I’m curious about the possible uses of the hardware Trusted Protection Module for automatic login or transfer encryption. I’m not really looking to solve anything or pry. I’m just curious about the use cases as I’m exploring network attached storage and, to a lesser extent, self-hosting. I see a lot of places where public/private keys are generated and wonder why I don’t see people mention generating the public key from the TPM, where the private key is never accessible at all.
I use it for Data-at-rest Encryption. Not much else though.
The problem with this is that the key would be “machine based” and not “person based”.
So it’s better for “service accounts”
I use it for storing LUKS credentials, so every time I boot I get dropped at my login manager. It leaves my system vulnerable to attacks on it, but it’s quite convenient.
Besides, if anyone tries to boot any other OS which is not mine, the keys are erased.
Can you explain a bit about how the key erasure works? AFAIK the TPM only refuses to release the key when certain PCRs don’t match; is there a setting to let it erase the key?
https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
I’ve read this article to make my setup, but it’s very informative about the function of the TPM too.
I have read that article; it doesn’t seem to mention that the TPM will erase the key if a different OS is loaded. Maybe I missed something?
It talks about PCRs. Every time another OS is booted some PCRs are changed, and if the keys are installed on the correct ones, this will lead to them being erased.
A security module or a key fob/smart card processes the key internally using its own dedicated RAM and CPU without any debugging support. This way, even something with full RAM and CPU access, or a compromise of your machine, has no way to export or access the key. Data is passed to the module and it returns the scrambled or unscrambled result based on the key, which nobody knows or has ever seen. A key locked with no way to access it can’t be hacked without physically stealing the module, which is where your PIN comes in to save you. The TPM is a very important part of a secure boot chain. If you want to secure other things, I wouldn’t blame you for using a separate module or fob that isn’t always connected until it’s actually needed, and it should only be activated with a physical button or something so you have to be present to engage with it. This adds even more security. So you could use the TPM for boot chain security and a separate fob for data privacy, for example.
It scares me. What if the chip dies? How am I gonna be able to get my stuff? I don’t fully understand how it works, but where is the encryption saved? On the chip itself or somewhere else?
What if the chip dies? How am I gonna be able to get my stuff?
You can have backup keys, but if you don’t have that then your data is gone.
I don’t fully understand how it works, but where is the encryption saved? On the chip itself or somewhere else?
The encryption key is stored in the TPM chip.
Ok this is scary. Lol Unless you have those backup keys then it’s a bit better.
Outside of Microsoft and Windows, what’s the application for it? Does Linux or UNIX have much use for the TPM? Pardon my ignorance, but I bet this is a good place to ask!
Hardware accelerated disk encryption if I’m not mistaken
I use it to auto-unlock LUKS. If someone messed with the hardware/BIOS, it will ask for the password on the next boot.
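The PCR behaviour discussed in the sub-thread above (a sealed LUKS key that the TPM releases only when the boot measurements match, and that a different OS or a BIOS change makes unavailable) can be modelled in a few lines. This is an added simulation, not code from the thread or from the Fedora Magazine article: the "tpm_secret" stands in for the chip's internal storage seed, the boot event lists are constructed sample measurements, and the XOR wrapping is a stand-in for the TPM's real key wrapping. It also shows that a failed unseal leaves the sealed blob itself untouched, which is why a wrong boot falls back to asking for the passphrase rather than losing the key.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one register of a SHA-256 PCR bank


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || H(event)).
    Extends are one-way and order-sensitive, so a register can only be
    reproduced by replaying the exact same sequence of measurements."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(events) -> bytes:
    """Replay a boot's measurement log into a single PCR, starting from zeros."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


def seal(secret: bytes, pcr: bytes, tpm_secret: bytes) -> dict:
    """Bind a LUKS-style key to the current PCR value (a simplified PCR policy).
    tpm_secret is a constructed stand-in for the seed that never leaves the chip."""
    assert len(secret) == PCR_SIZE
    policy = hmac.new(tpm_secret, pcr, hashlib.sha256).digest()
    keystream = hashlib.sha256(tpm_secret + policy).digest()
    return {"policy": policy, "wrapped": bytes(a ^ b for a, b in zip(secret, keystream))}


def unseal(blob: dict, pcr: bytes, tpm_secret: bytes):
    """Release the key only if the live PCR reproduces the sealed policy digest."""
    policy = hmac.new(tpm_secret, pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(policy, blob["policy"]):
        return None  # mismatch: the TPM refuses, but the blob is not erased
    keystream = hashlib.sha256(tpm_secret + blob["policy"]).digest()
    return bytes(a ^ b for a, b in zip(blob["wrapped"], keystream))


# Constructed sample boot logs; not real firmware measurements.
TRUSTED_BOOT = [b"firmware:1.2", b"bootloader:shim", b"kernel:6.8-fedora"]
OTHER_OS_BOOT = [b"firmware:1.2", b"bootloader:shim", b"kernel:live-usb"]
TPM_SECRET = b"constructed-storage-seed-never-exported"
LUKS_KEY = bytes(range(PCR_SIZE))


def demo():
    """Returns (released_on_same_boot, refused_on_other_os)."""
    blob = seal(LUKS_KEY, measure_boot(TRUSTED_BOOT), TPM_SECRET)
    released = unseal(blob, measure_boot(TRUSTED_BOOT), TPM_SECRET) == LUKS_KEY
    refused = unseal(blob, measure_boot(OTHER_OS_BOOT), TPM_SECRET) is None
    return released, refused


if __name__ == "__main__":
    print(demo())
```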