Ubuntu 23.10 Adding Experimental TPM-Backed Full Disk Encryption
-
Originally posted by Jakobson:
The only drawback is the dependency on Snap. It may have made it more challenging to boot up with a self-compiled kernel. However, for the average user, this is a brilliant solution that makes enabling full-disk encryption as easy as using BitLocker on Windows.
RH-based distros have been supporting this out of the box since forever.
- Likes 3
-
Originally posted by anarki2:
Not at all, the TPM unlocks the disk upon boot automatically. There will be an additional passphrase that may be used in case of emergency, if that's what you mean.
From a security perspective, automatically unlocking disk encryption is equivalent to having automatic login without a password.
- Likes 3
-
Originally posted by anarki2:
There's no hard Snap dependency, and it's not even new, it's been working for like 5 years now. All you had to do was to recompile tpm2-tools and Clevis.
RH-based distros have been supporting this out of the box since forever.
Namely, the bootloader (shim and GRUB) and kernel assets will be delivered as snap packages (via gadget and kernel snaps), as opposed to being delivered as Debian packages.
- Likes 1
-
Ah yes, now my UKI will have to unsquash before booting my system, exactly what I wanted (sarcasm)
Anyways, Canonical at this point should just come out and abandon "Ubuntu: the Debian fork" in favor of "SnapOS", which is what they really want to build. If they do that, Snap is just going to end up as another package manager (one that coincidentally plays nice with other package managers, like Nix), but I think it's better than the hybrid monster they currently have.
- Likes 6
-
Originally posted by sarmad:
What's the benefit of TPM? What does it provide over the traditional way of entering a password upon boot?
Passphrases/passwords chosen by people usually aren't very strong. Additional binding to HW improves security. Otherwise an encrypted disk, for example, can be cloned and brute-forced by much faster supercomputers.
- Likes 4
-
I've been using the TPM on my Arch installations for several months now. systemd-cryptenroll makes it easy to enable, and the TPM will unlock the drive as long as there's no hardware change or BIOS update. In that case, you would just enter the LUKS password to boot and then re-associate the TPM with systemd-cryptenroll again.
- Likes 2
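A toy model of the mechanism the post above relies on, added here as an illustration and not taken from systemd-cryptenroll, LUKS or the TPM specification: boot components are measured into a PCR by hash-extending, a key is sealed to that PCR value, and a firmware or bootloader change produces a different PCR so the unseal fails and the LUKS passphrase is needed until the key is re-enrolled. The class names, the HMAC-based wrapping and the sample component strings are simplifications assumed for this example.

```python
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32  # a PCR starts out all-zero at power-on


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)). Order matters,
    and the value can only be extended, never set, which is why a changed
    BIOS or bootloader is detectable at unlock time."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure each boot stage in order (firmware, shim, GRUB, kernel...)."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Stands in for the TPM: its storage secret never leaves the 'chip'."""

    def __init__(self):
        self._storage_root = os.urandom(32)  # constructed per-device secret

    def _wrap(self, policy: bytes) -> bytes:
        return hmac.new(self._storage_root, policy, hashlib.sha256).digest()

    def seal(self, key: bytes, pcr_digest: bytes) -> dict:
        """Enrollment: bind a 32-byte volume key to the current PCR state."""
        assert len(key) == 32
        wrap = self._wrap(pcr_digest)
        return {"policy": pcr_digest,
                "blob": bytes(a ^ b for a, b in zip(key, wrap))}

    def unseal(self, sealed: dict, current_pcr: bytes):
        """Boot: release the key only if the machine measured into the same
        state as at enrollment; otherwise return None (prompt for passphrase)."""
        if not hmac.compare_digest(sealed["policy"], current_pcr):
            return None
        wrap = self._wrap(current_pcr)
        return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def boot_unlock(tpm: ToyTPM, sealed: dict, components) -> str:
    """Return which unlock path a boot would take for this boot chain."""
    key = tpm.unseal(sealed, measure_boot(components))
    return "tpm" if key is not None else "passphrase"
```

After a firmware update the owner types the LUKS passphrase once, then seals the same key again against the new PCR value, which is the re-association step the post describes.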
-
Originally posted by sarmad:
What's the benefit of TPM? What does it provide over the traditional way of entering a password upon boot?
I think some people here are missing the nuance of the compromise being made: yes, it won't protect you from the CIA/FSB/SIS/etc., but since the disk is still encrypted, it takes away the option of just slapping it in another system and taking the data. With TPM unlocking you have to find a software or hardware vulnerability to get access, which is typically well outside the competency of your local thief or police agency.
In regards to defending against CIA/FSB/SIS/etc ... obligatory xkcd
- Likes 9