Announcement

**szymon_g** · 07 September 2023, 10:08 AM

so, will that be based on luks (or something else), or use ext4 (the default fs) features? couldn't the packages be reinstalled into the deb versions (assuming they exist)?

**Shnatsel** · 07 September 2023, 10:17 AM

I just hope they won't blunder in one of these incredibly embarrassing ways:

Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

https://pulsesecurity.co.nz/advisories/tpm-luks-bypass

This vulnerability allows a physically-present attacker to control the full disk encryption unlock process and gain complete access to decrypted content in some cases where a TPM, dracut and Clevis are used.

Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop

https://www.errno.fr/BypassingBitlocker.html

**Danny3** · 07 September 2023, 10:26 AM

What's even the point of using encryption if you are going to use a backdoored hardware device?

**Jakobson** · 07 September 2023, 10:31 AM

Originally posted by Danny3 View Post

What's even the point of using encryption if you are going to use a backdoored hardware device?

Company security policy.

**Anux** · 07 September 2023, 10:39 AM

Originally posted by Jakobson View Post

Company security policy.

Yes, that is the sad truth. Do not use TPM if you don't want your data to be available to 3th persons.

**C8292** · 07 September 2023, 10:48 AM

Originally posted by Shnatsel View Post

I just hope they won't blunder in one of these incredibly embarrassing ways:

Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

https://pulsesecurity.co.nz/advisories/tpm-luks-bypass

This vulnerability allows a physically-present attacker to control the full disk encryption unlock process and gain complete access to decrypted content in some cases where a TPM, dracut and Clevis are used.

https://www.errno.fr/BypassingBitlocker.html

happily, fTPM is not affected!

Super happy with this! Finally having a ok-security is almost no user friction!

**Jakobson** · 07 September 2023, 10:48 AM

Originally posted by Anux View Post

Yes, that is the sad truth. Do not use TPM if you don't want your data to be available to 3th persons.

TPM does not compromise full-disk encryption. Instead, it serves as an additional layer that binds the master key of the disk to the TPM hardware, making offline decryption more challenging. Naturally, a passphrase must still be required.

**Jakobson** · 07 September 2023, 11:00 AM

Originally posted by C8292 View Post

Super happy with this! Finally having a ok-security is almost no user friction!

The only drawback is the dependency on Snap. It may have made it more challenging to boot up with a self-compiled kernel. However, for the average user, this is a brilliant solution that makes enabling full-disk encryption as easy as using BitLocker on Windows.

**anarki2** · 07 September 2023, 11:51 AM

Originally posted by Danny3 View Post

What's even the point of using encryption if you are going to use a backdoored hardware device?

The point is that it's not a "backdoored hardware device", only those who wear tinfoil hats think so. You also clearly don't have any idea how it works, the TPM merely provides a convenient way to unlock the disk, without having to resort to secondary passwords, or even worse, USB keys, that will sit permanently in the laptop's bag, or even in the USB port, ironically REDUCING security by having FDE.

Announcement

Ubuntu 23.10 Adding Experimental TPM-Backed Full Disk Encryption

Ubuntu 23.10 Adding Experimental TPM-Backed Full Disk Encryption

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment