submitted 3 months ago by cm0002@lemmy.zip to c/linux@programming.dev
[-] Nomad@infosec.pub 7 points 3 months ago

If you use TPM for signing, that is not an issue most of the time. But if you store decryption keys for a storage device there that's not a good idea.

[-] Mihies@programming.dev 4 points 3 months ago

Where would you store it then?

[-] Nomad@infosec.pub 6 points 3 months ago

Preferably in your brain and maybe partially in a smart card protected by a pin?

[-] Mihies@programming.dev 4 points 3 months ago* (last edited 3 months ago)

Yes, currently I'm using my brain for that and was thinking a security key such as Yubikey with touch requirement + PIN. But at least on Linux there is no support for that, or is it?

Edit: Ha, there actually is - https://mhdez.com/posts/unlocking-encrypted-linux-with-a-yubikey/

[-] Nomad@infosec.pub 2 points 3 months ago

AFAIK there is. But even if not, it simulates a keyboard which can input your passphrase. Also modification of the initrd is a matter of providing a bash script or binary to launch which returns the passphrase in the crypttab file and adding it to the correct directory.
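
The keyscript mechanism mentioned above, as an added example that is not from the thread or the linked post: Debian's cryptsetup honours a `keyscript=/path/to/script` option in `/etc/crypttab`, runs the script with the crypttab key field as `$1`, and reads the unlock key from the script's stdout (systemd-cryptsetup does not honour this option). The file path, the fallback prompt and the test key below are assumptions for illustration. A keyscript only feeds a key to cryptsetup; it does not remove the passphrase keyslot, so the passphrase still unlocks the volume on its own.

```shell
#!/bin/sh
# Added example crypttab keyscript (not code from the thread).
# Contract (Debian cryptsetup/initramfs-tools): $1 is the key field from
# /etc/crypttab, the key must be written to stdout, prompts go to stderr.
# Assumed layout: $1 names a key file on a removable medium mounted in the
# initramfs, e.g. /media/keys/root.key (hypothetical path).

key_from_file() {
    # Print the key from the file if it is readable and non-empty; return 1 otherwise.
    f="$1"
    [ -r "$f" ] && [ -s "$f" ] || return 1
    cat "$f"
}

prompt_key() {
    # Fallback: interactive passphrase prompt when the key file is absent.
    # /lib/cryptsetup/askpass is Debian's prompt helper; a plain read is used otherwise.
    if [ -x /lib/cryptsetup/askpass ]; then
        /lib/cryptsetup/askpass "Key file $1 not found, enter passphrase: "
    else
        printf 'Key file %s not found, enter passphrase: ' "$1" >&2
        stty -echo 2>/dev/null
        read -r p
        stty echo 2>/dev/null
        printf '\n' >&2
        printf '%s' "$p"
    fi
}

get_key() {
    # Key file first, interactive passphrase second; stdout carries the key either way.
    key_from_file "$1" || prompt_key "$1"
}

# Run as a keyscript: cryptsetup passes the crypttab key field as $1.
if [ -n "$1" ]; then
    get_key "$1"
fi
```

The script must be copied into the initramfs (for example by listing it under `keyscript=` so the cryptsetup initramfs hook picks it up) and rebuilt with `update-initramfs`; anything it reads from a removable medium is plaintext on that medium, so the medium itself should be something the attacker cannot simply read.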

[-] Mihies@programming.dev 2 points 3 months ago

From what I read so far, a hardware key is just another way of decrypting, not the required one. So it's just a convenient method to avoid typing a (long) password and instead type just a few PIN chars. So, if somebody gets hold of the password, they can still decrypt the disk even without the hardware key. Not perfect, but still better than only a password.

[-] somerandomperson@lemmy.dbzer0.com 4 points 3 months ago

another encrypted medium

this post was submitted on 10 Oct 2025