
Apple: SSH and FileVault

(keith.github.io)
507 points | ingve | 1 comment
pfexec No.45295315
Friendly reminder that you've been able to automatically unlock fully-encrypted Linux systems via TPM for years since it was added to systemd...

(Here's a nickel kid...)

replies(7): >>45295330 #>>45295407 #>>45295507 #>>45295760 #>>45295936 #>>45299627 #>>45311400 #
rnhmjoj No.45295407
Also possible without a TPM: you just put openssh into the initrd, so you can log in and type the password to unlock the root.

(It's technically not full-disk encryption because the kernel and initrd are in plaintext, but everything else is)

replies(1): >>45295435 #
pfexec No.45295435
What do you authenticate against? Your shadow file is in the unencrypted area leaving it susceptible to offline attack.

With the TPM you can fully disable password auth over SSH.

replies(2): >>45295467 #>>45299124 #
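The point pfexec makes above is that an SSH daemon living in the unencrypted initrd should not accept passwords at all, because the only thing it could check them against sits on plaintext storage. The script below is an added example written for this thread, not code from either commenter or from the linked article: it audits an initrd sshd_config fragment and accepts it only if every password-based path is off and public-key authentication is on, mirroring sshd's first-match rule for keywords. Both config fragments and the authorized_keys path are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit an initrd sshd_config so that an
# SSH-in-initrd unlock path only accepts public-key authentication.
# The two config fragments and the AuthorizedKeysFile path are constructed samples.

# Constructed sample: a hardened initrd sshd_config fragment.
HARDENED_CFG=$(cat <<'EOF'
Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitRootLogin prohibit-password
AuthorizedKeysFile /etc/ssh/initrd_authorized_keys
EOF
)

# Constructed sample: a weak fragment that still lets a password through.
WEAK_CFG=$(cat <<'EOF'
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
)

# effective_value CONFIG KEYWORD
# sshd honours the first occurrence of a keyword and ignores later ones, so the
# audit must do the same; comment lines are skipped, keyword match is case-insensitive.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# check_key_only CONFIG
# Returns 0 when passwords and keyboard-interactive auth are off and public keys
# are on.  A keyword that is absent falls back to sshd's default (yes for both
# password paths), which correctly fails the check.
check_key_only() {
    cfg=$1
    pw=$(effective_value "$cfg" PasswordAuthentication)
    kbd=$(effective_value "$cfg" KbdInteractiveAuthentication)
    pk=$(effective_value "$cfg" PubkeyAuthentication)
    [ "${pw:-yes}" = no ] || return 1
    [ "${kbd:-yes}" = no ] || return 1
    [ "${pk:-yes}" = yes ] || return 1
    return 0
}

if check_key_only "$HARDENED_CFG"; then
    echo "hardened sample: key-only authentication"
else
    echo "hardened sample: FAIL, a password path is still open"
fi
if check_key_only "$WEAK_CFG"; then
    echo "weak sample: key-only authentication"
else
    echo "weak sample: FAIL, a password path is still open"
fi
```

Run it against the sshd_config you actually bake into the initrd rather than the one on the root filesystem; the two are easy to confuse and only the former matters here. Key-only SSH removes the offline-attack surface on the shadow file, but as the next reply notes it does not by itself protect the typed LUKS passphrase from someone who can tamper with the plaintext initrd, so the client side should also pin the initrd's SSH host key in known_hosts.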
rnhmjoj No.45295467
Correct, someone with physical access could run a MitM attack and steal your passphrase. I just find this extremely unlikely, so I honestly don't care.