quixoticgeek (@quixoticgeek@v.st)
dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek But why? TPM backed FDE is pretty nice, and much more gnarly to set up by hand.

quixoticgeek (@quixoticgeek@v.st):

@dequbed snap is fucking awful.

And tying FDE to a TPM means that if your device fails you can't take the disk out, put it in another device and access your data. Also, the fact that people seem to see TPM as a way of avoiding a password means that if you have the device you can just boot up and it decrypts.

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek It's still LUKS, isn't it? So you can still have a backup passphrase and I would assume the Ubuntu installer will default to making you add one.
And yes, TPM is a way to avoid a password and still do FDE, that's the upside of it. I seem to be missing your point there?

quixoticgeek (@quixoticgeek@v.st):

@dequbed so with a TPM and FDE with no passphrase, if I turn on the device it auto-decrypts, yes? Without any user input. Meaning I could decrypt your device just by turning it on?

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek I mean yes, but FDE is only meant to protect you against offline attacks, i.e. if somebody steals or clones your hard drive they can't just edit your /etc/shadow and log in. That's still the case.

quixoticgeek (@quixoticgeek@v.st):

@dequbed yes. But if someone steals your device and the TPM decrypts it automatically, that's not really much use. It's only encrypted at rest.

eythian:

@quixoticgeek @dequbed
The link covers that. You can also have a decrypt password if you choose.

quixoticgeek (@quixoticgeek@v.st):

@eythian @dequbed can.

Imho. Should.

eythian:

@quixoticgeek @dequbed
Eh, that's threat model dependent. For me, probably not. For my work stuff, maybe. I'd want to consult with security. But I imagine this is acceptable to them, as it's how, afaik, the Mac and Windows stuff behaves too. Right now it's vulnerable to evil maid attacks.

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek I mean, if you steal my laptop you can turn it on and get to my login prompt. And then? That's not much help unless you also happen to be able to exploit sddm in a way that circumvents systemd-logind.

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek And most importantly, that's the same situation as if you stole my laptop while it's turned on but locked. Which is IMHO much more likely ^^

quixoticgeek (@quixoticgeek@v.st):

@dequbed most likely is the device is left on a train... or it's stolen when off. The device isn't left powered on unattended.

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek Hmm, sure. But then, again, you can only get as far as the login prompt. That's still really good, and if properly configured almost as safe as password-based FDE is against almost all attack vectors (and theoretically better against some other ones).

quixoticgeek (@quixoticgeek@v.st):

@dequbed or any open network ports... or sniff the key off the SPI comms to the TPM...

quixoticgeek (@quixoticgeek@v.st):

@dequbed or if the boot process isn't locked down properly, boot init=/bin/sh and carry on...

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek The kernel command line can and should be fed into the PCR of the TPM which means that if you try to mount that attack then the TPM will be unable to give you the proper FDE key and you'll be looking at a LUKS prompt.
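A toy model of the mechanism dequbed describes, added here and not part of the thread: the boot chain extends a PCR with the kernel and its command line, the disk key is sealed to the resulting PCR value, and an `init=/bin/sh` edit changes the measurement so the key is not released. The hash-chain `extend` follows the TPM 2.0 definition; the seal/unseal functions, the sample kernel bytes and the command lines are constructed for illustration, not a real TPM API.

```python
import hashlib
from typing import Optional

PCR_INIT = b"\x00" * 32  # a fresh SHA-256 PCR bank starts at all zeros


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend: PCR' = H(PCR || H(event)). Order-dependent, one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(kernel: bytes, cmdline: str) -> bytes:
    """Model of a boot stub measuring the kernel image and then its command line."""
    pcr = pcr_extend(PCR_INIT, kernel)
    return pcr_extend(pcr, cmdline.encode())


def seal(key: bytes, expected_pcr: bytes) -> dict:
    """Constructed model of sealing: the key is wrapped under a value derived from
    the PCR the object is bound to, and the policy digest is stored alongside."""
    wrap = hashlib.sha256(b"policy-wrap" + expected_pcr).digest()
    return {"policy": hashlib.sha256(expected_pcr).digest(),
            "blob": bytes(a ^ b for a, b in zip(key, wrap))}


def unseal(sealed: dict, current_pcr: bytes) -> Optional[bytes]:
    """Release the key only if the current PCR satisfies the sealed policy."""
    if hashlib.sha256(current_pcr).digest() != sealed["policy"]:
        return None  # a real TPM fails the policy check and never unwraps
    wrap = hashlib.sha256(b"policy-wrap" + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# Constructed sample inputs: a stand-in kernel image and two command lines.
KERNEL = b"vmlinuz-constructed-sample-image"
GOOD_CMDLINE = "root=/dev/mapper/root ro quiet"
TAMPERED_CMDLINE = GOOD_CMDLINE + " init=/bin/sh"


def demo() -> tuple:
    """Enroll the FDE key against the normal boot, then try both boots."""
    fde_key = bytes(range(32))  # constructed 32-byte LUKS volume key stand-in
    sealed = seal(fde_key, measure_boot(KERNEL, GOOD_CMDLINE))
    normal = unseal(sealed, measure_boot(KERNEL, GOOD_CMDLINE))
    tampered = unseal(sealed, measure_boot(KERNEL, TAMPERED_CMDLINE))
    return normal == fde_key, tampered is None
```

With the tampered command line the caller gets no key and falls back to the LUKS passphrase prompt, which is the behaviour the post describes.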

quixoticgeek (@quixoticgeek@v.st):

@dequbed that's good.

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek Sniffing the TPM key is a valid attack vector for old TPMs, but takes a rather sophisticated/determined attacker and is also entirely prevented by parameter encryption as TPM 2.0 provides. And an open network port isn't automatically an exploitable program behind it, e.g. up-to-date OpenSSH is pretty hard to break ^^

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek To expand on the determined/sophisticated attacker part: it's very much a valid attack! But most people that use Ubuntu don't have enemies that care enough to mount that attack, because the contents of our computers simply aren't that interesting. With a passphrase, having a camera quietly recording your keyboard is also a valid attack vector, but similarly not worth the hassle for most. For those who need to be that careful, you're right, the default isn't enough. But it never was.

quixoticgeek (@quixoticgeek@v.st):

@dequbed your attack model is not my attack model...

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek Which is valid, but doesn't make a good case for why my threat model isn't a reasonable default for Ubuntu to choose.

quixoticgeek (@quixoticgeek@v.st):

@dequbed I think it encourages bad behaviour, and gives a false sense of security. If someone has access to the hardware and there's no password, then the FDE is not going to do anything but slow things down.

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek Hmm, I don't see the bad behaviour part, and I'm unconvinced about the false sense of security it gives. It changes the attack surface certainly, but I trust my login manager so I don't see this as a meaningful downgrade in security.

quixoticgeek (@quixoticgeek@v.st):

@dequbed I trust nothing.

quixoticgeek (@quixoticgeek@v.st):

@dequbed I think passwordless FDE with keys in the TPM gives a false sense of security.

quixoticgeek (@quixoticgeek@v.st):

@dequbed or I could just use a passphrase for my disk encryption... sure I have to type it in every time I boot. But shit happens. Right now I have to type two passphrases to boot my laptop, then another password to login.

dequbed (@dequbed@mastodon.chaosfield.at):

@quixoticgeek Oh yes, none of this is advice for you specifically, I'm sorry if it read as that! If you want to use passphrase-based FDE, absolutely, more power to you. It just sounded like you had a problem with Ubuntu adding the option of TPM-backed FDE to its installer and I wanted to know what your issues with it were in that case ^^
