I used PopOS, but once they announced they’ll start focusing on their Cosmic desktop, I switched to Fedora KDE it worked to some degree until it crashed and I lost some data, now I’m on Ultramarine GNOME and it doesn’t seem to like my hardware ( fans are spinning fast )

my threat model involves someone trying to physically unlock my device, so I always enable disk encryption, but I wonder why Linux doesn’t support secure boot and TPM based encryption ( I know that Ubuntu has plans for the later that’s why I’m considering it rn )

I need something that keeps things updated and adobts newer standards fast ( that’s why I picked Fedora KDE in the first place ), I also use lots of graphical tools and video editing software, so I need the proprietary Nvidia drivers

Idk what to choose ಥ_ಥ ? the only one that seem to care about using hardware based encryption is Ubuntu, while other distros doesn’t support that… the problem with Ubuntu is there push for snaps ( but that can be avoided by the user )

security heads say: if you care about security, you shouldn’t be using systemd, use something like Gentoo or Alpine… yeah but do you expect me to compile my software after ? hell no

You are viewing a single thread.
View all comments View context

I was going off what you said:

my threat model involves someone trying to physically unlock my device

This doesn’t sound to me as if you’re concerned about espionage - repeated, covert, root access to your computer, for the purpose of installing software to capture your keys, so that they can steal your computer and have complete access. If someone has remote root access to your computer, you’re fucked, TPM or not; they’ll just read what they want whenever you’re logged in and using your computer.

TPM is for when you might not have secured physical access to your computer. Like, you’re worried the NSA is going to sneak into your house while you’re out shopping, pull your HD, replace the boot loader, and re-install it before you get home.

If you’re only worried about, say, losing a laptop, or a search & seizure at your house, an encrypted HD is good enough. TPM and a keylocked BIOS are belts-and-suspenders, but if they want to get at the data they’ll just pull the HD and run code-breaking software on it on and entirely different super-computer. TPM won’t help you at all in that case.

Honestly, TPM is for a specific threat mode, which is much more like ongoing espionage, than simple opportunity theft. Your stated use case sounds more like the latter than the former.

permalink
report
parent
reply

but if they want to get at the data they’ll just pull the HD and run code-breaking software on it on and entirely different super-computer. TPM won’t help you at all in that case.

You make it sound so easy and doable, but the reality is that without meeting certain conditions such as the existence of the original TPM chip, a brute force attack will render the data irretrievable… And even if I’m wrong in the last part, that would still be a pain in the butt for the attacker… and it’ll buy me time… like you said … belts-and-suspenders

This doesn’t sound to me as if you’re concerned about espionage

Because i don’t have second chances, which is why I wish there’s way to erase everything by entering a key combination… somehow… Idk… like Android has that…

permalink
report
parent
reply
1 point

Because i don’t have second chances, which is why I wish there’s way to erase everything by entering a key combination… somehow… Idk… like Android has that…

That triggered a memory for me. Apparently certain SSD(Samsung I heard of, not sure about others) always encrypt your data in hardware with a random key, this is done transparently to the OS and is otherwise unremarkable.

What it archives though and afaik is intended for is the possibility of easily and quickly “erasing” the disk by just overwriting that encryption key a couple times, I don’t remember if that used a special tool or something but if that is useful to you it probably wouldn’t be hard to find more info on this.

Samsung is a reasonably trustworthy company, not from US/UK, not Chinese, so if they say they have a clean implementation of this I’d trust them. Would be kinda a national security issue for them if it wasn’t seeing how Samsung is everywhere in gov an private sector in Korea.

permalink
report
parent
reply

What it archives though and afaik is intended for is the possibility of easily and quickly “erasing” the disk by just overwriting that encryption key a couple times, I don’t remember if that used a special tool or something but if that is useful to you it probably wouldn’t be hard to find more info on this.

first of, apologies for the late reply… this reminds me of when I ( not so long ago ), used to overwrite random data into HDDs using Eraser, before selling my laptops or switching a company laptop, I hear SSDs are designed to last longer, so that practice ( of writing random data so it’ll erase the sensitive data ), is “kind of” a time waste now… but I guess it’ll make it hard to retrieve that data, unless the attacker has some specialized software and hardware

Samsung is a reasonably trustworthy company, not from US/UK, not Chinese, so if they say they have a clean implementation of this I’d trust them

I wouldn’t trust any company based only on their claims, they need to document ( explain how it works ), develop things in the open ( publish the firmware ), the schematics, even the CAD drawings… like what the folks at System76 and Framework are doing…

That said, it sure sounds cool to have that level of protection, if only Samsung wasn’t a shitty company already ( in my book )

Would be kinda a national security issue for them if it wasn’t seeing how Samsung is everywhere in gov an private sector in Korea.

I’m speculating here, but it wouldn’t be far fetched if they designed a secure encrypted clean hardware for the government with military grade encryption as they like to call it, while the end users receives only enough encryption power to protect against normie threat actors like a spouse…etc companies have these policies where they provide a premium/quality products for businesses and governments but cheap or in many cases poorly made products to end users … like Windows Home

permalink
report
parent
reply

linux4noobs

!linux4noobs@programming.dev

Create post

linux4noobs


Noob Friendly, Expert Enabling

Whether you’re a seasoned pro or the noobiest of noobs, you’ve found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux’s ongoing evolution.


Seeking Support?
  • Mention your Linux distro and relevant system details.
  • Describe what you’ve tried so far.
  • Share your solution even if you found it yourself.
  • Do not delete your post. This allows other people to see possible solutions if they have a similar problem.
  • Properly format any scripts, code, logs, or error messages.
  • Be mindful to omit any sensitive information such as usernames, passwords, IP addresses, etc.

Community Rules

  • Keep discussions respectful and amiable. This community is a space where individuals may freely inquire, exchange thoughts, express viewpoints, and extend help without encountering belittlement. We were all a noob at one point. Differing opinions and ideas is a normal part of discourse, but it must remain civil. Offenders will be warned and/or removed.
  • Posts must be Linux oriented
  • Spam or affiliate links will not be tolerated.

Community stats

  • 60

    Monthly active users

  • 119

    Posts

  • 439

    Comments

Community moderators