[SchemaLoad]

They will unlock in to a password protected system. Unless the junkie who stole your server has an unpatched debian login bug, this won't be much use to them. If they remove the drive or attempt to boot off a USB, the drive is unreadable.

[PunchyHamster]

Plenty of TPM bugs happened in the past and plenty of zero days in any code involved will happen.

Having key off-machine mitigates a lot of that.

> Unless the junkie who stole your server has an unpatched debian login bug,

the key for disk decryption is in memory at that point. There are methods to take it out of it

[danparsonson]

What's the difference when booting off a USB drive? That's been my goto in the past when I forgot my login password; does the TPM only unlock boot devices?

[NekkoDroid]

Generally you'll have your drive only unlock against certain PCRs and their values. It depends on which PCRs you select and then how exactly they are measured.

E.g. systemd measures basically everything that is part of the boot process (kernel, kernel cli, initrd, ...[1]) into different PCRs, so if any of those are different they result in differen PCR values and won't unlock the boot device (depending on which PCRs you decided to encrypt against). I forgot what excatly it measures, but I remember that some PCRs also get measured during the switch_root operation from initrd -> rootfs which can be used to make something only unlock in the initrd.

[1]: https://systemd.io/TPM2_PCR_MEASUREMENTS/

[SchemaLoad]

The TPM holds the decryption keys and will unlock as long as all checks pass. Booting off the previously registered drive/kernel being one of them.

If this fails you can always manually input the decryption key and reregister with the TPM. The whole point of this setup is you can't just use a bootable USB to reset the devices password.

[vel0city]

If properly configured and the TPM implementation is good, no it shouldn't unlock the drive. Changing boot devices, and depending on how configured even changing boot options, can prevent the TPM from releasing the key and require a recovery key.

[gorgoiler]

Don’t you just hit ESC during boot and change the Linux command line to init=/bin/sh?

[izacus]

TPM will not unseal the key if you change kernel parameters. It's one of the PCRs.

You'll be dropped into "enter disk crypt password please" prompt.

[Gigachad]

Looks like you can either password protect grub or have the kernel start command part of the list of things the TPM checks before unlocking the key.