Post 9wH5XOWRBFy82IcuIK by WhoNeedszZz@fosstodon.org
 (DIR) Post #9wH5BoLAVZwFjt40y8 by kev@fosstodon.org
       2020-06-20T12:42:21Z
       
       0 likes, 0 repeats
       
       Question: I'm thinking about upgrading my desktop. If I get a motherboard with a TPM chip, will my distro still require a passphrase to decrypt the drive, or will it use the TPM to manage this for me? I'm using :ubuntu:-based distros. Thanks!
       
 (DIR) Post #9wH5PCQWGdOGCpx0Xg by rage@fosstodon.org
       2020-06-20T12:44:39Z
       
       0 likes, 0 repeats
       
       @kev I don't have a TPM, but wouldn't you store the key file on it?
       
 (DIR) Post #9wH5WSV0uOMq55Vx1U by rune@mastodon.nzoss.nz
       2020-06-20T12:45:50Z
       
       0 likes, 0 repeats
       
       @kev Using a TPM with, for example, LUKS requires special configuration. It's been a few years since I looked into it (on RHEL). It was possible, but it was kind of a hassle. Maybe it's easier now?
       
 (DIR) Post #9wH5XOWRBFy82IcuIK by WhoNeedszZz@fosstodon.org
       2020-06-20T12:46:17Z
       
       0 likes, 0 repeats
       
       @kev Avoid TPM! Flawed model!
       
 (DIR) Post #9wH6YsV7J1cBG0HQgq by kev@fosstodon.org
       2020-06-20T12:57:46Z
       
       0 likes, 0 repeats
       
       @rune Urgh, I hope so. :( It's not a major hassle typing a passphrase on every boot, but it would be slicker if the OS made use of the hardware available.
       
 (DIR) Post #9wH6uD2U8lod2K3kEy by kev@fosstodon.org
       2020-06-20T13:01:31Z
       
       0 likes, 0 repeats
       
       @rage I'm no crypto expert, but as far as I understand it, it's more than just somewhere on the motherboard to store a key file. But ultimately, yeah, the TPM would store keys.
       
 (DIR) Post #9wH7GRv3UsFZYcBmc4 by ikt@fosstodon.org
       2020-06-20T13:05:32Z
       
       0 likes, 0 repeats
       
       @kev how old is your desktop? TPM has been around for like 10 years now!
       
 (DIR) Post #9wH8LJLGuj6iMFKkRk by ikt@fosstodon.org
       2020-06-20T13:17:44Z
       
       0 likes, 0 repeats
       
       @kev how old is your desktop? TPM has been around for like 10 years now?
       
 (DIR) Post #9wH9TNbR3ZAJqKIzjs by slp@fosstodon.org
       2020-06-20T13:29:54Z
       
       0 likes, 0 repeats
       
       @kev On Fedora and RHEL-based distros, you can use "clevis" for that. I honestly don't know if other distros have imported this feature.
       
 (DIR) Post #9wHAASRAxR1JHz314i by waglo@mastodon.fedi.quebec
       2020-06-20T13:38:02Z
       
       0 likes, 0 repeats
       
       @kev Sorry, I can't help you. But when I hear TPM I can only think of https://www.youtube.com/watch?v=XgFbqSYdNK4
       
 (DIR) Post #9wHAi4lRTpVXiKYczo by kev@fosstodon.org
       2020-06-20T13:44:07Z
       
       0 likes, 0 repeats
       
       @sheogorath That's interesting, thanks for the info. Yeah, I know it's far more insecure to not have a passphrase, but it's only my personal device, so it would still provide ample protection.
       
 (DIR) Post #9wHAkINRq2JOVsOPku by kev@fosstodon.org
       2020-06-20T13:44:36Z
       
       0 likes, 0 repeats
       
       @ikt It's about 7 years old and was a budget motherboard.
       
 (DIR) Post #9wHAsGgK1gw3ZT1Sl6 by rune@mastodon.nzoss.nz
       2020-06-20T13:45:54Z
       
       0 likes, 0 repeats
       
       @kev There's gotta be some improvement on it by now. Purism has been shipping TPM modules for a few years now and their OS is Debian-based, so it should be transferable.
       
 (DIR) Post #9wHBdBVb4ppj8bNTPc by rage@fosstodon.org
       2020-06-20T13:54:36Z
       
       0 likes, 0 repeats
       
       @kev Typically, I use a USB drive to keep my key file for dm-crypt.
       
 (DIR) Post #9wHHjfGjwP2Gtstx9U by utahcon@fosstodon.org
       2020-06-20T15:02:38Z
       
       0 likes, 0 repeats
       
       @kev is your desire to ensure your hardware hasn't changed, or that it's YOU starting the machine?
       
 (DIR) Post #9wHKL4B4UhUAmADE8W by kev@fosstodon.org
       2020-06-20T15:32:07Z
       
       0 likes, 0 repeats
       
       @utahcon Neither. It's purely because I'm lazy and I don't want to put in a passphrase to decrypt the drive every time I boot.
       
 (DIR) Post #9wHLBBRmi9esNdshGK by utahcon@fosstodon.org
       2020-06-20T15:41:36Z
       
       0 likes, 0 repeats
       
       @kev Then why encrypt it at all?
       
 (DIR) Post #9wHM8AtuO051lsAIJk by kev@fosstodon.org
       2020-06-20T15:52:13Z
       
       0 likes, 0 repeats
       
       @utahcon To protect the data on the drive.
       
 (DIR) Post #9wHMxLtbGaAsdlQLrM by utahcon@fosstodon.org
       2020-06-20T16:01:28Z
       
       0 likes, 0 repeats
       
       @kev Which is more likely, then: someone stealing the drive, or the whole machine? If they take the machine, with the TPM, and no password, nothing is safe. It only protects against the drive being removed from the machine.
       
 (DIR) Post #9wHQrD6rQ5Y3TBxArA by kev@fosstodon.org
       2020-06-20T16:45:10Z
       
       0 likes, 0 repeats
       
       @utahcon Well, no, because my user session will be protected by my OS password. Encrypting the drive prevents someone from taking the drive out and pulling my data. The OS password protects my system from being booted and someone accessing my data. So with both enabled, I'm protected against both of your scenarios.
       
 (DIR) Post #9wHVEPPgF1Be6c4cYi by utahcon@fosstodon.org
       2020-06-20T17:34:11Z
       
       0 likes, 0 repeats
       
       @kev TPM only detects hardware changes. You can pair it with a removable piece (USB key) and consider that as a password for unlocking disk encryption. Disk encryption and the OS have nothing to do with one another. I can take your LUKS-encrypted drive, slap it in any other machine, and if it's not passphrase-protected, I have your data. TPM alone only ensures the hardware didn't change; it doesn't affect encryption.
       
 (DIR) Post #9wHVWdoZR4WTz2PSEq by utahcon@fosstodon.org
       2020-06-20T17:37:29Z
       
       0 likes, 0 repeats
       
       @kev TPM only detects hardware changes. You can pair it with a removable piece (USB key) and consider that as a password for unlocking disk encryption. Disk encryption and the OS have nothing to do with one another. I can take your LUKS-encrypted drive, slap it in any other machine, and if it's not passphrase-protected, I have your data. TPM alone only ensures the hardware didn't change; it doesn't affect encryption.
       
 (DIR) Post #9wHVa6UpFrTho3pDoO by utahcon@fosstodon.org
       2020-06-20T17:38:06Z
       
       0 likes, 0 repeats
       
       @kev TPM only detects hardware changes. You can pair it with a removable piece (USB key) and consider that as a password for unlocking disk encryption. Disk encryption and the OS have nothing to do with one another. I can take your LUKS-encrypted drive, slap it in any other machine, and if it's not passphrase-protected, I have your data. TPM alone only ensures the hardware didn't change; it doesn't affect encryption. Also, TPM + device makes it hard for your own recovery if hardware fails.
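The two points raised in this thread, slp's "use clevis to bind LUKS to the TPM" and utahcon's "the TPM only checks that the boot measurements didn't change, and keep a passphrase slot for recovery", as one added example that is not part of the thread and is not clevis, cryptsetup or TPM-stack code. It is a toy Python model: the "TPM" is a simulated chip with a SHA-256 PCR 7 and a chip-unique seed, the "LUKS header" is a dict of keyslots, the event log and passphrase are constructed, and the HMAC/XOR "sealing" stands in for a real TPM2 sealed object with a PCR policy. What it shows is the decision logic: the volume key is released without typing anything when the same machine boots with the same measurements, refused when a boot setting changes PCR 7 or when the drive is moved to a different chip, and still recoverable with the passphrase slot in both failure cases.

```python
"""Toy model of a LUKS volume bound to a TPM PCR, in the spirit of clevis's tpm2 pin.

Added example for this thread: not clevis, cryptsetup or TPM code. The chip,
the event log, the passphrase and the HMAC/XOR "sealing" are all constructed.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

PCR_LEN = 32           # SHA-256 PCR bank
PBKDF_ITERS = 100_000  # toy KDF cost; real LUKS2 defaults to argon2id


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = SHA256(PCR_old || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(events: list) -> bytes:
    """PCR 7 after firmware logs the given Secure Boot events; PCRs start at zero."""
    pcr = bytes(PCR_LEN)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


class ToyTPM:
    """One physical chip: a unique seed plus PCR 7. A drive moved to another
    machine meets a chip with a different seed, so its sealed blob is useless."""

    def __init__(self) -> None:
        self.seed = secrets.token_bytes(32)
        self.pcr7 = bytes(PCR_LEN)

    def boot(self, events: list) -> None:
        self.pcr7 = measure_boot(events)

    def _policy(self) -> bytes:
        return hashlib.sha256(b"PolicyPCR:7:" + self.pcr7).digest()

    def _key(self, policy: bytes) -> bytes:
        # Chip-unique key bound to a policy digest (stand-in for a sealed object).
        return hmac.new(self.seed, b"seal" + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> dict:
        """Seal a <=32-byte secret to the *current* PCR 7 (clevis: '{"pcr_ids":"7"}')."""
        policy = self._policy()
        key = self._key(policy)
        ct = _xor(secret, hashlib.sha256(key + b"stream").digest())
        return {"policy": policy, "ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}

    def unseal(self, blob: dict) -> Optional[bytes]:
        """Release the secret only if PCR 7 now equals the value sealed against."""
        if not hmac.compare_digest(self._policy(), blob["policy"]):
            return None  # boot measurements changed: policy check fails
        key = self._key(blob["policy"])
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            return None  # same PCRs but a different chip: wrong seed
        return _xor(blob["ct"], hashlib.sha256(key + b"stream").digest())


def luks_format(volume_key: bytes, passphrase: str) -> dict:
    """Header with slot 0 = passphrase plus a digest of the volume key (as LUKS2 keeps)."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF_ITERS)
    return {"digest": hashlib.sha256(volume_key).digest(),
            "slots": {0: {"type": "passphrase", "salt": salt, "wrapped": _xor(volume_key, kek)}}}


def luks_bind_tpm(header: dict, volume_key: bytes, tpm: ToyTPM) -> None:
    """Add a TPM slot; the passphrase slot stays, which is the recovery path."""
    header["slots"][1] = {"type": "tpm2", "blob": tpm.seal(volume_key)}


def luks_open(header: dict, tpm: Optional[ToyTPM] = None,
              passphrase: Optional[str] = None) -> Optional[bytes]:
    """Try the TPM slot first (nothing to type), then fall back to the passphrase slot."""
    for slot in sorted(header["slots"].values(), key=lambda s: s["type"] != "tpm2"):
        if slot["type"] == "tpm2" and tpm is not None:
            candidate = tpm.unseal(slot["blob"])
        elif slot["type"] == "passphrase" and passphrase is not None:
            kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), slot["salt"], PBKDF_ITERS)
            candidate = _xor(slot["wrapped"], kek)
        else:
            continue
        if candidate is not None and hmac.compare_digest(
                hashlib.sha256(candidate).digest(), header["digest"]):
            return candidate
    return None


# Constructed Secure Boot event logs; the second differs only in the SecureBoot flag.
GOOD_BOOT = [b"SecureBoot=1", b"PK=vendor", b"db=shim-signer"]
TAMPERED_BOOT = [b"SecureBoot=0", b"PK=vendor", b"db=shim-signer"]


def demo() -> dict:
    """The thread's scenarios: which unlock attempts yield the volume key."""
    volume_key = secrets.token_bytes(32)
    header = luks_format(volume_key, "correct horse battery")
    tpm = ToyTPM()
    tpm.boot(GOOD_BOOT)
    luks_bind_tpm(header, volume_key, tpm)
    out = {}
    tpm.boot(GOOD_BOOT)      # normal reboot: a stolen whole machine boots to the login screen
    out["same_machine_no_passphrase"] = luks_open(header, tpm) == volume_key
    tpm.boot(TAMPERED_BOOT)  # a firmware setting changed, so PCR 7 differs
    out["changed_boot_tpm_only"] = luks_open(header, tpm) == volume_key
    out["changed_boot_passphrase"] = luks_open(header, tpm, "correct horse battery") == volume_key
    other = ToyTPM()
    other.boot(GOOD_BOOT)    # drive pulled and placed in another machine
    out["other_machine_tpm_only"] = luks_open(header, other) == volume_key
    out["other_machine_passphrase"] = luks_open(header, other, "correct horse battery") == volume_key
    return out
```

On a real Fedora/RHEL box the equivalent of `luks_bind_tpm` is `clevis luks bind -d /dev/sdX tpm2 '{"pcr_ids":"7"}'`, and `clevis luks list -d /dev/sdX` shows the bound slot; the original passphrase keyslot is left in place, which is what makes the "changed_boot_passphrase" row above possible after a firmware update or board swap. Note the first row: with the TPM slot unlocking on every clean boot, the disk is open by the time the login prompt appears, so the user password is the only thing left between a thief with the whole machine and the data.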
       
 (DIR) Post #9wHpqjIFlXGVEYx86a by DragonLich@fosstodon.org
       2020-06-20T21:24:48Z
       
       0 likes, 0 repeats
       
       @kev @utahcon "Encrypting the drive prevents someone from taking the drive out and pulling my data. OS password protects my system from being booted and someone accessing my data." If by OS password you mean the user password, then no. It's pretty easy to change the user password if you can boot the system. It's great to block remote access, or if you can't reset the machine (LUKS), but not as a protection from someone holding your data.
       
 (DIR) Post #9wHpuqekKhm3EARC4G by DragonLich@fosstodon.org
       2020-06-20T21:25:59Z
       
       0 likes, 0 repeats
       
       @kev @utahcon "Encrypting the drive prevents someone from taking the drive out and pulling my data. OS password protects my system from being booted and someone accessing my data." If by OS password you mean the user password, then no. It's pretty easy to change the user password if you can boot the system. It's great to block remote access, or if you can't access the machine (LUKS), but not as a protection from someone holding your data.
       
 (DIR) Post #9wKxy8a69asOKW8cbo by teatime@fosstodon.org
       2020-06-22T09:39:53Z
       
       0 likes, 0 repeats
       
       @kev If you are like me and just hate the idea of typing 2 passwords when cold booting, try this: https://help.ubuntu.com/stable/ubuntu-help/user-autologin.html.en. At least then I only type the encryption password to boot, which to me feels waaaay better and much the same as having a TPM like my old Windows Surface Pro did.
       
 (DIR) Post #9wL0Cny7GzH8eYUh6m by kev@fosstodon.org
       2020-06-22T10:05:06Z
       
       0 likes, 0 repeats
       
       @teatime Hmm, never thought of it that way around. I assume for things like sudo commands, it still asks for a password?
       
 (DIR) Post #9wL0XzD4foOzbAagDI by teatime@fosstodon.org
       2020-06-22T10:08:54Z
       
       0 likes, 0 repeats
       
       @kev Yep, you still enter the password for everything else like screen lock, login after logging out, sudo, etc. It only bypasses the first login after boot.
       
 (DIR) Post #9wL1UQAsZsMy1WQaI4 by kev@fosstodon.org
       2020-06-22T10:19:32Z
       
       0 likes, 0 repeats
       
       @teatime That might be the solution. Thanks!