by josephcsible 1505 days ago
Ordinary full-disk encryption protects against that just fine, though.

Not without requiring PIN entry upon boot.

TPMs are external to the CPU and traffic to and from them can be intercepted and used to decrypt the disk.

There was an article on that exact situation a few weeks ago, right here on HN.

https://news.ycombinator.com/item?id=29258879

I meant ordinary full-disk encryption with a regular passphrase and no TPM in the picture at all.
Typical AES-XTS full disk encryption is not safe enough for the laptop case; it’s not authenticated and someone can edit encrypted files.

File-based encryption (like the one T2 and later Macs use) is safest.

While that is true, I cannot think of a real world scenario where it is relevant, since I don't think you can actually produce a specific plain text, but only corrupt certain sectors.

And in case it is a real issue one can use ZFS or btrfs as the file system to ensure data integrity.
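As an added example (not code from any commenter in this thread), the following Go program implements single-sector AES-XTS on top of the standard library's crypto/aes, flips one bit in the ciphertext, and shows that exactly one 16-byte block comes back garbled while the remaining blocks decrypt intact. That is the unauthenticated-mode malleability raised above, and also why the effect is corruption of a block rather than a chosen plaintext. It then wraps the sector with an HMAC-SHA256 tag so the tampering is detected before decryption, the kind of integrity check a checksumming file system or per-file authenticated encryption provides. The keys, the MAC layout and the sample sector contents are constructed for the demonstration; this XTS omits ciphertext stealing, so sectors must be a multiple of 16 bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const blockSize = 16

// mulAlpha multiplies a 16-byte GF(2^128) element by x (the XTS tweak update),
// little-endian, modulo x^128 + x^7 + x^2 + x + 1.
func mulAlpha(t []byte) {
	var carry byte
	for i := 0; i < blockSize; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsSector applies AES-XTS to one sector; the same routine encrypts
// (encrypt=true) and decrypts (encrypt=false). Each 16-byte block is
// processed independently under its own tweak, which is what makes a
// ciphertext change stay local to that block.
func xtsSector(k1, k2 []byte, sector uint64, in []byte, encrypt bool) ([]byte, error) {
	if len(in)%blockSize != 0 {
		return nil, fmt.Errorf("sector length %d is not a multiple of 16", len(in))
	}
	c1, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := aes.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	tweak := make([]byte, blockSize) // T = E_K2(sector number, little-endian)
	binary.LittleEndian.PutUint64(tweak, sector)
	c2.Encrypt(tweak, tweak)
	out := make([]byte, len(in))
	buf := make([]byte, blockSize)
	for off := 0; off < len(in); off += blockSize {
		for j := range buf {
			buf[j] = in[off+j] ^ tweak[j]
		}
		if encrypt {
			c1.Encrypt(buf, buf)
		} else {
			c1.Decrypt(buf, buf)
		}
		for j := range buf {
			out[off+j] = buf[j] ^ tweak[j]
		}
		mulAlpha(tweak)
	}
	return out, nil
}

// Constructed demo keys and sector contents (not real secrets, 4 x 16 bytes).
var (
	demoK1    = []byte("0123456789abcdef")
	demoK2    = []byte("fedcba9876543210")
	demoMAC   = []byte("constructed-hmac-key-for-demo")
	demoPlain = []byte("ROOT=/dev/sda2  " + "allow_tamper=no " + "user=alice      " + "padding-block-3.")
)

// tamperResult lists which blocks changed after one ciphertext bit was flipped.
type tamperResult struct {
	Garbled []int
	Intact  []int
}

// flipBitExperiment encrypts plain, flips the low bit of ciphertext byte
// byteIdx, decrypts, and reports per-block damage.
func flipBitExperiment(k1, k2 []byte, sector uint64, plain []byte, byteIdx int) (tamperResult, error) {
	var r tamperResult
	ct, err := xtsSector(k1, k2, sector, plain, true)
	if err != nil {
		return r, err
	}
	ct[byteIdx] ^= 0x01
	pt, err := xtsSector(k1, k2, sector, ct, false)
	if err != nil {
		return r, err
	}
	for b := 0; b < len(plain)/blockSize; b++ {
		if bytes.Equal(pt[b*blockSize:(b+1)*blockSize], plain[b*blockSize:(b+1)*blockSize]) {
			r.Intact = append(r.Intact, b)
		} else {
			r.Garbled = append(r.Garbled, b)
		}
	}
	return r, nil
}

// sectorTag computes HMAC-SHA256 over (sector number || ciphertext).
func sectorTag(macKey []byte, sector uint64, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	var n [8]byte
	binary.LittleEndian.PutUint64(n[:], sector)
	m.Write(n[:])
	m.Write(ct)
	return m.Sum(nil)
}

// sealSector encrypts and appends an integrity tag (constructed layout: ct || tag).
func sealSector(k1, k2, macKey []byte, sector uint64, plain []byte) ([]byte, error) {
	ct, err := xtsSector(k1, k2, sector, plain, true)
	if err != nil {
		return nil, err
	}
	return append(ct, sectorTag(macKey, sector, ct)...), nil
}

// openSector verifies the tag in constant time before decrypting; ok=false
// means the sector was modified and no plaintext is released.
func openSector(k1, k2, macKey []byte, sector uint64, sealed []byte) ([]byte, bool, error) {
	if len(sealed) < sha256.Size {
		return nil, false, fmt.Errorf("sealed sector too short")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if !hmac.Equal(tag, sectorTag(macKey, sector, ct)) {
		return nil, false, nil
	}
	pt, err := xtsSector(k1, k2, sector, ct, false)
	return pt, err == nil, err
}

func main() {
	r, _ := flipBitExperiment(demoK1, demoK2, 7, demoPlain, 17)
	fmt.Printf("XTS, one bit flipped in block 1: garbled=%v intact=%v\n", r.Garbled, r.Intact)
	sealed, _ := sealSector(demoK1, demoK2, demoMAC, 7, demoPlain)
	sealed[17] ^= 0x01
	_, ok, _ := openSector(demoK1, demoK2, demoMAC, 7, sealed)
	fmt.Printf("Authenticated sector accepted after tampering: %v\n", ok)
}
```

The experiment flips byte 17, which lies in block 1, and only that block decrypts to garbage; the other three blocks are untouched. The tag here covers the sector number as well as the ciphertext, so a sector copied from elsewhere on the disk is rejected too, not only an edited one.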