(keith.github.io)

507 points ingve | 2 comments | 18 Sep 25 20:15 UTC | HN request time: 0.408s | source

Show context

pfexec ◴[18 Sep 25 21:37 UTC] No.45295315[source]▶

Friendly reminder that you've been able to automatically unlock fully-encrypted Linux systems via TPM for years since it was added to systemd...

(Here's a nickel kid...)

replies(7): >>45295330 #>>45295407 #>>45295507 #>>45295760 #>>45295936 #>>45299627 #>>45311400 #

xrisk ◴[18 Sep 25 21:56 UTC] No.45295507[source]▶

>>45295315 #

This is not the same thing is it? Arch Wiki mentions something about having to install a separate ssh server into initramfs to support ssh’ing into fully encrypted systems.

systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)

Apologies if I misunderstood something.

replies(2): >>45295907 #>>45296423 #

conradev ◴[18 Sep 25 23:51 UTC] No.45296423[source]▶

>>45295507 #

and I imagine that the initramfs is not encrypted and trivially modifiable?

Apple is able to achieve this securely because their devices are not fully encrypted. They can authenticate/sign the unencrypted system partition.

replies(1): >>45296761 #

1. klooney ◴[19 Sep 25 00:51 UTC] No.45296761[source]▶

>>45296423 #

https://mastodon.social/@pid_eins/113404099228886304

You auth the initrd too

replies(1): >>45297153 #

2. conradev ◴[19 Sep 25 01:53 UTC] No.45297153[source]▶

>>45296761 (TP) #

This is super cool, thanks for the link! I’m glad they were able to leverage the TPM

↑

Apple: SSH and FileVault