I wanted to bring this to someone’s attention: Ubuntu has started to add TPM 2.0 support to drive encryption. So you can now add a LUKS encryption key + use TPM codes to lock your drive at install. Only bad thing is, somehow Snap is involved with this process.
Where I learned about this:
Is it possible someone can add this support at install for Garuda?
I had a serious incident a couple of years ago where very sensitive property was stolen from me by people who had no business being in the positions they are in life, resulting in a home invasion. As a result, decades of highly advanced electromagnetic research was damaged and destroyed, and this has set me back years behind schedule in my profession; I may never properly recover from this.
I’m sure I could have probably used a different version of Linux which may have been more accommodating security-wise, however Garuda offers the best system performance that I have seen for how I go about my business in life. Therefore, wherever I get the chance to add additional security layers to Garuda is a serious asset.
I’m not expecting Garuda to go through many layers of pen testing, but wherever I can add improvements, I’m open to implementing them.
I don’t see any additional security benefits in this. On the contrary, I am dependent on another hardware component that has to function flawlessly, namely the TPM chip or the motherboard. And, of course, the associated software, including UEFI, must also function flawlessly at all times. In my opinion, it makes an already complex structure even more complex and increases the likelihood of errors.
Most modern (non-budget) PC hardware (and other kinds of hardware too) nowadays comes with a TPM2 security chip. In many ways a TPM2 chip is a smartcard that is soldered onto the mainboard of your system. Unlike your usual USB-connected security tokens you thus cannot remove them from your PC, which means they address quite a different security scenario: they aren’t immediately comparable to a physical key you can take with you that unlocks some door, but they are a key you leave at the door, but that refuses to be turned by anyone but you.
Even though this sounds a lot weaker than the FIDO2/PKCS#11 model, TPM2 still brings benefits for securing your systems: because the cryptographic key material stored in TPM2 devices cannot be extracted (at least that’s the theory), if you bind your hard disk encryption to it, it means attackers cannot just copy your disk and analyze it offline — they always need access to the TPM2 chip too to have a chance to acquire the necessary cryptographic keys. Thus, they can still steal your whole PC and analyze it, but they cannot just copy the disk without you noticing and analyze the copy.
Whether or not that is a scenario to be concerned about depends entirely on the individual person’s threat model.
Well, I did mention my situation to someone here that manages the forum in more detail before (but got removed over concerns of security based on the country you see me registered in), but to make a long story short (and to keep it appropriate for Garuda Forum usage)…my hard drives were one of the things that specific unmentionable people were after to begin with. Therefore, TPM use would have been helpful to me if it were available, it would have added another layer of inconvenience to unauthorized people which would have been used to further slow them down.
In my situation, the more time it took for unmentioned people to do whatever it is they needed to do with my information, the more it assisted me in getting out of the kind of trouble I somehow found myself in.
I once had a veteran friend tell me, “if it’s inconvenient for you, it’s hell for someone else.”
And this is nice, don’t get me wrong, but I find it a bit difficult to install and ensure that it is actually functioning, which is why I ask if it can be made into an option to use should a user select “Encrypt Drive” on the install of Garuda. It would also make it easier to get the TPM keys to place into KeePassXC should I need to access it, in a nice fancy clean install window.
This is why I wanted to see it as something optional not required. You make a valid point, don’t get me wrong, but if you don’t want to use it, then you simply don’t have to.
This is the opposite of that. Unlocking your encrypted hard drive with the TPM chip is basically the easiest, most convenient unlock method possible because you don’t even have to do anything. Just boot up your computer and the encryption is unlocked automatically.
Systemd is already installed. This feature is available since systemd 248. There is nothing difficult about it. You run two commands in the terminal and you are done.
You do not store TPM keys in KeePassXC, nor anywhere else. They are intended to be impossible to extract from the TPM chip. If you want to use KeePassXC to unlock your encrypted drive then use a complex passphrase instead.
Honestly, if additional security is your goal then a complex passphrase is the way to go anyway. Unlocking with TPM is basically the least secure possible unlock method; it only protects against a few very specific types of attacks.
What Ubuntu was offering was that a passphrase was used to unlock the drive + the use of TPM together. So you still have to put in a huge password, and you have to use it with TPM complementing that password.
Now, if you remove that drive and try to do things to it, it goes haywire on you when you put it back into the computer with that TPM module. Then you have to put in this huge key like Windows 11 asks you to do to decrypt the drive, but instead of Windows doing that, Ubuntu does that instead. This is why they give you a QR code at install that you are expected to write down somewhere to unlock the drive.
After looking through the link provided, I don’t know how you plug both LUKS key + TPM into the setup. From what it looks like, it’s either Passphrase OR TPM, not Passphrase AND TPM.
Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
Added in version 248.
It looks like Ubuntu made a GUI for it, which is nice I guess but this is not a new feature.
When enrolling a TPM2 device, controls whether to require the user to enter a PIN when unlocking the volume in addition to PCR binding, based on TPM2 policy authentication. Defaults to “no”. Despite being called PIN, any character can be used, not just numbers.
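To tie the pieces of this thread together (the “two commands” from the systemd-cryptenroll reply, the recovery-key option quoted above, and the `--tpm2-with-pin=` option quoted just above, which gives the “passphrase AND TPM” combination the OP was looking for), here is an added example script. It is not from the thread, from Ubuntu or from Garuda. It assumes an Arch-based install with systemd (at least 251 for the PIN option), a LUKS2 volume that the installer already set up with a passphrase in slot 0, a TPM2 present, and placeholder values for the device path, mapper name and UUID. It also includes the check a practitioner would want afterwards: that the slot listing shows exactly one tpm2 slot, a recovery slot, and a passphrase still enrolled, so the machine stays unlockable if the TPM ever refuses.

```shell
#!/bin/sh
# Added example (not the forum's or Garuda's own code). Assumes systemd >= 251,
# an existing LUKS2 volume with a passphrase in slot 0, and a TPM2 chip.
# DEV, NAME and UUID below are placeholders, not values from the thread.
set -eu

# The two enrollment commands. Binding to PCR 7 (Secure Boot state) means the
# TPM refuses to unseal when the boot chain changes or the disk is moved to
# another machine; --tpm2-with-pin=yes additionally demands a PIN (any
# characters) at boot, which is the "passphrase + TPM" combination discussed.
# The second command enrolls a computer-generated recovery key (also shown as
# a QR code) for exactly that fallback case.
enroll_commands() {
    dev=$1
    printf '%s\n' \
      "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes $dev" \
      "systemd-cryptenroll --recovery-key $dev"
}

# /etc/crypttab line so systemd-cryptsetup tries the TPM2 (asking for the PIN)
# first and falls back to the passphrase or recovery key if unsealing fails.
crypttab_line() {
    name=$1; uuid=$2
    printf '%s UUID=%s none tpm2-device=auto\n' "$name" "$uuid"
}

# Check the slot listing printed by `systemd-cryptenroll DEV` (columns SLOT TYPE),
# read from stdin so it can also be checked against a saved copy offline.
# Pass: exactly one tpm2 slot, a recovery slot, and a passphrase left in place.
slots_ok() {
    awk 'NR > 1 { n[$2]++ }
         END { exit !(n["tpm2"] == 1 && n["recovery"] >= 1 && n["password"] >= 1) }'
}

# Run the enrollment, then verify. DRY_RUN=1 only prints what would be executed.
enroll() {
    dev=$1
    enroll_commands "$dev" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
    [ "${DRY_RUN:-0}" = 1 ] || systemd-cryptenroll "$dev" | slots_ok
}

# Usage: sh enroll-tpm2.sh /dev/nvme0n1p2   (run as root on the real device)
if [ $# -gt 0 ]; then
    enroll "$1"
fi
```

The TPM-sealed key itself never leaves the chip and has nothing to store, but the recovery key printed by the second command is exactly what belongs in a password manager kept on a different device: it is the only thing standing between you and a locked machine after a firmware update or a motherboard swap changes PCR 7.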