New Package Request: clevis clevis-dracut clevis-udisks2 #409
Comments
See also #285
While I can see the value in this use case, I'm unsure of how common it would be for most users. If we were to include this, I think I would also like to see some robust docs that explain how to do the TPM2 binding on Silverblue, perhaps some troubleshooting steps as well. (Pardon my ignorance if the docs for Silverblue would be identical for Workstation in this case)
The instructions would be mostly the same, but will get much simpler once we have UKIs. Right now the main issue is that if you want something meaningful in terms of security, you need to rebind after each update before the reboot. Thus this needs a script that does it during the ostree-finalize step. The end goal would be to have a box to tick in Anaconda that says "Automatically encrypt the disk (via TPM)" and have the user still enter a passphrase as backup or generate a long secret to store somewhere as backup.
While I really like the steps forward to FDE with TPM2, I don't really get the advantage of using The only thing that I need to add was:
If systemd-cryptenroll also works for the root partition then this could also be an option indeed.
We should investigate https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/ for Silverblue
Thanks for the report. This issue is now tracked in https://gitlab.com/fedora/ostree/sig/-/issues/33 thus I'll close this one.
It's not in Workstation yet apparently. Will have to file that there.
Make it easier to enable TPM2 binding for disk encryption via clevis. See: https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
No, it's for the root disk
No
No
rpm-ostree install <package>? Explain why or why not.
Yes, but it would be better to have it by default to avoid modifying/rebuilding the initrd.