deleted by creator
Ok… so… if you have TPM… and LUKS…
You still have a scenario where the encryption key is still on your physical device, LUKS with or without TPM, or … some kind of TPM-based Linux encryption solution I have never heard of?
Does Windows Secure Boot work on Linux via the TPM?
No…
Am I missing something?
There's no point in involving TPM in securing a Linux computer.
In a scenario where you’ve physically lost your computer, using TPM or not, it won't matter if your PC gets into the hands of someone who can attempt to brute force the keys.
If your PC is remotely compromised to the point it has something on it that can grab your keys, it also will not matter if you are using TPM in some way.
The only practical use of full disk encryption is if your Linux PC and/or laptop gets stolen and falls into the hands of a non-tech-savvy person, and in that scenario, going through the trouble of correctly binding LUKS to TPM will have just been a waste of time.
Thus, you should probably just use LUKS and not bother routing it through TPM.
deleted by creator
This person asked if they can make PopOS secure via TPM.
I am saying that while yes, you can, there isn't much point, because setting up LUKS to work with TPM is inconvenient, easy to fuck up, and basically offers no additional protection against all but extremely implausible security scenarios for basically everyone other than bladed server room admins worried about corporate espionage who are for some reason running bare metal PopOS on their server racks.
Like the only actual use case I can see for this is /maybe/ having a LUKS encrypted portable backup drive, but even then you can still base the encryption key in the actual main PC’s hard drive without using TPM, though at /that and only that point/ are we approaching parity between the difficulty of using or not using TPM to accomplish this.
deleted by creator
I think it even increases the security by not asking for the passphrase. Because the moment it asks, you know your machine has been tampered with and that you should be alert.
You don’t seem to understand how TPM works at all. You cannot extract keys from the TPM; it provides protection against any attack that involves removing the hard drive from the computer it is installed in. This is not like storing an encryption key on a USB drive, as you seem to think. I recommend you actually do some reading on TPM before you attempt to talk with any authority. I don’t personally think it’s a great solution (for me, at least), but not for any of the reasons you’ve listed in your comments.
You can’t use TPM-based encryption on a portable drive; that isn’t even possible. That’s exactly the point of TPM to begin with. You know, the whole Trusted Platform Module? That exists to ensure your hard drive (or whatever other use you have for the TPM) cannot boot or be read by any machine other than the one it was set up with. That’s the entire premise of establishing a root of trust. What are you on about?
Please, read about how TPM works.
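
A toy model of the behaviour argued over in this thread, added here as an example and not posted by any participant: a disk key sealed to one chip and one measured boot chain unseals only on that machine with that chain, and in every other case unlocking has to fall back to the passphrase. `ToyTPM`, the boot component names and the wrapping scheme are assumptions for illustration; a real TPM uses its own key hierarchy and policy sessions.

```python
import hashlib, hmac, os

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(measurement)). Order matters."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

class ToyTPM:
    """Model only: the per-chip seed never leaves this object."""
    def __init__(self):
        self._seed = os.urandom(32)      # stands in for the chip's storage seed
        self.pcr = bytes(32)

    def boot(self, components):
        """Reset the PCR and replay the boot chain into it."""
        self.pcr = bytes(32)
        for c in components:
            self.pcr = extend(self.pcr, c)

    def _keys(self, policy):
        enc = hmac.new(self._seed, b"enc" + policy, hashlib.sha256).digest()
        mac = hmac.new(self._seed, b"mac" + policy, hashlib.sha256).digest()
        return enc, mac

    def seal(self, secret: bytes) -> dict:
        """Bind a 32-byte secret to this chip and the current PCR value."""
        policy = hashlib.sha256(self.pcr).digest()
        enc, mac = self._keys(policy)
        blob = bytes(a ^ b for a, b in zip(secret, enc))   # toy wrapping
        tag = hmac.new(mac, blob, hashlib.sha256).digest()
        return {"policy": policy, "blob": blob, "tag": tag}

    def unseal(self, sealed: dict):
        """Return the secret, or None if the boot chain or the chip differs."""
        if hashlib.sha256(self.pcr).digest() != sealed["policy"]:
            return None                  # measurements changed: policy fails
        enc, mac = self._keys(sealed["policy"])
        tag = hmac.new(mac, sealed["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, sealed["tag"]):
            return None                  # blob was sealed by a different chip
        return bytes(a ^ b for a, b in zip(sealed["blob"], enc))

def scenarios() -> dict:
    good = [b"firmware", b"bootloader", b"kernel"]          # constructed chain
    changed = [b"firmware", b"bootloader-modified", b"kernel"]
    tpm, other = ToyTPM(), ToyTPM()
    tpm.boot(good)
    disk_key = os.urandom(32)
    sealed = tpm.seal(disk_key)          # sealed blob is stored with the volume
    out = {"same machine, same chain": tpm.unseal(sealed) == disk_key}
    tpm.boot(changed)
    out["same machine, changed chain"] = tpm.unseal(sealed) is not None
    other.boot(good)
    out["disk moved to other machine"] = other.unseal(sealed) is not None
    return out
```

Only the first scenario yields the key; the other two return nothing, which on a real system is the point where the passphrase prompt appears.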