this post was submitted on 20 Aug 2024
47 points (96.1% liked)
linux4noobs
1270 readers
1 users here now
linux4noobs
Noob Friendly, Expert Enabling
Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.
Seeking Support?
- Mention your Linux distro and relevant system details.
- Describe what you've tried so far.
- Share your solution even if you found it yourself.
- Do not delete your post. This allows other people to see possible solutions if they have a similar problem.
- Properly format any scripts, code, logs, or error messages.
- Be mindful to omit any sensitive information such as usernames, passwords, IP addresses, etc.
Community Rules
- Keep discussions respectful and amiable. This community is a space where individuals may freely inquire, exchange thoughts, express viewpoints, and extend help without encountering belittlement. We were all a noob at one point. Differing opinions and ideas is a normal part of discourse, but it must remain civil. Offenders will be warned and/or removed.
- Posts must be Linux oriented
- Spam or affiliate links will not be tolerated.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
K, so I'm probably oversimplifying, but almost all distros should allow you to at least encrypt
/home
, and although I haven't tried it myself yet, whole-disk encryption via UEFI is possible. You say your threat model is only someone trying to unlock your device, but it sounds as if you're not worried about espionage - someone gaining access to your computer and replacing the/efi
boot process with something that will harvest your password when you log in. If all you're worried about is seizure and data protection, why isn't disk encryption sufficient?If you really feel like you need TPM, Arch supports it, which means other distros do, too. Although, figuring it out for, e.g., Ubuntu of something you'll have to research; the Arch wiki is the most fantastic source of Linux documentation on the web, and much (but not all) of it can help with other distros.
I may be completely misunderstanding what problem you're encountering, but (a) disk encryption is trivial to set up on both Mint and EndeavorOS installers (the two I've used most recently), and (b) TPM certainly seems possible from the Arch wiki.
Idk if FDE is enough, what if the attacker can modify the boot code to capture the decryption keys and other stored passwords ? as far as I know this is exactly what secure boot protects against, it checks the validity of the boot code using the TPM chip, if it's already there, why don't most distros use it ? instead you'll see that secure boot is greyed out in the Bios ( which means it's not supported )
and yes, I did lock down the Bios too, with a different password
Edit: I'll check EndevourOS documentation, Mint is cool but it doesn't adobt newer standards or newer kernels ( newer kernels are just much more secure )
I was going off what you said:
This doesn't sound to me as if you're concerned about espionage - repeated, covert, root access to your computer, for the purpose of installing software to capture your keys, so that they can steal your computer and have complete access. If someone has remote root access to your computer, you're fucked, TPM or not; they'll just read what they want whenever you're logged in and using your computer.
TPM is for when you might not have secured physical access to your computer. Like, you're worried the NSA is going to sneak into your house while you're out shopping, pull your HD, replace the boot loader, and re-install it before you get home.
If you're only worried about, say, losing a laptop, or a search & seizure at your house, an encrypted HD is good enough. TPM and a keylocked BIOS are belts-and-suspenders, but if they want to get at the data they'll just pull the HD and run code-breaking software on it on and entirely different super-computer. TPM won't help you at all in that case.
Honestly, TPM is for a specific threat mode, which is much more like ongoing espionage, than simple opportunity theft. Your stated use case sounds more like the latter than the former.
You make it sound so easy and doable, but the reality is that without meeting certain conditions such as the existence of the original TPM chip, a brute force attack will render the data irretrievable.. And even if I'm wrong in the last part, that would still be a pain in the butt for the attacker... and it'll buy me time... like you said ... belts-and-suspenders
Because i don't have second chances, which is why I wish there's way to erase everything by entering a key combination.. somehow.. Idk.. like Android has that..
That triggered a memory for me. Apparently certain SSD(Samsung I heard of, not sure about others) always encrypt your data in hardware with a random key, this is done transparently to the OS and is otherwise unremarkable.
What it archives though and afaik is intended for is the possibility of easily and quickly "erasing" the disk by just overwriting that encryption key a couple times, I don’t remember if that used a special tool or something but if that is useful to you it probably wouldn’t be hard to find more info on this.
Samsung is a reasonably trustworthy company, not from US/UK, not Chinese, so if they say they have a clean implementation of this I’d trust them. Would be kinda a national security issue for them if it wasn’t seeing how Samsung is everywhere in gov an private sector in Korea.