(oddlama.org)

189 points arjvik | 3 comments | 17 Jan 25 03:00 UTC | HN request time: 1.516s | source

1. mateusz834 ◴[17 Jan 25 11:06 UTC] No.42736293[source]▶

Personally i would like a way to use TMP2 (with PIN) + password. (i.e. mode where PIN is derived from the password, but is also used to encrypt), so that i do not have to trust the TPM manufacturer.

replies(1): >>42736366 #

2. highwaylights ◴[17 Jan 25 11:17 UTC] No.42736366[source]▶

>>42736293 (TP) #

This can be done. Not sure how on Windows/bitlocker but certainly with cryptenroll. Essentially you’d wrap this in your bootscript, though.

So password (or pin) encrypts passphrase, passphrase encrypts LUKS and goes to TPM, then you need to reverse the process for your init script (request password, decrypt passphrase, exchange with TPM to decrypt LUKS), but it depends on your appetite for planning that out.

replies(1): >>42736505 #

3. mateusz834 ◴[17 Jan 25 11:39 UTC] No.42736505[source]▶

>>42736366 #

Wouldn't this work with some kind of PKDF instead?

Like: Password ---> PKDF ---> PIN

And then Password XOR (Key from TPM) -> LUKS

But i guess this kind of logic is not for a bootscript, but for tools like systemcd-cryptenroll.

↑

Bypassing disk encryption on systems with automatic TPM2 unlock