[ratiolat]

I'm really interested in instructions which would enable storage encryption key to be stored in the TPM so Linux could have the similar user friendly flow as MacOS and Windows with Bitlocker has - boot up computer, storage is decrypted automatically so user only needs to know username and password. If storage is removed from computer or booted from "untrusted source", storage stays "locked".

Backup key, for recovery purposes, needs to be stored in a password vault/physical safe/some external system. The same as it is with MacOS Filevault/Microsoft Windows Bitlocker.

[WhyNotHugo]

Honestly, I think providing the disk decryption password during early boot is a lot safer.

If the TPM yields the decryption key, then the disk is mounted without the user being present, so any RUNTIME security hole can be exploited by the attacker (e.g.: USB exploits, etc).

The Mac/Windows model just seems less-safe (though more friendly for shared devices).

I would like a shared system though: where I provide half the key, and the TPM has the other half, so BOTH are necessary to decrypt the disk.

[michaelt]

Just keying in the password at boot is indeed more secure than using a TPM, when it comes to the threat of someone snatching your powered-off laptop.

But if you want full disk encryption for a server without the need to attend it in person to enter the password every time it restarts, you might feel the middling security a TPM provides is an improvement over not encrypting the disk at all.

Or if you issue a big fleet of laptops to forgetful users, and remote password reset is a must-have feature, the TPM is more secure than the user writing the password on a post-it note stuck to the laptop.

Or if you're making something like a TiVo where you want it to work without a password - while also locking down the device, even against the owner.

So TPMs are great if you're a big corporation!

[nuker]

> But if you want full disk encryption for a server without the need to attend it in person to enter the password every time it restarts … So TPMs are great if you're a big corporation!

Also great for personal NAS for example. But its bloody hard to implement on Linux/BSD at the moment

[WhyNotHugo]

> So TPMs are great if you're a big corporation!

Quite true. They're pretty bad if you're just a person.

[invokestatic]

Windows supports TPM+PIN which is what you describe.

[zer0-c00l]

This exists. https://wiki.archlinux.org/title/Trusted_Platform_Module#Dat...

[michaelmrose]

A useful flow for the overwhelmingly single user computers is to make FDE password and user account password the same and enable auto login. Basically at boot up the user is prompted for their password and when boot up completes they are automatically logged into their user account without further prompting.

For multi user systems one can tie login to mounting an encrypted home but of course you are still required to enter a password twice although in theory it seems like the information entered first could be retained and could be used to log in a user and complete the next step.

[rythie]

You so that with clevis: https://kowalski7cc.xyz/blog/luks2-tpm2-clevis-fedora31

You can also unlock using a tang server: https://www.networkshinobi.com/clevis-and-tang-network-bound...