alt Hacker NewsPersonally i would like a way to use TMP2 (with PIN) + password. (i.e. mode where PIN is derived from the password, but is also used to encrypt), so that i do not have to trust the TPM manufacturer.
Personally i would like a way to use TMP2 (with PIN) + password. (i.e. mode where PIN is derived from the password, but is also used to encrypt), so that i do not have to trust the TPM manufacturer.
This can be done. Not sure how on Windows/bitlocker but certainly with cryptenroll. Essentially you’d wrap this in your bootscript, though.
So password (or pin) encrypts passphrase, passphrase encrypts LUKS and goes to TPM, then you need to reverse the process for your init script (request password, decrypt passphrase, exchange with TPM to decrypt LUKS), but it depends on your appetite for planning that out.