You are not logged in.

#1 2021-10-19 06:49:21

beroal
Member
From: Ukraine
Registered: 2009-06-07
Posts: 318
Website

Does the `sd-encrypt` hook support PIN for encrypted disks?

I mean the feature in Windows BitLocker. Since I don't use Windows, I can describe it only superficially. When a computer is booted, a user types in a PIN into their OS. Only if the typed PIN is correct, the OS uses the Trusted Platform Module (TPM) to decrypt the root file system. So no secret data allowing to decrypt the root file system leaves TPM if the PIN is incorrect. This feature prevents a cold boot attack and many other hardware attacks as states in “BitLocker Countermeasures”. I wonder whether it's possible to implement such a feature on Linux.


we are not condemned to write ugly code

Offline

#2 2021-10-19 13:32:27

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,236
Website

Re: Does the `sd-encrypt` hook support PIN for encrypted disks?

https://wiki.archlinux.org/title/Truste … _with_LUKS ?

edit: nevermind, I missed the PIN part.

Last edited by Alad (2021-10-19 17:13:00)


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby

Offline

#3 2021-10-19 15:00:42

sabroad
Member
Registered: 2015-05-24
Posts: 223

Re: Does the `sd-encrypt` hook support PIN for encrypted disks?

beroal wrote:

Only if the typed PIN is correct, the OS uses the Trusted Platform Module (TPM) to decrypt the root file system.

TPM+PIN is not yet supported by systemd/cryptsetup.

That said, it's arguably better(TM) in Linux to use TPM for root filesystem and FIDO2+PIN for user homes.

Last edited by sabroad (2021-10-19 15:00:54)


--
saint_abroad

Offline

Board footer

Powered by FluxBB