Can we have full disk encryption

frankjunior · October 14, 2023, 7:12am

Can we have full disk encryption using tpm just like what ubuntu has done it will solve many previous issues that were stopping us from having full disk encryption like forgetting password and so on. And it will give a hugh amount of safety like if the device got stolen.
I think we have a discussion going some months ago but we did not come to a conclusion but as new and new methods are comming like what we see in ubuntu 23.10 disk encryption using tpm2.

This can be a opt in feature for new installs.
Having full disk encryption does not make system slow

dwaris · October 14, 2023, 11:26am

Hi, this method is not new, it’s just not adding much.
Luks full disk encryption can be enabled in the installer already.
Now why it’s not adding much?

If your device got stolen, it simply boots.
If something in the boot process has changed, it will ask for the password, like Bitlocker asks for it, after an grub update.
The security of tpm in general is questionable.

It does make brute force attacks against the luks password harder, especially for bad/short ones but nobody will try that anyway.
It’s just adding to much unnecessary complexity, especially for data recovery, etc…

If you still want it: https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/

mattdm · October 14, 2023, 7:26pm

Famous last words when it comes to security.

dwaris · October 14, 2023, 9:05pm

This is simply not a possible attack vector, not even for a state actor.
You can’t crack a good LUKS password with Argon2 hashing! Argon2 even prevents GPU accelerated attacks. If someone is stupid enough to try it nevertheless, he probably has the backdoor for the TPM (proprietary black box btw). Full disk encryption on its own IS secure.
You could even argue that adding TPM reduces security because we know nothing about it.
What likely will happen instead, if your encrypted laptop gets stolen: wipe and eBay.

zestygrass · October 15, 2023, 12:31am

You make some good points @dwaris
I think there fair compromises between security and ease of use.
Every time I do encrypted install for someone, they get annoyed with having to type two passwords to use their computer. At the very least, tmp unlock will make data encrypted at rest, this going to raise minimum bar of security.

frankjunior · October 15, 2023, 6:00am

This issue can easily solved with unlock using tpm
But if someone wants the oldschool luks in that case they can simply use this but having a option maybe opt in by default which will encrypt disk using tpm so users don’t need to use multiple password and unlock layer by layer…

zestygrass · October 15, 2023, 7:20am

Yes, tpm unlocking will be helpful.
Would really love for fedora to add this option in their new installer in the future.

steiner · October 15, 2023, 10:45am

Also, if people are afraid of their PC booting automatically there’s an option in systemd-cryptenroll that could be implemented there, where instead of asking for your LUKS password it asks for a PIN, which is much simpler to remember while still using the TPM as an extra layer of security. I’ve been wanting to see TPM2 at least as an option in Anaconda for years now.

zestygrass · October 16, 2023, 5:26am

I like the idea of a PIN, but it might introduce a false sense of security if the PIN is an important date in their life. Regardless, security is an exercise of acceptable compromises and functionality.

New installer was pushed back a release, there is a chance we might see TPM unlocking soon, now that ubuntu added it.