@stepan how easy is it to turn off? Presumably you want to disable it before, say, shipping the laptop out or traveling with it
@michel_slm Well, you can just (in the terminology of tpm2_tools) evict the persistent object, and tpm2 will no longer unseal the drive key.
@michel_slm I like it when a tool does one thing and does it well, and is standard so it can interoperate with other standard tools.
Encrypting with LUKS, dividing the volume using LVM, then storage with ext. Especially in security, where it is really hard to do it well.
Honest question: When the mainboard fails (say, a short circuit), can I still take the SSD out and read it with another computer?
@Herr_Irrtum yes. LUKS has 8 key slots. You can set one key in slot 1 and seal it with the TPM, and then have a second access key in slot 2 for manual opening.
Actually you should do it this way, because if you update the BIOS, for example, the TPM detects that the BIOS was tampered with and does not unseal the key. In that situation it asks for a disk password during boot. And you then need to reseal the key to the TPM to be able to unlock your drive again.
@Herr_Irrtum Or if you mean the encryption itself, it is independent of the motherboard. You can just take the drive out, connect it to another computer and unlock it with the command:
"cryptsetup open /dev/sdaX someName"
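The two replies above recommend keeping a manual passphrase in a second LUKS keyslot next to the TPM-sealed one, so a BIOS update (or a dead mainboard) does not lock you out. Before rebooting after a firmware change it is worth checking that such a fallback slot actually exists. The script below is an added example written for this thread, not code from the original posts: it parses the text that `cryptsetup luksDump` prints for a LUKS2 header and reports whether at least one enabled keyslot is not bound to a TPM2 token. The two dump texts embedded in it are constructed samples that follow the luksDump layout as I understand it (keyslot entries under `Keyslots:`, token entries under `Tokens:` with a `Keyslot:` line); the section names and token name `systemd-tpm2` are assumptions about the real output, so check them against your own header.

```shell
#!/bin/sh
# Constructed sample: LUKS2 header with two keyslots, slot 1 sealed by TPM2.
SAMPLE_TWO_SLOTS='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
Tokens:
  0: systemd-tpm2
        tpm2-pcrs:  7
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
'

# Constructed sample: only one keyslot, and it is the TPM-sealed one.
# A BIOS update that changes PCR 7 would leave this disk with no way in.
SAMPLE_TPM_ONLY='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
Tokens:
  0: systemd-tpm2
        tpm2-pcrs:  7
        Keyslot:    0
Digests:
  0: pbkdf2
        Hash:       sha256
'

# count_keyslots DUMP_TEXT: print the number of enabled keyslots.
count_keyslots() {
  printf '%s\n' "$1" | awk '
    /^Keyslots:/ { in_ks = 1; next }
    /^[A-Z][a-z]+:/ { in_ks = 0 }
    in_ks && /^  [0-9]+: luks2/ { n++ }
    END { print n + 0 }'
}

# tpm2_bound_slots DUMP_TEXT: print, one per line, the keyslot numbers
# that a tpm2 token (e.g. systemd-tpm2) refers to.
tpm2_bound_slots() {
  printf '%s\n' "$1" | awk '
    /^Tokens:/ { in_tok = 1; next }
    /^[A-Z][a-z]+:/ { in_tok = 0 }
    in_tok && /^  [0-9]+: / { tpm = ($2 ~ /tpm2/) }
    in_tok && tpm && /Keyslot:/ { print $2 }'
}

# has_manual_fallback DUMP_TEXT: succeed (exit 0) when at least one keyslot
# is NOT bound to a TPM token, i.e. a passphrase/keyfile slot exists.
has_manual_fallback() {
  total=$(count_keyslots "$1")
  bound=$(tpm2_bound_slots "$1" | sort -u | awk 'END { print NR }')
  [ "$total" -gt "$bound" ]
}

# On a real system (requires root, not run here):
#   has_manual_fallback "$(cryptsetup luksDump /dev/sdaX)" \
#     && echo "fallback slot present" || echo "WARNING: only TPM-bound slots"
```

Run the check before applying a firmware update; if it warns, add a passphrase slot first with `cryptsetup luksAddKey`, and after the update reseal the TPM slot as the thread describes.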
@stepan thanks for the prompt explanation! Ah, it's LUKS-based in the end. That makes sense, I'm familiar with the LUKS keyslot mechanism. Thanks again; the article is very well done 👍!
Štěpán Škorpil's personal Mastodon server - instance of federated social network