←back to thread

Bypassing disk encryption on systems with automatic TPM2 unlock

(oddlama.org)
189 points arjvik | 1 comments | 17 Jan 25 03:00 UTC | HN request time: 0s | source
Show context
acheong08 ◴[17 Jan 25 04:12 UTC] No.42733994[source]
I don't understand why anyone would use passwordless disk encryption. It just seems inherently vulnerable, especially with the threat model of physical compromise.

Entering a password on boot isn't even that much work

replies(19): >>42734012 #>>42734073 #>>42734132 #>>42734171 #>>42734304 #>>42734370 #>>42734375 #>>42734397 #>>42734516 #>>42734734 #>>42734841 #>>42734892 #>>42734925 #>>42735445 #>>42736160 #>>42739068 #>>42740673 #>>42741392 #>>42742256 #
1. michaelt ◴[17 Jan 25 10:44 UTC] No.42736160[source]
Imagine a big corporate workplace, where the infosec team wasn't comprised of freewheeling anarchic hacker types who've dedicated their career to mastering the intricacies of the Linux boot process, but instead by compliance folks who've dedicated their career to mastering the intricacies of global privacy laws and passing SOC2 compliance audits.

From their perspective, "Secure Boot" has the word "Secure" right in the name. And they've looked up details about the TPM - Microsoft says the TPM avoids systems being tampered with, and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.

If you don't know the intricacies involved, that stuff all sounds great! So they put a line into the corporate IT policy that TPM use is mandatory.