Re: Fedora 32 System-Wide Change proposal: Disallow Empty Password By Default

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2019-12-12 at 03:09 +0100, Kevin Kofler wrote:
> John M. Harris Jr wrote:
> > To clarify a bit, the most common method of extracting a key from a TPM
> > has been to simply desolder the TPM from the system and solder it onto
> > another system. This works with the popular implementations.
> 
> Surely that is not a process that you want to advertise to end users!
> 
> I stay by what I wrote: a TPM, or anything with the same security model, is 
> not an acceptable place for a LUKS key token.

This is far from the original topic, but you make a baseless claim.

Like any other security feature, it's successful (or not) use depends
on the threat model and the sue you make of it.

If you want to make sure that the hard drive *cannot* be use by
plugging it into any random computer using a TPM chip with LUKs is
absolutely a good idea.

Of course if you do not make external backups then having a backup key
add to LUKS that you store offline is definitely a good idea for
recovery in case your TPM chip becomes unavailable for whatever reason.

>  Either use a plain keyfile on 
> a removable USB mass storage stick, or if that does not provide acceptable 
> security in your setup, find another solution (such as a passphrase).

You are making a blanket statement about the security of a solution
without any analysis of the requirements, uniquely on a personal and
arbitrary distaste for a technology, that is not really useful, please
refrain.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc



_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux