Currently, the website has a section that mentions that an advantage native OS encryption has over VeraCrypt is that it can work with a TPM. I'm still pretty new to this, but from my limited understanding, one of the TPM-related advantages would be being able to boot without always having to input the passphrase (like how it works by default for BitLocker).
LUKS, however, doesn't seem to do this at first glance, and from further reading it seems like it requires some extra config (that may vary depending on the distro?).
Much like how there's an extra BitLocker section that explains how to set it up on Windows Home, it'd be nice to have a guide on how to set up LUKS with a TPM, since it's kind of mentioned already.
This is half a site development post and half a question because, like I said, I'm just starting to use Linux and I'm kind of puzzled about how to do this.
It's funny to see the faces of your colleagues when they boot up your laptop and are immediately greeted with a password prompt.
I mean, the TPM is convenient, but it certainly feels like you actually lose some security when your drives are still attached to the laptop, which is where the thieves/government agents/spies/bad people will find them first.
The TPM can still require a PIN or password; the main reason for using it is that it can be rate-limited by the hardware or not provide access if certain measurements have changed.
It can, but no distribution sets this up automatically. It can be done using the systemd-cryptenroll command. The main issue is that it's still missing some things, but they are making progress in that direction. See this post from Lennart Poettering:
On one of my systems I have kind of gotten it to work with a setup similar to this:
Then you'll need to build your own initramfs with TPM support. I have only done this on Arch and Fedora Silverblue.
One of the things you'll find is that Secure Boot will now be required (disabling it will mean the TPM is inaccessible), and you need a recovery key.
The other thing is that if there is a bootloader update you may find you need the recovery key; otherwise you won't be able to log in easily. It's also really only worth doing if you're using a signed UEFI unified kernel image.
It’s certainly not mainstream and requires a custom setup that is quite fragile, particularly when moving from one version to the next.
Not sure about Fedora's timeframe or commitment to this; I've heard the idea floated, but not seen much discussion.
OpenSUSE has alluded to wanting to do some things with the TPM and MicroOS but it sounded more like an aspirational goal to be considered down the road than something concrete and definite on the roadmap.
This is all I've read about OpenSUSE and TPM2 (click to expand)
Richard Brown mentioned where they want to go as far as modern encryption, TPM stuff, and a bunch of other stuff I barely understood so let’s just say it’s on their radar and I hope to see a blog post from them in the future!
So I tried to install Ubuntu 23.10 with TPM on bare metal, but the option is greyed out. I do not know if this needs a proper TPM chip module that you plug into the motherboard's internal header (AFAIK my mobo does not have it, just the fTPM variety).
Replace the password below with your actual password? Also replace /dev/nvmeXXXXX with the correct partition with the LUKS encryption?
Does this mean I need to rebuild the kernel with TPM support on each update?
You know what, I think I'll just watch a YT video on this. YouTube is ripe for the taking if you make a guide to install with LUKS and TPM; I can't seem to find a guide and my Google-fu is failing me.
Oh... snapd seems to be involved in TPM... I was planning to manually gut it... so it seems like a no-go to me.
Side tangent rant: also, I can't seem to be able to do what I want to do in Ubuntu as time goes by from version to version... wth is going on?!?
Whereas in Arch (when using dracut) we need to add the module:
add_dracutmodules+=" tpm2-tss "
Pacman has hooks to rebuild the initramfs when a new kernel is installed, and so does rpm-ostree. Not sure about apt or Ubuntu as I don't use them.
The problem is there is no real "standard" way of doing this, and it does vary depending on distribution. We've refrained from making specific guides until a more universal solution exists, particularly in regard to UKI (most distributions, including Ubuntu, do not do unified kernel images), which means little security is gained as the initramfs isn't signed anyway.
I think this would depend on the threat model and the context within which you are using the TPM (and of course how you are using it since the TPM can be used in various ways).
The question should not be whether using the TPM is good or bad for security. The question should be whether making use of the TPM is meaningfully worse, better, or neutral in the context you would be using it or not using it.
You can exclude "0" from the PCR value to prevent having to set it up again. 7 & 14 should be the minimum values that you should include to keep a balance, which is what even the man page of systemd-cryptenroll suggests.
I was easily able to set this up on Fedora currently. I have to test it when some major updates arrive.
Though having to enter the LUKS passphrase once in a while isn't that bad a thing. It takes just one command to activate it again.
I really hope these distributions make this easier to set up in the future, and eventually it becomes part of the normal installer.
Most devices like Android, iPhones, and Windows are encrypted by default nowadays, so it only makes sense for Linux to encrypt by default as well.
I was surprised, though, that much of the Linux community didn't bother to encrypt their drives. Possibly due to this double password requirement.
Even though the current TPM integration might not be the safest, it still feels worth using.
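The pieces of the procedure are scattered across the thread: the systemd-cryptenroll post (enroll a recovery key, bind a TPM2 slot, expect to need the recovery key after bootloader updates), the Arch post (add the tpm2-tss dracut module so the initramfs can talk to the TPM), and the post just above (bind PCRs 7 and 14 at minimum, leave PCR 0 out so firmware updates don't force a re-enroll). The script below is an added example, not code from the thread or from systemd, that puts those pieces together as a dry run: it validates the PCR choice and prints the exact commands and config fragments to apply, without touching the TPM or the disk. The device path /dev/nvme0n1p2 and the mapper name "root" are hypothetical defaults; pass your own as arguments.

```sh
#!/bin/sh
# Added example, not code from the thread: dry-run helper that prints the
# three pieces the posts above describe so they can be reviewed before
# anything runs as root. Assumptions (hypothetical): the LUKS2 partition is
# /dev/nvme0n1p2 and its mapper name is "root"; override via arguments.
# Nothing here touches the TPM or the disk; it only prints commands and config.

# Validate a '+'-separated PCR list: digits only, and it must include 7
# (Secure Boot state) and 14 (shim MOK state), the minimum the thread recommends.
pcr_list_ok() {
    case "$1" in
        ""|*[!0-9+]*) return 1 ;;
    esac
    has7=0; has14=0
    for p in $(printf '%s' "$1" | tr '+' ' '); do
        [ "$p" = 7 ] && has7=1
        [ "$p" = 14 ] && has14=1
    done
    [ "$has7" = 1 ] && [ "$has14" = 1 ]
}

# PCR 0 changes on every firmware update, which would force a re-enrollment.
pcr_includes_zero() {
    case "+$1+" in *+0+*) return 0 ;; esac
    return 1
}

# Enrollment: add a recovery key first (a bootloader/firmware change can leave
# the TPM slot unusable), then bind a TPM2 slot to the chosen PCRs.
# Pass "yes" as the third argument to also require a PIN at boot
# (--tpm2-with-pin, available in systemd 251 and newer).
enroll_cmds() {
    dev="$1"; pcrs="$2"; pin=""
    [ "${3:-no}" = yes ] && pin=" --tpm2-with-pin=yes"
    printf 'systemd-cryptenroll --recovery-key %s\n' "$dev"
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s%s %s\n' "$pcrs" "$pin" "$dev"
}

# /etc/crypttab entry: systemd-cryptsetup tries the TPM2 first and falls back
# to a passphrase prompt if unsealing fails (for example after a PCR change).
crypttab_line() {
    printf '%s %s none tpm2-device=auto,discard\n' "$1" "$2"
}

# dracut drop-in so the initramfs carries the TPM2 stack (the tpm2-tss module
# from the Arch post); pacman and rpm-ostree hooks rebuild it on kernel updates.
dracut_conf() {
    printf 'add_dracutmodules+=" tpm2-tss "\n'
}

main() {
    dev="${1:-/dev/nvme0n1p2}"; pcrs="${2:-7+14}"
    if ! pcr_list_ok "$pcrs"; then
        echo "PCR list '$pcrs' must be digits joined by '+' and include 7 and 14" >&2
        return 1
    fi
    if pcr_includes_zero "$pcrs"; then
        echo "warning: binding PCR 0 means every firmware update needs a re-enroll" >&2
    fi
    echo "# 1. run as root:"
    enroll_cmds "$dev" "$pcrs" "${3:-no}"
    echo "# 2. append to /etc/crypttab:"
    crypttab_line root "$dev"
    echo "# 3. write to /etc/dracut.conf.d/tpm2.conf, then run: dracut --force"
    dracut_conf
}

main "$@"
```

Run it as `sh luks-tpm-dryrun.sh /dev/nvme0n1p2 7+14` and copy the printed commands; adding `yes` as a third argument keeps the TPM rate limiting the post on PINs mentions while still requiring something the thief does not have. Rebuilding the initramfs after writing the dracut drop-in is what makes step 2 work on the next boot.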