Originally posted by User42
The way password+TPM is currently implemented by systemd-cryptenroll is worse than password alone. It's not days, weeks or months. It's 3 hours.
Note the linked paper, and the money quotes:
After having gained experience with the attack, we are able to perform the full attack on a new device within two to three hours.
An FDE tool that does not implement a TPM and PIN strategy with a defense-in-depth approach is the open-source tool systemd-cryptenroll. The systemd-cryptenroll tool is part of the widely adopted systemd project and acts as a management tool for encrypted disks conforming to the popular LUKS standard [44], [45]. Support for TPM based protections has only been introduced recently and includes a TPM-only and a TPM and PIN strategy [21], [41]. Our analysis of the systemd-cryptenroll code shows that a randomly generated 256 bit secret is directly sealed by the TPM, protected either by a PCR policy only or additionally a PIN. The so-called LUKS keyslot (analogous to BitLocker’s VMK) is then encrypted with the base64-encoded secret as passphrase.
Once the NV state is decrypted, the LUKS key is directly accessible and no brute-forcing is necessary.
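The design difference the quoted paper describes, as an added toy model that is not part of the original post and is not systemd's or BitLocker's code: it checks whether the keyslot passphrase still depends on the PIN once the sealed secret is exposed. `ToyTPM`, `layered_passphrase`, the PBKDF2/HMAC construction and the iteration count are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the layered variant


class ToyTPM:
    """Toy model: the PIN is only an authorization check enforced by the TPM."""

    def __init__(self, pin: str):
        self._secret = os.urandom(32)  # randomly generated 256-bit secret
        self._pin = pin

    def unseal(self, pin: str) -> bytes:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("TPM policy check failed")
        return self._secret

    def decrypted_nv_state(self) -> bytes:
        # Models the paper's end state: NV state decrypted, policy not enforced.
        return self._secret


def direct_passphrase(secret: bytes, pin: str, salt: bytes) -> bytes:
    """Design the paper describes: base64(sealed secret); the PIN is not an input."""
    return base64.b64encode(secret)


def layered_passphrase(secret: bytes, pin: str, salt: bytes) -> bytes:
    """Assumed defense-in-depth variant: the stretched PIN is mixed into the key."""
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return base64.b64encode(hmac.new(secret, stretched, hashlib.sha256).digest())


def pin_still_required(derive, tpm: ToyTPM, salt: bytes) -> bool:
    """True if the passphrase still depends on the PIN once the TPM state is exposed."""
    secret = tpm.decrypted_nv_state()
    return derive(secret, "0000", salt) != derive(secret, "9999", salt)


if __name__ == "__main__":
    tpm, salt = ToyTPM(pin="constructed-pin"), os.urandom(16)
    print("direct :", pin_still_required(direct_passphrase, tpm, salt))
    print("layered:", pin_still_required(layered_passphrase, tpm, salt))
```

In the direct design the PIN protects the secret only while the TPM enforces its policy; in the layered variant the PIN's entropy remains a cost even after the sealed secret is known.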