
189 points arjvik | 1 comment
acheong08 (No.42733994)
I don't understand why anyone would use passwordless disk encryption. It just seems inherently vulnerable, especially with the threat model of physical compromise.

Entering a password on boot isn't even that much work

replies(19)
AzzyHN (No.42740673)
I believe with software-based encryption (LUKS and the like), the decryption key ends up being stored in RAM, which will always present a risk.

And TPM-based solutions don't have this problem. Could be wrong though.

replies(1)
kevincox (No.42740831)
I think most TPM based solutions still use software encryption. Most TPMs don't have the bandwidth to actually decrypt all disk data as it is read. (I think Apple devices do actually do something like this, but I don't think it is common.)

I believe when using TPM with LUKS the TPM just decrypts the master key and that is handed back to the OS and used in software. So the primary key does end up in RAM.
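To make the mechanism kevincox describes concrete, here is an added example (not code from the thread or from cryptsetup/systemd): it inspects LUKS2 header metadata in the shape that `cryptsetup luksDump --dump-json-metadata` prints and reports which keyslots are unlocked by a TPM2 token, whether that token needs a PIN, and which cipher the data segment uses. The sample header is constructed inline; the `systemd-tpm2` token field names (`tpm2-pcrs`, `tpm2-pin`, `tpm2-pcr-bank`) are assumed to match what `systemd-cryptenroll` writes, and the blob value is a placeholder. The point it illustrates is the division of labour: the token only carries a TPM-sealed copy of a keyslot secret; the data segment is still `aes-xts-plain64` handled by dm-crypt in software once the volume key has been released.

```python
import json

# Constructed sample resembling `cryptsetup luksDump --dump-json-metadata` output for a
# LUKS2 volume with one passphrase keyslot (0) and one keyslot (1) unlocked by a
# systemd-cryptenroll TPM2 token. Values are illustrative, not a real header.
def sample_metadata(pin: bool) -> str:
    return json.dumps({
        "keyslots": {
            "0": {"type": "luks2", "key_size": 64,
                  "kdf": {"type": "argon2id", "time": 4, "memory": 1048576}},
            "1": {"type": "luks2", "key_size": 64,
                  "kdf": {"type": "pbkdf2", "hash": "sha512", "iterations": 1000}},
        },
        "tokens": {
            "0": {"type": "systemd-tpm2", "keyslots": ["1"],
                  "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256",   # assumed field names
                  "tpm2-pin": pin, "tpm2-blob": "<placeholder>"},
        },
        "segments": {
            "0": {"type": "crypt", "encryption": "aes-xts-plain64", "sector_size": 512},
        },
    })


SAMPLE_LUKS2_METADATA = sample_metadata(pin=False)


def audit_luks2(metadata_json: str) -> dict:
    """Summarise how a LUKS2 volume is unlocked and where the bulk decryption happens.

    Returns keyslots reachable via a TPM2 token, keyslots that still need a passphrase,
    the data-segment cipher, and findings about tokens that release the key with no
    user secret at all.
    """
    meta = json.loads(metadata_json)
    keyslots = meta.get("keyslots", {})
    tokens = meta.get("tokens", {})
    segments = meta.get("segments", {})

    tpm_slots = set()
    findings = []
    for tid, tok in tokens.items():
        if tok.get("type") != "systemd-tpm2":
            continue
        slots = [str(s) for s in tok.get("keyslots", [])]
        tpm_slots.update(slots)
        pcrs = tok.get("tpm2-pcrs", [])
        if not tok.get("tpm2-pin", False):
            # No PIN: the TPM unseals the keyslot secret automatically once the PCR
            # policy matches, so the volume key reaches the kernel without any input
            # from the user. This is the "passwordless" case discussed in the thread.
            findings.append(
                f"token {tid}: unseals keyslot(s) {slots} bound to PCRs {pcrs} with no PIN"
            )

    passphrase_slots = sorted(s for s in keyslots if s not in tpm_slots)

    # Whatever unlocked the keyslot, the data segment is decrypted by dm-crypt in
    # software with the volume key held in kernel memory; the TPM is not in that path.
    data_seg = segments.get("0", {})
    bulk_cipher = data_seg.get("encryption", "unknown")
    bulk_in_software = data_seg.get("type") == "crypt"

    return {
        "tpm_keyslots": sorted(tpm_slots),
        "passphrase_keyslots": passphrase_slots,
        "bulk_cipher": bulk_cipher,
        "bulk_decryption_in_software": bulk_in_software,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, blob in (("no PIN", SAMPLE_LUKS2_METADATA), ("with PIN", sample_metadata(pin=True))):
        print(label, json.dumps(audit_luks2(blob), indent=2))
```

On a real system, run `cryptsetup luksDump --dump-json-metadata /dev/<dev>` (as root) and feed the output to `audit_luks2`. Note that the audit only tells you how the key is released; it cannot change where it lives afterwards. Once the mapping is open, `dmsetup table --showkeys` (root) shows either the volume key itself or its kernel-keyring reference, which is the practical confirmation of the thread's point that TPM enrollment moves the unlock step into hardware but leaves the volume key in RAM for as long as the device is mapped.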