Comment by mateusz834

Comment by mateusz834 21 hours ago

2 replies

View on Hacker News

Personally i would like a way to use TMP2 (with PIN) + password. (i.e. mode where PIN is derived from the password, but is also used to encrypt), so that i do not have to trust the TPM manufacturer.

highwaylights 21 hours ago

This can be done. Not sure how on Windows/bitlocker but certainly with cryptenroll. Essentially you’d wrap this in your bootscript, though.

So password (or pin) encrypts passphrase, passphrase encrypts LUKS and goes to TPM, then you need to reverse the process for your init script (request password, decrypt passphrase, exchange with TPM to decrypt LUKS), but it depends on your appetite for planning that out.

Reply View 1 reply
  • mateusz834 20 hours ago

    Wouldn't this work with some kind of PKDF instead?

    Like: Password ---> PKDF ---> PIN

    And then Password XOR (Key from TPM) -> LUKS

    But i guess this kind of logic is not for a bootscript, but for tools like systemcd-cryptenroll.

    Reply View 0 replies