Question About TPM Autodecrypt (mander.xyz)

submitted 1 year ago* (last edited 1 year ago) by baseless_discourse@mander.xyz to c/linux@lemmy.ml

19 comments fedilink hide all child comments

I have setup my fedora to use LUKS encryoted partitions. But entering two passwords gets quite tiring, as I shutdown my laptop quite often to get the benefit of LUKS (I am assuming nothing is encrypted when in suspend, please correctme if I am wrong)

I am thinking about setting up TPM autodecrypt. However, I was wondering does the decryption happen on boot or after I login?

If it happens on boot, then it seems like the benefit is pretty limited compare to a unencrypted drive. Since the attacker can simply boot my laptop and get the unecrypted drive.

Am I missing something here? I was wondering is there a way for me to enter my password once and unlock everything, from disk to gnome keyring?

you are viewing a single comment's thread
view the rest of the comments

[-] Frederic@beehaw.org 2 points 1 year ago* (last edited 1 year ago)

I have MX Linux setup with LUKS/btrfs and it was asking password on boot, so I put my key in TPM and modified /etc/crypttab to retrieve it, at least I don't have to enter it at any boot, but yeah it decrypts automatically, like Windows Bitlocker in fact, it still asks my user password login (my choice, no auto login here), but at boot you can break grub and have a root shell it you know how.

Other way is to put the luks key on a USB drive, when you leave home with your computer shutdown, take the USB key with you and that's it.

[-] hunger@programming.dev 2 points 1 year ago

The point of using the TPM is that it does not unlock the drive unless it has a certain set of software is loaded in a certain sequence on the machine with that specific TPM chip.

So if somebody breaks grub and makes it load a shell, then that results in different software loaded (or at least loaded in a different sequence) and will prevent the TPM to unlock the system. The same is true if somebody boots from a rescue disk (different software loaded) or when you try to unlock the disk in an unexpected phase of the boot process (same software but different sequence of things loaded, e.g. after boot up to send the key to some server on thr network. The key is locked to one TPM, so removing the drive and booting it in a different machine also does not work.

The TPM-locked disk is pretty secure, even more so than that USB idea of yours -- if the system you boot into is secure. It basically stops any attacker from bringing extra tools to help them in their attack. All they have available is what your system has installed. Do not use auto-login or run some root shell in some console somewhere...

this post was submitted on 27 Oct 2023

26 points (100.0% liked)

Linux

48033 readers

771 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

nooter692@lemmy.ml

AgreeableLandscape@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz