undefined | Better HN

0 pointsvlovich1232y ago0 comments

You would still use the TPM to verify the software chain. But don’t use the TPM to Auto unlock disks. That’s the part that feels like a bad idea

0 comments

zamalek2y ago

The issue is that data disks and system disks get conflated. For the system disk (anything outside of /home) you generally only care about signing - which FDE does as a side-effect. Each user should have their own disk/partition/subvolume with a distinct key that is retrieved from the PAM.

This achieves two things: I know that I am typing my password into the OS that I or a trusted third party compiled (not one planted by a hacker), and my home directory gets decrypted as part of my normal login routine.

j / k navigate · click thread line to collapse

0 pointsvlovich1232y ago0 comments

You would still use the TPM to verify the software chain. But don’t use the TPM to Auto unlock disks. That’s the part that feels like a bad idea

0 comments

zamalek2y ago

j / k navigate · click thread line to collapse