One of the good impacts of #Microsoft is pushing laptop #security features that can also benefit #Linux.
For example, #TPM2 can securely unlock your encrypted root Linux drive without entering a password every time.
🔑 📀 :linux:
skorpil.cz/en/project/42/mkini…
in reply to Štěpán Škorpil

how easy is it to turn off? Presumably you want to disable it before, say, shipping the laptop out or traveling with it
in reply to Michel Salim

Well, you can just (in the terminology of tpm2_tools) evict the persistent object, and TPM2 will no longer unseal the drive key.
in reply to Štěpán Škorpil

neat. I'm leaning towards not using FDE on my new installations unless mandated - hoping #Btrfs encryption will be ready soon - but I should probably try this with encrypted swap
in reply to Michel Salim

I like when a tool does one thing and does it well. And is standard so it can interoperate with other standard tools.
Encrypting in LUKS, dividing volume using LVM, then storage ext. Especially in security where it is really hard to do it well.
in reply to Štěpán Škorpil

Honest question: When the mainboard fails (say short circuit) - can I still take the SSD out and read it with another computer?
in reply to Herr Irrtum!

Yes. LUKS has 8 key slots. You can set one key to slot 1 and seal it with the TPM and then have a second access key in slot 2 for manual opening.
Actually you should do it this way, because if you update the BIOS for example, the TPM detects that the BIOS was tampered with and does not unseal the key. In that situation it asks for a disk password during the boot. And you then need to reseal the key to the TPM to be able to unlock your drive again.
in reply to Štěpán Škorpil

Or if you mean the encryption itself, it is independent of the motherboard. You can just take the drive out, connect it to another computer and unlock it with the command:
"cryptsetup open /dev/sdaX someName"
in reply to Štěpán Škorpil

Thanks for the prompt explanation! Ah, it's LUKS-based in the end. That makes sense, I'm familiar with the LUKS keyslot mechanism. Thanks again; the article is very well done 👍!