this post was submitted on 10 Oct 2025
98 points (100.0% liked)

Linux

9892 readers
769 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
98
Linux Now Disabling TPM Bus Encryption By Default For Performance Reasons (www.phoronix.com)
submitted 2 weeks ago by cm0002@lemmy.zip to c/linux@programming.dev
22 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Nomad@infosec.pub 6 points 2 weeks ago (1 children)

Preferably in your brain and maybe partially in a smart card protected by a pin?

[–] Mihies@programming.dev 4 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Yes, currently I'm using my brain for that and was thinking a security key such as Yubikey with touch requirement + PIN. But at least on Linux there is no support for that, or is it?

Edit: Ha, there actually is - https://mhdez.com/posts/unlocking-encrypted-linux-with-a-yubikey/

[–] Nomad@infosec.pub 2 points 2 weeks ago (1 children)

AFAIK there is. But even if not, it simulates a keyboard which can input your passphrase. Also modification of the initrd is a matter of providing a bash script or binary to launch which returns the passphrase in the crypttab file and adding it to the correct directory.

[–] Mihies@programming.dev 2 points 2 weeks ago

From what I read so far, hardware key is just another way to decrypting, not the required. So it's just a convenient method to avoid typing a (long) password and instead just few PIN chars. So, if somebody gets hold of password, can still decrypt the disk even without the hardware key. Not perfect, but still better than only password.