One of the good impacts of is pushing laptop features that can also benefit .
For example can securely unlock your encrypted root Linux drive without entering a password every time.
🔑 📀 :linux:

@stepan how easy is it to turn off? Presumably you want to disable it before, say, shipping the laptop out or traveling with it

@michel_slm Well, you can just (in the terminology of tpm2_tools) evict the persistent object, and tpm2 will no longer unseal the drive key.

@stepan neat. I'm leaning towards not using FDE on my new installations unless mandated - hoping #Btrfs encryption will be ready soon - but I should probably try this with encrypted swap

@michel_slm I like it when a tool does one thing and does it well, and is standard so it can interoperate with other standard tools.
Encrypting in LUKS, dividing the volume using LVM, then ext storage. Especially in security, where it is really hard to do it well.

Honest question: When the mainboard fails (say, a short circuit), can I still take the SSD out and read it with another computer?

@Herr_Irrtum yes. LUKS has 8 key slots. You can set one key in slot 1 and seal it with the TPM, and then have a second access key in slot 2 for manual opening.
Actually you should do it this way, because if you update the BIOS, for example, the TPM detects that the BIOS was tampered with and does not unseal the key. In that situation it asks for a disk password during boot. And you then need to reseal the key to the TPM to be able to unlock your drive again.

@Herr_Irrtum Or if you mean the encryption itself, it is independent of the motherboard. You can just take the drive out, connect it to another computer and unlock it with the command:
"cryptsetup open /dev/sdaX someName"
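As an added example (not code from the thread or from any project mentioned in it), the following POSIX shell script checks the point made above: before relying on a TPM-sealed keyslot, confirm that the LUKS header also carries a second, passphrase keyslot so a PCR change after a BIOS update cannot lock you out. It parses the output of `cryptsetup luksDump` (assumed layout: a `Keyslots:` section with `  N: luks2` entries for LUKS2, `Key Slot N: ENABLED` lines for LUKS1); the sample header embedded in the script is constructed, not taken from a real device, and `check_device` is the only part that needs root and a real device.

```shell
#!/bin/sh
# Added example: verify a LUKS device keeps a fallback (passphrase) keyslot
# next to the TPM-sealed one. Parses `cryptsetup luksDump` text on stdin.

# Count enrolled keyslots. Handles LUKS2 ("Keyslots:" section) and
# LUKS1 ("Key Slot N: ENABLED" lines). Assumed output layout.
luks_keyslot_count() {
  awk '
    /^Keyslots:/                      { in_ks = 1; next }  # LUKS2 section start
    /^[A-Za-z]/                       { in_ks = 0 }        # any other section ends it
    in_ks && /^[[:space:]]+[0-9]+: /  { n++ }              # e.g. "  0: luks2"
    /^Key Slot [0-9]+: ENABLED/       { n++ }              # LUKS1 format
    END                               { print n + 0 }
  '
}

# Exit 0 when at least two keyslots exist (sealed key + manual passphrase).
has_fallback_keyslot() {
  [ "$1" -ge 2 ]
}

# Run the check against a real device (needs root; not exercised offline).
check_device() {
  dev=$1
  n=$(cryptsetup luksDump "$dev" | luks_keyslot_count)
  if has_fallback_keyslot "$n"; then
    echo "$dev: $n keyslots enrolled, fallback present"
  else
    echo "$dev: only $n keyslot(s); add a passphrase slot: cryptsetup luksAddKey $dev" >&2
    return 1
  fi
}

# Constructed, abbreviated LUKS2 header dump (not real device data).
sample_luks2_dump() {
  cat <<'EOF'
LUKS header information
Version:        2
Epoch:          5
Data segments:
  0: crypt
    offset: 16777216 [bytes]
    cipher: aes-xts-plain64
Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
  1: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
Tokens:
  0: systemd-tpm2
    Keyslot:    0
Digests:
  0: pbkdf2
EOF
}

# Constructed LUKS1 dump fragment with a single enabled slot.
sample_luks1_dump() {
  cat <<'EOF'
LUKS header information for /dev/example
Version:        1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# Demo on the constructed headers.
n=$(sample_luks2_dump | luks_keyslot_count)
echo "sample LUKS2 header: $n keyslots"
has_fallback_keyslot "$n" && echo "fallback keyslot present"
n1=$(sample_luks1_dump | luks_keyslot_count)
echo "sample LUKS1 header: $n1 keyslot(s)"
has_fallback_keyslot "$n1" || echo "no fallback keyslot: a TPM reseal failure would require recovery"
```

Run `check_device /dev/sdaX` as root on the real volume; if it reports a single slot, enrol a passphrase with `cryptsetup luksAddKey` before sealing the other key to the TPM.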

@stepan thanks for the prompt explanation! Ah, it's LUKS-based in the end. That makes sense; I'm familiar with the LUKS keyslot mechanism. Thanks again; the article is very well done 👍 !

Škorpil's Mastodon

Štěpán Škorpil's personal Mastodon server - instance of federated social network