Hacker News

oddlama, yesterday at 12:20 PM (3 replies)

This is great if you only have a single disk, but if you have multiple encrypted disks that are unlocked in the initrd this way, then, if you can gain control flow by faking data on the last decrypted disk, you can still gain access to all the previously unlocked partitions.

Of course you cannot unseal the secret from the TPM anymore.


Replies

bean-weevil, yesterday at 2:19 PM

If you have TPM encryption on your boot disk, then you can simply store the decryption keys for your other disks on it.
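
One way to lay out the scheme described in this reply with systemd's crypttab, as an added example that is not the commenter's own configuration: only the root volume is opened in the initrd, sealed to the TPM2, while the remaining disks are opened later by systemd-cryptsetup from keyfiles that live on the already-mounted root. It assumes a systemd-based initrd (systemd-cryptsetup and systemd-cryptenroll available), and the device UUIDs, mapped names, the PCR 7 binding, the PCR 15 measurement and the keyfile directory are placeholders chosen for the example rather than anything stated in the thread.

```shell
#!/bin/sh
# Added example, not from the HN thread. Root is TPM2-unlocked in the initrd;
# data disks are never touched there and are opened after root is mounted,
# using keyfiles stored on root. UUIDs and names below are placeholders.
set -eu

# systemd-cryptsetup searches this directory for <name>.key when the crypttab
# key field is "-", so no key path has to be spelled out per entry.
KEYDIR=/etc/cryptsetup-keys.d

# Render one /etc/crypttab line: name, UUID, key field, options.
# Pure text, so the layout can be checked without real devices.
crypttab_line() {
    printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "$4"
}

# Root: unlocked in the initrd by the TPM2 (policy bound to PCR 7 here) and
# its volume key measured into PCR 15 (tpm2-measure-pcr=yes), so that a
# swapped-in root disk leaves a different PCR 15 state behind it.
root_entry() {  # $1 UUID of the root LUKS volume
    crypttab_line root "$1" - "tpm2-device=auto,tpm2-pcrs=7,tpm2-measure-pcr=yes,x-initrd.attach"
}

# Data disks: no x-initrd.attach, so the initrd never opens or parses them.
# systemd-cryptsetup@<name>.service opens them later with $KEYDIR/<name>.key.
data_entry() {  # $1 mapped name, $2 UUID
    crypttab_line "$1" "$2" - "luks,nofail"
}

# Create a 64-byte random keyfile on the root fs, readable by root only, and
# enroll it in the data disk's LUKS header. Needs root and the real device;
# not executed in the dry run below.
add_data_key() {  # $1 mapped name, $2 device path
    install -d -m 0700 "$KEYDIR"
    head -c 64 /dev/urandom > "$KEYDIR/$1.key"
    chmod 0400 "$KEYDIR/$1.key"
    cryptsetup luksAddKey "$2" "$KEYDIR/$1.key"   # asks for an existing passphrase
}

# Seal a new root key slot to the TPM2, bound to PCR 7 (placeholder choice).
enroll_root() {  # $1 device path
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$1"
}

# The complete crypttab for one root disk plus two data disks (placeholder UUIDs).
render_crypttab() {
    root_entry 11111111-1111-1111-1111-111111111111
    data_entry data1 22222222-2222-2222-2222-222222222222
    data_entry data2 33333333-3333-3333-3333-333333333333
}

# Only touch devices when explicitly asked; by default just print the layout.
if [ "${APPLY:-0}" = 1 ]; then
    enroll_root  /dev/disk/by-uuid/11111111-1111-1111-1111-111111111111
    add_data_key data1 /dev/disk/by-uuid/22222222-2222-2222-2222-222222222222
    add_data_key data2 /dev/disk/by-uuid/33333333-3333-3333-3333-333333333333
    render_crypttab > /etc/crypttab
else
    render_crypttab
fi
```

Run without arguments it only prints the three crypttab lines; `APPLY=1` performs the enrollment against the placeholder devices. The point of the layout is that `x-initrd.attach` appears on the root entry alone, so the initrd's unlock path involves exactly one disk, and the keyfiles for the others are only reachable once root has been unsealed and mounted.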

staff3203, yesterday at 7:36 PM

What to do for a single root fs spanned over 2 encrypted partitions on 2 separate disks?