From: Alex Elsayed
Date: Fri, 17 Oct 2014 16:51:52 -0700
Subject: Re: [dm-crypt] LUKS disk encryption with remote boot authentication
To: dm-crypt@saout.de
References: <543D92A8.50701@freesources.org> <20141014215108.GA14529@tansi.org>

Alex Elsayed wrote:

> Well, it actually _is_ entirely possible:
>
> If your machine has a TPM (yes, big 'if', but many laptops do although
> embedded boards don't), then tpm-luks[1] uses the TPM to store the
> cryptsetup key in the TPM's nvram, such that it can only be extracted if
> everything is unmodified.

Gah, forgot my footnote.

[1] https://github.com/shpedoikal/tpm-luks
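
Added example, not part of the original message and not tpm-luks code: a toy Python model of the mechanism described above, where a key held in TPM NVRAM is released only when the PCR produced by the measured boot chain matches the value recorded at setup. It assumes a TPM 1.2-style SHA-1 extend rule; `ToyNvram`, `measure_boot`, `try_unlock` and the sample chain are hypothetical names and constructed values.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length (assumption: TPM 1.2-style PCR bank)


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA1(old || SHA1(component)). Order-sensitive, one-way."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot chain into a PCR that starts at all zeroes after reset."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyNvram:
    """Toy stand-in for a TPM NVRAM index whose read is gated on a PCR value."""

    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret = secret
        self._expected = expected_pcr

    def read(self, current_pcr: bytes) -> bytes:
        # A real TPM checks its own internal PCRs; software cannot supply the
        # value. It is a parameter here only so the model can be exercised.
        if not hmac.compare_digest(current_pcr, self._expected):
            raise PermissionError("PCR mismatch: boot chain was modified")
        return self._secret


# Constructed sample boot chain (placeholder strings, not real binaries).
GOOD_CHAIN = [b"bootloader-v1", b"kernel-v1", b"initramfs-v1"]
LUKS_KEY = b"constructed-sample-key"


def try_unlock(chain, nvram: ToyNvram):
    """Return the key if the measured chain matches, otherwise None."""
    try:
        return nvram.read(measure_boot(chain))
    except PermissionError:
        return None


if __name__ == "__main__":
    nv = ToyNvram(LUKS_KEY, measure_boot(GOOD_CHAIN))
    print(try_unlock(GOOD_CHAIN, nv))
    print(try_unlock([b"bootloader-v1", b"kernel-v1", b"initramfs-modified"], nv))
```

Because each extend hashes the previous PCR value, a change to any component, or to the order of components, yields a different final PCR and the read is refused.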