The thing is, Windows does this out of the box. So does macOS. So do iOS and Android. When you set a PIN on Windows 11 or even add an extra password to your already TPM-encrypted hard drive, you don’t even know you’re getting any of this security. You don’t need to! It just works!
Linux is the only system that doesn’t just make this stuff work out of the box. There are some issues that prevent it from being as easy to use as on other systems (the fact that loading Linux keys into a motherboard take an extra user interaction, for example) but there are solutions to all of these problems if Linux distros were to put some work into it.
There’s absolutely no reason why you should need to use the terminal to configure the TPM, you should just need to tick a box during install that makes the system use better encryption (or disable it if you use the drive in multiple computers). The reason you need to play James bond with layers of encryption and boot configurations is that standard Linux tooling had awful support for using the security hardware that every computer sold the last decade or so already contains.
I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.
The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.
It’s not like there’s a difference in performance nowadays.
TPM’s not going to help with that situation, though, right?
Either you’re typing in your encryption password on boot (in which case you don’t need TPM to keep your password), or you’re not, in which case the thief has your TPM module with the password in it.
From what I understand, TPM is “trusted” because of the fact the secrets it contains are supposed to be safe from an attacker with hardware access.
This is what makes it good at protecting data in case of a stolen laptop. This is also what makes it good at enforcing offline DRM or any kind of system where manufacturers can restrict the kind of software users can run on their hardware.
so you never caught a team of government officials in your living room brute forcing your bootloader at 4am as you got up to use the bathroom, huh. Lucky guy.
I’m still on the hunt for a desktop Linux distro that has no security features or passwords. My usage for this may not be common but it can’t be rare enough that there are zero options
I agree that there should be an easy setting to at least allow updates without password. I installed Manjaro for my mom, after a while she complained “there are updates every day and I need to input the password too many times”
I don’t know why I keep hearing of security measures to stop someone sleuthing into bootloaders.
Am I the only person using Linux who isn’t James Bond?
The thing is, Windows does this out of the box. So does macOS. So do iOS and Android. When you set a PIN on Windows 11 or even add an extra password to your already TPM-encrypted hard drive, you don’t even know you’re getting any of this security. You don’t need to! It just works!
Linux is the only system that doesn’t just make this stuff work out of the box. There are some issues that prevent it from being as easy to use as on other systems (the fact that loading Linux keys into a motherboard take an extra user interaction, for example) but there are solutions to all of these problems if Linux distros were to put some work into it.
There’s absolutely no reason why you should need to use the terminal to configure the TPM, you should just need to tick a box during install that makes the system use better encryption (or disable it if you use the drive in multiple computers). The reason you need to play James bond with layers of encryption and boot configurations is that standard Linux tooling had awful support for using the security hardware that every computer sold the last decade or so already contains.
I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.
The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.
It’s not like there’s a difference in performance nowadays.
TPM’s not going to help with that situation, though, right? Either you’re typing in your encryption password on boot (in which case you don’t need TPM to keep your password), or you’re not, in which case the thief has your TPM module with the password in it.
From what I understand, TPM is “trusted” because of the fact the secrets it contains are supposed to be safe from an attacker with hardware access.
This is what makes it good at protecting data in case of a stolen laptop. This is also what makes it good at enforcing offline DRM or any kind of system where manufacturers can restrict the kind of software users can run on their hardware.
so you never caught a team of government officials in your living room brute forcing your bootloader at 4am as you got up to use the bathroom, huh. Lucky guy.
Your government doesn’t just hit you with a wrench?
Silly Lemmy user, it’s 4am and I’m on Lemmy
It’s 30% legitimate concern over a non-negligible risk of government overreach, 70% having fun pretending to be James Bond.
deleted by creator
I’m still on the hunt for a desktop Linux distro that has no security features or passwords. My usage for this may not be common but it can’t be rare enough that there are zero options
Ubuntu, no encryption, select boot to desktop by default when the system installs.
Like, really?
Still smashing in passwords left and right
Ah so you want the windows 98 experience, root access by default all the time without passwords or extra prompts.
Maybe setting auto login and sudo without password can be almost enough? https://askubuntu.com/questions/147241/execute-sudo-without-password
I agree that there should be an easy setting to at least allow updates without password. I installed Manjaro for my mom, after a while she complained “there are updates every day and I need to input the password too many times”