@quixoticgeek But why? TPM backed FDE is pretty nice, and much more gnarly to set up by hand.

@dequbed snap is fucking awful.

And tying FDE to a TPM means if your device fails you can't take the disk out, put it in another device and access your data. Also, the fact that people seem to see TPM as a way of avoiding a password means that if you have the device you can just boot up and it decrypts.

@quixoticgeek It's still LUKS, isn't it? So you can still have a backup passphrase and I would assume the Ubuntu installer will default to making you add one.
And yes, TPM *is* a way to avoid a password and still do FDE, that's the upside of it. I seem to miss your point there?

@dequbed so with a TPM and FDE with no passphrase, if I turn on the device it auto-decrypts, yes? Without any user input. Meaning I could decrypt your device just by turning it on?

@quixoticgeek I mean yes, but FDE is only meant to protect you against offline attacks, i.e. if somebody steals or clones your hard drive they can't just edit your /etc/shadow and log in. That's still the case.

@dequbed yes. But if someone steals your device and the TPM decrypts it automatically, that's not really much use. It's only encrypted at rest.

@quixoticgeek I mean if you steal my laptop you can turn it on and get to my login prompt. And then? That's not much help unless you also happen to be able to exploit sddm in a way that circumvents systemd-logind.

@quixoticgeek And most importantly, that's the same situation as if you'd steal my laptop while it's turned on but locked. Which is IMHO much more likely ^^

@dequbed most likely is the device is left on a train... or it's stolen when off. The device isn't left powered on unattended.

@quixoticgeek Hmm, sure. But then, again, you can only get as far as the login prompt. That's still really good, and if properly configured almost as safe as a password-based FDE is against almost all attack vectors (and theoretically better against some other ones)

@dequbed or any open network ports... or sniff the key off the SPI comms to the TPM...

@dequbed or if the boot process isn't locked down properly, boot init=/bin/sh and carry on...

@quixoticgeek The kernel command line can and should be fed into the PCR of the TPM which means that if you try to mount that attack then the TPM will be unable to give you the proper FDE key and you'll be looking at a LUKS prompt.
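As an added illustration of the mechanism @dequbed describes (this is not code from the thread or from any of its posters, and it is a simplified model rather than a real TPM or LUKS API): each boot component, including the kernel command line, is hashed and "extended" into a PCR, and the volume key is sealed to the PCR value a clean boot produces. Appending anything to the command line changes the measured value, so the simulated TPM refuses to release the key and the boot would fall back to the LUKS passphrase prompt. The event names, the single PCR, and the HMAC/XOR sealing scheme are constructed stand-ins for the real measured-boot chain.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of TPM PCR measurement and sealing.
# Real TPMs use authorization policies and a storage hierarchy; this
# only models the property that matters here: the key is bound to an
# exact sequence of measurements.

PCR_RESET = bytes(32)      # a SHA-256 PCR starts all-zero at reset (PCRs 0-16)
TPM_SEED = os.urandom(32)  # stands in for the TPM's internal, non-exportable seed
LUKS_KEY = os.urandom(32)  # constructed sample volume key


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2 extend operation: PCR_new = SHA256(PCR_old || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def compute_pcr(boot_events) -> bytes:
    """Replay a boot event log, measuring each component in order into one PCR."""
    pcr = PCR_RESET
    for event in boot_events:
        pcr = pcr_extend(pcr, event)
    return pcr


def _policy_key(pcr_value: bytes) -> bytes:
    # Derivable only inside the "TPM" and only for this exact PCR value.
    return hmac.new(TPM_SEED, pcr_value, hashlib.sha256).digest()


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Bind a 32-byte secret to a PCR value; returns ciphertext || tag."""
    key = _policy_key(expected_pcr)
    ct = bytes(a ^ b for a, b in zip(secret, key))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, current_pcr: bytes):
    """Release the secret only if the live PCR matches the sealed policy."""
    ct, tag = blob[:32], blob[32:]
    key = _policy_key(current_pcr)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # policy mismatch: the system falls back to the LUKS passphrase
    return bytes(a ^ b for a, b in zip(ct, key))


# Constructed boot event logs: the last entry is the kernel command line.
GOOD_BOOT = [
    b"shim",
    b"grub",
    b"vmlinuz-6.x",
    b"root=/dev/mapper/root ro quiet",
]
# Same chain, but the command line was edited at the boot menu.
TAMPERED_BOOT = GOOD_BOOT[:-1] + [GOOD_BOOT[-1] + b" init=/bin/sh"]

# Enrollment: seal the volume key to the PCR value of a clean boot.
SEALED_BLOB = seal(LUKS_KEY, compute_pcr(GOOD_BOOT))


def boot_and_unseal(boot_events):
    """Measure the given boot, then ask the 'TPM' for the volume key."""
    return unseal(SEALED_BLOB, compute_pcr(boot_events))


if __name__ == "__main__":
    print("clean boot releases key:   ", boot_and_unseal(GOOD_BOOT) == LUKS_KEY)
    print("edited cmdline releases key:", boot_and_unseal(TAMPERED_BOOT) is not None)
```

Because extend is order-sensitive and one-way, the only way to reach the sealed PCR value is to replay exactly the measured components in exactly the measured order; this is also why a legitimate kernel or command-line update has to be paired with re-sealing the key, or the machine will prompt for the passphrase on its next boot.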

(void *) social site