Skip to main content

One of the good inpact of #Microsoft is pushing a laptop #security features that can be benefited also by #Linux.
For example #TPM2 can securely unlock your encrypted root linux drive without entering a password every time.
🔑 📀 :linux:
skorpil.cz/en/project/42/mkini…

Mkinitcpio tpm2 encrypt

All my personal and company computers are powered by Arch Linux with encrypted storages. This setup brings an inconvenience of entering two passwords on startup. One unlocks the storage encryption, second logs me to my user account.
Štěpán Škorpil
#linux #security #microsoft #TPM2
in reply to Štěpán Škorpil

Michel Salim
Michel Salim
how easy is it to turn off? Presumably you want to disable it before, say, shipping the laptop out or traveling with it
in reply to Michel Salim

Štěpán Škorpil
Štěpán Škorpil
Well, You can just (in the terminology of tpm2_tools) evict the persistent object, and tpm2 will no longer unseal the drive key.
in reply to Štěpán Škorpil

Michel Salim
Michel Salim
neat. I'm leaning towards not using FDE on my new installations unless mandated - hoping #Btrfs encryption will be ready soon - but I should probably try this with encrypted swap
#btrfs
in reply to Michel Salim

Štěpán Škorpil
Štěpán Škorpil
I like when a tool does one thing and does it well. And is standard so it can interoperate with other standard tools.
Encrypting in Luks, dividing volume using lvm, then storage ext. Especially in security where it is really hard to do it well.
in reply to Štěpán Škorpil

Herr Irrtum!
Herr Irrtum!
Honest question: When the Mainboard fails (say short circuit) - can I still take the SSD out and read it with another computer?
in reply to Herr Irrtum!

Štěpán Škorpil
Štěpán Škorpil
yes. Luks has 8 key slots. You can set one key to slot 1 and seal it by tpm and then have second access key in slot 2 for manual opening.
Actually you should do it this way, because if you update bios for example, tpm detects that bios was tampered with and does not unseal the key. In that situation it asks for a disk password during the boot. And you than need to reseal the key to tpm be able to unlock your drive again.
in reply to Štěpán Škorpil

Štěpán Škorpil
Štěpán Škorpil
Or if you mean the encryption it self, it is independent on mother board. You can just take the drive out, connect it to other computer and unlock it with command:
"cryptsetup open /dev/sdaX someName"
in reply to Štěpán Škorpil

Herr Irrtum!
Herr Irrtum!
thanks for the prompt explanation! Ah, it's Luks-based in the end. That makes sense, I'm familiar with the LUKS keyslot mechanism. Thanks again; the article is very well done 👍 !