On 30.07.2023 20:59, Martin Winter wrote:
Gary Lin wrote:
Hi, I'm pleased to introduce a new feature for openSUSE Tumbleweed: disk auto-unlocking with TPM 2.0. In short, it boots the encrypted root without asking for a passphrase.
What is the actual use case for that? I'm encrypting my disk to protect it in case the notebook gets stolen or otherwise lost. When it is auto-unlocked, everybody with access to my computer can read the data.
Or am I missing something? Is there another protection mechanism before the disk is unlocked?
If implemented properly, unlocking is tied to the measured boot sequence. If you boot with a different bootloader (e.g. from a USB stick), a different kernel, a different initrd, or even try to pass different parameters to the kernel, unlocking should fail. If the system is booted using the original bootloader/kernel, then presumably your system requires a valid login before someone can access your data. Are you using automatic login?

Data-at-rest encryption remains a valid use case as well. For a system that never leaves your basement, theft may not be the highest priority, but you may care that your RMA'd HDD is not readable.
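To make the "tied to the measured boot sequence" argument concrete, here is a small Python model of what the TPM does underneath: components are hashed into a PCR one after another (TPM2_PCR_Extend), a key is sealed to the PCR value observed on the trusted boot, and the TPM refuses to release it when a later boot produces a different value. This is an added example written for this page; it is not code from the thread, from openSUSE, or from systemd, and it does not talk to a real TPM. The sealing step (an HMAC-derived wrapping key plus a policy comparison) is a stand-in for the TPM's policy-digest mechanism, and the boot-chain contents and the TPM seed are constructed inputs.

```python
"""Toy model of TPM2 measured boot and PCR-bound sealing (example, not real TPM code)."""
import hashlib
import hmac

PCR_BYTES = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """One TPM2_PCR_Extend step: PCR_new = SHA256(PCR_old || SHA256(event)).

    A PCR can only be extended, never set, so its final value depends on
    every measured component and on the order in which they were measured.
    """
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot chain into a single PCR, starting from the reset value (all zeros)."""
    pcr = bytes(PCR_BYTES)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes, tpm_seed: bytes):
    """Simulated TPM sealing: bind the volume key to an expected PCR value.

    The wrapping key is derived from a seed that never leaves the (simulated)
    TPM and from the policy, i.e. the PCR value a boot must reproduce. The
    policy itself is not secret and is stored next to the blob, as on disk.
    """
    assert len(secret) == PCR_BYTES  # keeps the XOR wrap simple for this model
    wrap = hmac.new(tpm_seed, b"seal|" + expected_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap))
    return blob, expected_pcr


def unseal(sealed, current_pcr: bytes, tpm_seed: bytes):
    """Simulated TPM unseal: release the key only if the current PCR matches the policy."""
    blob, policy_pcr = sealed
    if not hmac.compare_digest(policy_pcr, current_pcr):
        return None  # policy check failed: fall back to asking for a passphrase
    wrap = hmac.new(tpm_seed, b"seal|" + policy_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob, wrap))


# Constructed inputs for the example (stand-ins for real firmware measurements).
TPM_SEED = b"constructed-tpm-internal-seed-never-exported"
LUKS_KEY = hashlib.sha256(b"constructed volume key").digest()

GOOD_BOOT = [
    b"shim.efi (signed)",
    b"grub2.efi (signed)",
    b"vmlinuz (signed)",
    b"initrd",
    b"root=/dev/mapper/cr_root quiet",  # kernel command line
]
USB_BOOTLOADER = [b"usb-rescue.efi"] + GOOD_BOOT[1:]
OTHER_INITRD = GOOD_BOOT[:3] + [b"initrd (modified)"] + GOOD_BOOT[4:]
SHELL_CMDLINE = GOOD_BOOT[:4] + [b"root=/dev/mapper/cr_root quiet init=/bin/sh"]


def enroll():
    """Enrolment happens once, on the trusted boot: seal the key to that boot's PCR value."""
    return seal(LUKS_KEY, measure_boot(GOOD_BOOT), TPM_SEED)


def try_unlock(sealed, boot_chain) -> bool:
    """Boot-time attempt: True if the TPM released the key for this boot chain."""
    return unseal(sealed, measure_boot(boot_chain), TPM_SEED) == LUKS_KEY


def summary() -> dict:
    """Which boot chains get the key without a passphrase, and which do not."""
    sealed = enroll()
    return {
        "original boot": try_unlock(sealed, GOOD_BOOT),
        "USB bootloader": try_unlock(sealed, USB_BOOTLOADER),
        "other initrd": try_unlock(sealed, OTHER_INITRD),
        "init=/bin/sh on cmdline": try_unlock(sealed, SHELL_CMDLINE),
        # Same components, different order: PCR values are order-sensitive too.
        "same parts, reordered": try_unlock(sealed, list(reversed(GOOD_BOOT))),
    }


if __name__ == "__main__":
    for scenario, unlocked in summary().items():
        print(f"{scenario:26s} -> {'unlocked' if unlocked else 'passphrase required'}")
```

Only the chain that reproduces the enrolled PCR value gets the key; swapping the bootloader, the initrd or a single command-line parameter changes the digest and the unseal is refused. What the model cannot show is the second half of the argument above: an attacker who boots the untouched chain does get the key released, and is then stopped (or not) by the login prompt, which is why automatic login matters in this design. On a real system the set of PCRs the key is bound to is chosen at enrolment time (systemd-cryptenroll's `--tpm2-pcrs=` option); binding to fewer PCRs means fewer things are checked before the key is released.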