@quixoticgeek But why? TPM backed FDE is pretty nice, and much more gnarly to set up by hand.

@dequbed snap is fucking awful.

And tying FDE to TPM means if your device fails you can't take the disk out, put it in another device and access your data. Also, the fact that people seem to see TPM as a way of avoiding a password means that if you have the device you can just boot up and it decrypts.

@quixoticgeek It's still LUKS, isn't it? So you can still have a backup passphrase and I would assume the Ubuntu installer will default to making you add one.
And yes, TPM *is* a way to avoid a password and still do FDE, that's the upside of it. I seem to miss your point there?

@dequbed so with a TPM and FDE with no passphrase, if I turn on the device it auto decrypts, yes? Without any user input. Meaning I could decrypt your device just by turning it on?

@quixoticgeek I mean yes, but FDE is only meant to protect you against offline attacks, i.e. if somebody steals or clones your hard drive they can't just edit your /etc/shadow and log in. That's still the case.

@dequbed yes. But if someone steals your device and the Tpm decrypts it automatically. That's not really much use. It's only encrypted at rest.

@quixoticgeek @dequbed
The link covers that. You can also have a decrypt password if you choose, in addition to (or not) the TPM backed encryption.

@quixoticgeek @dequbed
Eh, that's threat model dependent. For me, probably not. For my work stuff, maybe. I'd want to consult with security. But I imagine this is acceptable to them as it's how, afaik, the Mac and Windows stuff behaves too. Right now it's vulnerable to evil maid attacks.
