this post was submitted on 24 Feb 2024
99 points (77.7% liked)
Linux
48329 readers
1418 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I'm also a linux noob, but I thought having to unlock the encryption before getting to the actual account was part of the point. If the encryption is always already unlocked it's easier to break in.
Then how come Windows and MacOS don't require two different PWs?
They give up some security by gaining convenience and slightly better UX.
I can't vet Apple's security, but TPM isn't a silver bullet either.
https://hacky.solutions/blog/2024/02/tpm-attack
Yeah I don't need a silver bullet I'm not storing highly sensitive data, I just mistakenly assumed this would be easier.
Great to hear. TPM is totally usable if your threat model can tolerate the risk. Sadly Linux is a bit lacking support for TPM in FDE. You can try the Nitrokey with GPG method without pin I wrote in the other thread if you hit the wall. Good luck!
Here's a guide if you want FDE with TPM: https://blastrock.github.io/fde-tpm-sb.html
Linux works fine with the TPM, systemd even includes it as a feature (although Ubuntu patches it out, Fedora does not). Takes two commands to enable it, although you can get very into the weeds like that guide does if you are concerned about real bad actors instead of common thieves.
That I doesn't know Ubuntu patches it out.
The decision had to do with not having unified kernel images or something, essentially the decision that it couldn’t be done securely enough so they didn’t allow it at all even if you understand the risks. I don’t agree with the philosophy.
The next LTS should have official support in the installer (experimental in 23.10), and with signed binaries that will increase security substantially. Unfortunately it depends on snap.
You keep bringing that up. Those are different systems with different approaches to security. You can compare them to death and back and it won't bring your system to where you want it.
People have come to you with suggestions to achieve what you want and explained the consequences. Try that instead.