I mean the feature in Windows BitLocker. Since I don't use Windows, I can describe it only superficially. When a computer is booted, a user types a PIN into their OS. Only if the typed PIN is correct does the OS use the Trusted Platform Module (TPM) to decrypt the root file system. So no secret data allowing decryption of the root file system leaves the TPM if the PIN is incorrect. This feature prevents a cold boot attack and many other hardware attacks, as stated in “BitLocker Countermeasures”. I wonder whether it's possible to implement such a feature on Linux.
we are not condemned to write ugly code
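The property the post describes is that the PIN is enforced inside the TPM together with the measured boot state, so a wrong PIN (or a changed boot chain) causes the chip to release nothing, and the chip's dictionary-attack lockout bounds guessing. The following toy model is an added illustration written for this thread, not real TPM code and not part of the original post: it simulates a sealed volume key with HMAC-SHA256 from the standard library, with a constructed PCR measurement, an assumed lockout threshold of three failures, and a hypothetical `ToyTpm` class standing in for the chip.

```python
"""Toy model of a PIN-gated TPM unseal (constructed illustration, not real TPM code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_AUTH_FAILURES = 3   # assumed lockout threshold; real TPMs make it configurable
ZERO_PCR = bytes(32)


class TpmLockedOut(Exception):
    pass


class UnsealFailed(Exception):
    pass


def pcr_policy_digest(pcrs: dict[int, bytes]) -> bytes:
    """Digest of the selected PCR values, standing in for a TPM2 policy digest."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


@dataclass
class SealedBlob:
    pcr_idx: tuple[int, ...]
    policy_digest: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


@dataclass
class ToyTpm:
    """Hypothetical stand-in for the chip: seed, PCR bank and lockout counter."""
    seed: bytes = field(default_factory=lambda: os.urandom(32))  # never leaves the "chip"
    pcrs: dict[int, bytes] = field(default_factory=dict)
    auth_failures: int = 0

    def extend(self, idx: int, measurement: bytes) -> None:
        """PCR extend: new = SHA256(old || measurement), as firmware does at boot."""
        self.pcrs[idx] = hashlib.sha256(self.pcrs.get(idx, ZERO_PCR) + measurement).digest()

    def _current_policy(self, pcr_idx) -> bytes:
        return pcr_policy_digest({i: self.pcrs.get(i, ZERO_PCR) for i in pcr_idx})

    def _keys(self, policy: bytes, pin: str, nonce: bytes) -> tuple[bytes, bytes]:
        # Wrapping keys depend on the chip seed, the PCR policy and the PIN,
        # so a wrong PIN or a changed boot chain yields unrelated keys.
        km = hmac.new(self.seed, b"seal" + policy + nonce + pin.encode(), hashlib.sha256).digest()
        return km[:16], km[16:]

    def seal(self, secret: bytes, pin: str, pcr_idx) -> SealedBlob:
        assert len(secret) <= 32, "toy keystream covers at most 32 bytes"
        policy = self._current_policy(pcr_idx)
        nonce = os.urandom(16)
        enc_key, mac_key = self._keys(policy, pin, nonce)
        keystream = hashlib.sha256(enc_key + nonce).digest()[: len(secret)]
        ct = bytes(a ^ b for a, b in zip(secret, keystream))
        tag = hmac.new(mac_key, policy + nonce + ct, hashlib.sha256).digest()
        return SealedBlob(tuple(pcr_idx), policy, nonce, ct, tag)

    def unseal(self, blob: SealedBlob, pin: str) -> bytes:
        if self.auth_failures >= MAX_AUTH_FAILURES:
            raise TpmLockedOut("dictionary-attack lockout engaged")
        policy = self._current_policy(blob.pcr_idx)
        if not hmac.compare_digest(policy, blob.policy_digest):
            # Boot chain changed: a policy failure, not counted toward lockout.
            raise UnsealFailed("PCR policy mismatch")
        enc_key, mac_key = self._keys(policy, pin, blob.nonce)
        expected = hmac.new(mac_key, policy + blob.nonce + blob.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob.tag):
            self.auth_failures += 1   # wrong PIN counts toward lockout; nothing released
            raise UnsealFailed("bad PIN")
        self.auth_failures = 0
        keystream = hashlib.sha256(enc_key + blob.nonce).digest()[: len(blob.ciphertext)]
        return bytes(a ^ b for a, b in zip(blob.ciphertext, keystream))


def demo() -> dict:
    """Right PIN, wrong PINs, lockout, and a changed boot measurement."""
    tpm = ToyTpm()
    tpm.extend(7, b"constructed secure-boot measurement")  # constructed sample value
    volume_key = os.urandom(32)
    blob = tpm.seal(volume_key, pin="1234", pcr_idx=[7])
    out = {"right_pin": tpm.unseal(blob, "1234") == volume_key}

    rejected = 0
    for guess in ("0000", "1111", "2222"):
        try:
            tpm.unseal(blob, guess)
        except UnsealFailed:
            rejected += 1
    out["wrong_pin_rejected"] = rejected == 3

    try:  # even the right PIN is refused once the lockout has engaged
        tpm.unseal(blob, "1234")
        out["locked_out"] = False
    except TpmLockedOut:
        out["locked_out"] = True

    fresh = ToyTpm(seed=tpm.seed, pcrs=dict(tpm.pcrs))  # same chip, lockout cleared
    fresh.extend(7, b"different bootloader measurement")   # boot chain no longer matches
    try:
        fresh.unseal(blob, "1234")
        out["pcr_change_rejected"] = False
    except UnsealFailed:
        out["pcr_change_rejected"] = True
    out["policy_failure_not_counted"] = fresh.auth_failures == 0
    return out
```

The point of separating the two failure paths in `unseal` is that a PIN guess is throttled by the chip, while a boot-state mismatch is refused outright without consuming lockout budget; an OS-side PIN comparison gives neither property, because the key material would already be outside the chip.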
https://wiki.archlinux.org/title/Truste … _with_LUKS ?
edit: nevermind, I missed the PIN part.
Last edited by Alad (2021-10-19 17:13:00)
Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
Only if the typed PIN is correct, the OS uses the Trusted Platform Module (TPM) to decrypt the root file system.
TPM+PIN is not yet supported by systemd/cryptsetup.
That said, it's arguably better(TM) in Linux to use TPM for root filesystem and FIDO2+PIN for user homes.
Last edited by sabroad (2021-10-19 15:00:54)
--
saint_abroad