←back to thread

Bypassing disk encryption on systems with automatic TPM2 unlock

(oddlama.org)
212 points arjvik | 4 comments | 17 Jan 25 03:00 UTC | HN request time: 0.831s | source
Show context
acheong08 ◴[17 Jan 25 04:12 UTC] No.42733994[source]
I don't understand why anyone would use passwordless disk encryption. It just seems inherently vulnerable, especially with the threat model of physical compromise.

Entering a password on boot isn't even that much work

replies(20): >>42734012 #>>42734073 #>>42734132 #>>42734171 #>>42734304 #>>42734370 #>>42734375 #>>42734397 #>>42734516 #>>42734734 #>>42734841 #>>42734892 #>>42734925 #>>42735445 #>>42736160 #>>42739068 #>>42740673 #>>42741392 #>>42742256 #>>42749423 #
1. udev4096 ◴[17 Jan 25 05:59 UTC] No.42734516[source]
It's just not practical. How are you going to manually enter the password for let's say 10 servers?
replies(1): >>42734848 #
2. johnisgood ◴[17 Jan 25 07:00 UTC] No.42734848[source]
USB pendrive with random key, no need to enter anything and is more secure and gives you plausible deniability through many different means.
replies(1): >>42735351 #
3. cedilla ◴[17 Jan 25 08:43 UTC] No.42735351[source]
Going around 10 servers with a USB drive sounds just as tedious, and what happens when you lose the key or the attacker gets it?
replies(1): >>42750140 #
4. johnisgood ◴[18 Jan 25 18:11 UTC] No.42750140{3}[source]
You generate a new one and replace it. Those what ifs apply to passwords as well.

It might sound tedious for 10 servers, but passwords are even more so.

For desktop, it is definitely the way.