
189 points arjvik | 2 comments
staff3203 No.42734355
On my system, I used `tpm2-measure-pcr=yes` in `/etc/crypttab.initramfs`, then used `--tpm2-pcrs=0+2+7+15:sha256=0000000000000000000000000000000000000000000000000000000000000000` with `systemd-cryptenroll`.

As soon as a volume is decrypted, initrd will write `volume-key` to PCR 15, so any further executables can no longer access the data stored in the TPM.

replies(2): >>42735476 #>>42736760 #
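A small model of why the measurement above locks the TPM-sealed secret after the first unseal. This is an added example, not code from the thread, from systemd or from any TPM library: it uses constructed PCR values and a constructed volume key, and its `policy_pcr_digest` is a simplified stand-in for the TPM's real PolicyPCR computation (the exact encoding differs; the property that any change to a selected PCR changes the digest is what matters). Function and variable names are the example's own.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed sample values; not a real volume key and not real PCR measurements.
VOLUME_KEY = hashlib.sha256(b"constructed LUKS volume key").digest()
ZERO_PCR = bytes(32)  # sha256-bank PCRs 0-15 read as all-zero right after reset
SELECTION = [0, 2, 7, 15]  # the --tpm2-pcrs=0+2+7+15 set from the comment


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def pcr_extend(pcr_value: bytes, data: bytes) -> bytes:
    """TPM2 PCR extend: new = H(old || H(data)).

    There is no inverse operation; the only way back to zero is a TPM reset.
    """
    return sha256(pcr_value, sha256(data))


def policy_pcr_digest(pcrs: dict[int, bytes], selection: list[int]) -> bytes:
    """Simplified stand-in (assumption) for a TPM2 PolicyPCR digest.

    The real TPM derives the policy digest from the PCR selection and the hash
    of the concatenated selected PCR values; only the binding property is
    reproduced here.
    """
    values = b"".join(pcrs[i] for i in sorted(selection))
    return sha256(b"TPM2_PolicyPCR", bytes(sorted(selection)), sha256(values))


@dataclass(frozen=True)
class SealedBlob:
    policy: bytes  # policy digest the object was created with
    secret: bytes  # inside a real TPM this only leaves the chip on policy success


def seal(secret: bytes, expected_pcrs: dict[int, bytes]) -> SealedBlob:
    """systemd-cryptenroll step: bind the secret to the expected PCR values."""
    return SealedBlob(policy_pcr_digest(expected_pcrs, SELECTION), secret)


def unseal(blob: SealedBlob, live_pcrs: dict[int, bytes]) -> bytes | None:
    """Return the secret if the live PCRs satisfy the policy, else None
    (a real TPM answers with a policy failure)."""
    if policy_pcr_digest(live_pcrs, SELECTION) != blob.policy:
        return None
    return blob.secret


def fresh_boot_pcrs() -> dict[int, bytes]:
    """Constructed firmware/boot measurements; PCR 15 is untouched at this point."""
    return {
        0: sha256(b"constructed firmware code measurement"),
        2: sha256(b"constructed option ROM measurement"),
        7: sha256(b"constructed Secure Boot policy measurement"),
        15: ZERO_PCR,
    }


def simulate_boot() -> dict[str, object]:
    # Enrollment binds to PCR 15 == 00..00, i.e. "15:sha256=0000..." in the comment.
    blob = seal(VOLUME_KEY, fresh_boot_pcrs())

    pcrs = fresh_boot_pcrs()
    first = unseal(blob, pcrs)  # initrd unlocks the volume: policy matches

    # tpm2-measure-pcr=yes: initrd extends PCR 15 with the volume key right after.
    pcrs[15] = pcr_extend(pcrs[15], VOLUME_KEY)

    second = unseal(blob, pcrs)  # anything that runs later: policy no longer matches

    return {
        "first_unseal_ok": first == VOLUME_KEY,
        "second_unseal_ok": second is not None,
        "pcr15_after": pcrs[15],
    }


if __name__ == "__main__":
    result = simulate_boot()
    print("unseal before measurement:", result["first_unseal_ok"])
    print("unseal after measurement: ", result["second_unseal_ok"])
    print("PCR 15 after measurement: ", result["pcr15_after"].hex())
```

The model shows the two halves of the scheme: binding to an all-zero PCR 15 means the policy is satisfiable on every boot up to the moment initrd measures the key, and the extend is one-way, so code running after that point cannot satisfy the same policy until the next reset returns PCR 15 to zero.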
1. usr1106 No.42735476
Yes, that seems a good extra level of defense. Allow unsealing only once. We extend a PCR with random data.
replies(1): >>42736171 #
2. dist-epoch No.42736171
This is what BitLocker does. There was a recent article about it.