and company computers are powered by Arch Linux with encrypted storages. This setup brings an inconvenience of entering two passwords on startup. One unlocks the storage encryption, second logs me to my user account.

^{Štěpán Škorpil}

in reply to Štěpán Škorpil

Michel Salim

in reply to Štěpán Škorpil 3 years ago

how easy is it to turn off? Presumably you want to disable it before, say, shipping the laptop out or traveling with it

in reply to Michel Salim

Štěpán Škorpil

in reply to Michel Salim 3 years ago

Well, You can just (in the terminology of tpm2_tools) evict the persistent object, and tpm2 will no longer unseal the drive key.

in reply to Štěpán Škorpil

Michel Salim

in reply to Štěpán Škorpil 3 years ago

neat. I'm leaning towards not using FDE on my new installations unless mandated - hoping #Btrfs encryption will be ready soon - but I should probably try this with encrypted swap

#btrfs

in reply to Michel Salim

Štěpán Škorpil

in reply to Michel Salim 3 years ago

I like when a tool does one thing and does it well. And is standard so it can interoperate with other standard tools.
Encrypting in Luks, dividing volume using lvm, then storage ext. Especially in security where it is really hard to do it well.

in reply to Štěpán Škorpil

Herr Irrtum!

in reply to Štěpán Škorpil 3 years ago

Honest question: When the Mainboard fails (say short circuit) - can I still take the SSD out and read it with another computer?

in reply to Herr Irrtum!

Štěpán Škorpil

in reply to Herr Irrtum! 3 years ago

yes. Luks has 8 key slots. You can set one key to slot 1 and seal it by tpm and then have second access key in slot 2 for manual opening.
Actually you should do it this way, because if you update bios for example, tpm detects that bios was tampered with and does not unseal the key. In that situation it asks for a disk password during the boot. And you than need to reseal the key to tpm be able to unlock your drive again.

in reply to Štěpán Škorpil

Štěpán Škorpil

in reply to Štěpán Škorpil 3 years ago

Or if you mean the encryption it self, it is independent on mother board. You can just take the drive out, connect it to other computer and unlock it with command:
"cryptsetup open /dev/sdaX someName"

in reply to Štěpán Škorpil

Herr Irrtum!

in reply to Štěpán Škorpil 3 years ago

thanks for the prompt explanation! Ah, it's Luks-based in the end. That makes sense, I'm familiar with the LUKS keyslot mechanism. Thanks again; the article is very well done 👍 !

⇧

Štěpán Škorpil 3 years ago • •

Štěpán Škorpil
3 years ago