←back to thread

Bypassing disk encryption on systems with automatic TPM2 unlock

(oddlama.org)
189 points arjvik | 2 comments | 17 Jan 25 03:00 UTC | HN request time: 0.424s | source
Show context
acheong08 ◴[17 Jan 25 04:12 UTC] No.42733994[source]
I don't understand why anyone would use passwordless disk encryption. It just seems inherently vulnerable, especially with the threat model of physical compromise.

Entering a password on boot isn't even that much work

replies(19): >>42734012 #>>42734073 #>>42734132 #>>42734171 #>>42734304 #>>42734370 #>>42734375 #>>42734397 #>>42734516 #>>42734734 #>>42734841 #>>42734892 #>>42734925 #>>42735445 #>>42736160 #>>42739068 #>>42740673 #>>42741392 #>>42742256 #
Hakkin ◴[17 Jan 25 04:36 UTC] No.42734132[source]
If a disk is encrypted, you don't have to worry about the contents if you eventually have to RMA or dispose of the disk. For this use case, it makes no difference how the encryption key is input.
replies(2): >>42734927 #>>42735538 #
1. tommiegannert ◴[17 Jan 25 07:19 UTC] No.42734927[source]
I'd guess the most common scenario is for someone giving away the entire computer, not fiddle with components. Or theft of the full machine.

This feels like one of those half-security measures that makes it feel like you're safe, but it's mostly marketing, making you believe *this* device can be both safe and easy to use.

replies(1): >>42745440 #
2. lukeschlather ◴[18 Jan 25 03:06 UTC] No.42745440[source]
It's pretty fast to destroy all the keys in a TPM. Should take a minute if you know the right place to go. Meanwhile securely deleting a normal drive requires overwriting every sector with random data, which could take hours. So it also helps if you're giving away the whole machine.