Full disk encryption with LUKS. Don't really see much point in a TPM for booting my personal device, although it definitely has use cases and I don't know what's backdoorsy about it.
this post was submitted on 25 Jun 2025
42 points (97.7% liked)
Ask Lemmy
32773 readers
2204 users here now
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com.
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
founded 2 years ago
MODERATORS
I use heads firmware, which seals an otp key in the tpm to let you verify the integrity of the firmware, which then uses your gpg pubkey written into the firmware to verify the integrity of the boot partition.
An open, self-controlled equivalent to secure boot that relies on the tpm and your own gpg key, instead of on vendor secure boot signing keys. Very cool project!
I don't use either of those. If I were to use anything I'd use Linux's LUKS disk encryption, but as others have said, I'd rather error on the side of data recovery if I lose the keys.
I just use LUKS and type a boot password like a fucking pioneer of computing!
Off. My system won't boot with it turned on. It just hangs at a black screen. From what I've been able to find out, it's due to unsigned video drivers.
I don't, because I have better control over my disks. With TPM, the keys are stored within the chip itself, and I won't be able to unlock it if I boot into another OS (re-installing, dual boot, etc). With password, while inconvenient, I know that I can always unlock it, ans the chance of locking myself out is negligible.
TPM being a backdoor doesn't seem likely to me. Worst case scenario, transparent mode is just as bad as unencrypted disk. Most of the time, it adds extra security, though you are at the risk of locking yourself out.
"TPM is a backdoor" was something that got bandied around during the Vista era psrtially by people not understanding and partially (imo) to muddy the waters.
Secure Boot was maligned as at the time only MS were allowed to sign for it, so it was just an anti-linux locker. Later, after much haranguing, they backpedaled and allowed Canonical and Redhat to sign things, much much later, we could self sign.
TPM was also maligned around the same since MS (allegedly) had aspersions to only allow signed software which would be encrypted so that 'bad actors' (the users themselves) couldn't change 'protected' (any) executables. I think the closest we've ever seen of that is Windows S.
To be fair, we see all these things (or similar) used in the mobile and console space used to do the shitty stuff we were afraid of.
It's weird this didn't get more pushback on mobile. Even the mainstream press was critical when Microsoft proposed it for PCs.
It was kind of the norm with phones. The shift from cellphone over feature phone to smartphone was gradual enough that outside of some enthusiasts nobody cared about running their own OS on one.
Nowadays I even wish I could run my own OS on my washing machine.
It had been the norm for phones, then Android came along and a much more PC-like level of capability became the norm for phones. SafetyNet didn't show up until five years later and it didn't get significant negative press.
The concept of secure boot and the TPM and BitLocker and all that stuff is somewhere between protection against hackers with hands on access to your system, protection against rootkits infecting the boot sector, protecting the average amateur end user from themselves doing something dumb, and keeping you in the Micro$haft ecosystem.
If you're fairly comfortable that none of these should be a significant risk to you, then I'd say disable it and do whatever you want with your own system without all the headaches.
None. I just install os and use it without any encryption and such. It's more important for me to be able to access data on device failure than encrypt it.
TPM isn't a backdoor but it's veey hackable for Linux. Unless it somehow got fixed.
I use full disk encryption with a password only for my root partition. Everything else is automatic.
Off, and integrated TPM's have been pwnd multiple ways for a while now
LUKS
This. Full disk encryption worked on Linux long before TPM, and works perfectly fine now still. TPM to me seems only additionally effective in a narrow range of "evil maid" attack scenarios where your (unencrypted, unsigned) bootloader is modified at rest, such as to steal your disk encryption key later. However A) I cannot afford to hire a maid, let alone one also skilled in editing Linux initramfs images and B) I don't see TPM evangelists check their keyboard USB cable for in-line hardware sniffers every single time they step away from their desk.
I use both. They work well and get out of my way, while adding security. Just make sure you use a distro that has those things working OOTB and you'll be fine.
On my own machines I don't use Secure Boot and FDE, on work machine I do.
My machines are old enough to not have that, so no. But, there are a lot of tpm implementations and I don't think they are backdoored in general. I know of some industry projects to use them in data centers. Otoh they often have vulnerabilities.
If I wanted a hardware token I'd use a dedicated one but that's just me.
TPM + secure boot on my laptop. TPM only on my desktop.
The TPM a backdoor, I guess it may be technically possible but it is highly unlikely. If you need a backdoor, the UEFI of a computer is a much more feasible option, especially with built in AMT firmware for remote management.