Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
hparadiz 3 hours ago

Yea I was looking at this for work. We require full disk encryption for all operating systems but linux is the one where it's a passphrase or a yubikey. In my personal life it would just make managing my PC more annoying. Imagine a motherboard failure and boom there goes my entire disk.

vladvasiliu an hour ago | parent | next [-]

You can have automatic unlock with tpm2, with or without a pin, in addition to passphrase, file, fido2, pkcs#11 cert, or whatever else is supported by luks.

I've been using this for a few years now, and never had an issue.

https://wiki.archlinux.org/title/Systemd-cryptenroll

> Imagine a motherboard failure and boom there goes my entire disk.

You can also set a long-ass key in addition to the other methods, and back it up somewhere safe. It works the same as bitlocker: you have key which can decrypt the drive without external help from a TPM in case something goes wrong.

jacquesm 3 hours ago | parent | prev | next [-]

Yubikeys are very useful. I was pointed to them by a colleague and was a bit skeptical in the beginning but since then I am more than happy to use them, absolutely flawless execution. The only thing that I am a bit concerned about is that it isn't the key that I place on the device that governs all this so you can't be 100% sure that there isn't some kind of supply chain trick that would allow the manufacturer or one or more of their employees to create duplicate keys.

plagiarist 2 hours ago | parent [-]

With Linux I think you do have the option of encrypting with your own cert using the PCKS#11 module on the Yubikey.

jacquesm 2 hours ago | parent [-]

That's interesting, thank you, I will definitely look into this.

Terr_ 3 hours ago | parent | prev [-]

> Imagine a motherboard failure

Hold up, I'm no expert on Secure Boot, but LUKS allows you to have multiple entry keys to the same drive.

This means you can have one key of random gobbledegook which is kept and auto-used by the magic motherboard, and also a passphrase that you can memorize or write down, and either one is totally sufficient on its own.

You don't even need to set them up at the same time, you can start with one and then add the other as an option later.

hparadiz 3 hours ago | parent [-]

Secureboot is something else. It verifies the boot loader at the BIOS. This can be broken by the system itself (like if it's hacked). So it's protecting you against modifications to the boot loader. This is where kernel modules can be injected.

TPM 2.0 is something else. It's typically soldered onto the motherboard as a physical device and the key can be generated and then used to encrypt the disk. The private key can not be extracted. Only the signature and you can ask the TPM to sign a binary blob with the private key while providing you the public key to verify. This protects you against physical access to your device. No one can take your disk and decrypt it.

Terr_ 2 hours ago | parent [-]

> the key can be generated and then used to encrypt the disk

Right, you can't recover or copy that specific key, but you also don't have to for accessing your data, if you set up some redundancy before disaster struck.

AFAIK: 99% of your storage is encrypted by a giant fixed unchanging master-key, and that is itself encrypted again with a non-master key/LS or passphrase, which is stored in the remaining "LUKS header". There's room to store multiple copies of the same master-key encrypted with different non-master options.

In that model, the TPM is simply providing (in a convoluted way) its own passphrase for one of those co-equal slots, so having one or more alternates prepared is sufficient to protect your drive from motherboard failure.