On Wednesday, December 11, 2019 7:09:41 PM MST Kevin Kofler wrote: > John M. Harris Jr wrote: > > > To clarify a bit, the most common method of extracting a key from a TPM > > has been to simply desolder the TPM from the system and solder it onto > > another system. This works with the popular implementations. > > > Surely that is not a process that you want to advertise to end users! Of course not. It's just an example of the most common way to get around the TPM holding the keys. > I stay by what I wrote: a TPM, or anything with the same security model, is > not an acceptable place for a LUKS key token. Either use a plain keyfile > on a removable USB mass storage stick, or if that does not provide > acceptable security in your setup, find another solution (such as a > passphrase). Agreed, as it's simply susceptible to attack at too many levels. -- John M. Harris, Jr. Splentity _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
