Can i get some context please? My fedora install wasn’t using TPM, i had to manually configure it; i haven’t noticed any difference in boot speed with or without TPM encryption
I want to have data-at-rest encryption, so that the only password i need to insert is my user one, this allows me to not have to type passwords multiple times. If i had the regular encryption password i would have to enable autologin in SDDM, which would do away with the encryption on kdewallet and all my credentials.
Plus i also enable secureboot, and use fedora kinoite, so that i is hard to tamper with my boot stuff without my TPM wiping itself off my encryption password, this gives me a very Bitlocker-like setup, but without the shittiness of having my encryption keys linked to microsoft’s terrible encryption system and user accounts, i can actually control my stuff like this. For a laptop, i must say data-at-rest encryption is a must!
This setup gives me multiple security layers; took my laptop off me -> booted my laptop, faced with user password -> tried to boot another OS, TPM wiped itself, no more encryption key -> computer now asks for encryption password, has to find a way around LVM2 encryption -> LVM2 encryption (somehow) defeated they must now crack my user password, or have to (try) to decrypt my credentials on the file system itself; after all these convoluted and extremely hard steps i think we can agree this person really deserves to have access to my cool wallpapers
Yeah, i know; EUFI computers really suck, turning away the script kiddies and most people that would steal this computer from my data is is the most i can with this thing
Fedora 41 is now the ‘wait 45 seconds every boot because you don’t have a tpm chip’ version.
Can i get some context please? My fedora install wasn’t using TPM, i had to manually configure it; i haven’t noticed any difference in boot speed with or without TPM encryption
Probably only affects a small number of AMD machines.
so if it probably affects only a small number of specific hw platforms, you cannot state fedora as “now wait 40 seconds” distro.
i’m also not using the tmd chip, no issues.
Why wouldn’t you just use a password?
I want to have data-at-rest encryption, so that the only password i need to insert is my user one, this allows me to not have to type passwords multiple times. If i had the regular encryption password i would have to enable autologin in SDDM, which would do away with the encryption on kdewallet and all my credentials.
Plus i also enable secureboot, and use fedora kinoite, so that i is hard to tamper with my boot stuff without my TPM wiping itself off my encryption password, this gives me a very Bitlocker-like setup, but without the shittiness of having my encryption keys linked to microsoft’s terrible encryption system and user accounts, i can actually control my stuff like this. For a laptop, i must say data-at-rest encryption is a must!
This setup gives me multiple security layers; took my laptop off me -> booted my laptop, faced with user password -> tried to boot another OS, TPM wiped itself, no more encryption key -> computer now asks for encryption password, has to find a way around LVM2 encryption -> LVM2 encryption (somehow) defeated they must now crack my user password, or have to (try) to decrypt my credentials on the file system itself; after all these convoluted and extremely hard steps i think we can agree this person really deserves to have access to my cool wallpapers
Secure boot and TPM aren’t known for there robust security. In fact, I’d wager that your machine is probably vulnerable.
https://www.bleepingcomputer.com/news/security/bootkitty-uefi-malware-exploits-logofail-to-infect-linux-systems/
Or for that matter, it is possible that your secure boot keys have been leaked or that your TPM is vulnerable to sniffing.
Yeah, i know; EUFI computers really suck, turning away the script kiddies and most people that would steal this computer from my data is is the most i can with this thing
Fedora shouldn’t be touching the TPM at all
that’s annoying. my laptop has TPM and i also encrypted the disk