On Wednesday, December 11, 2019 7:09:41 PM MST Kevin Kofler wrote:
John M. Harris Jr wrote:
> To clarify a bit, the most common method of extracting a key from a TPM
> has been to simply desolder the TPM from the system and solder it onto
> another system. This works with the popular implementations.
Surely that is not a process that you want to advertise to end users!
Of course not. It's just an example of the most common way to get around the
TPM holding the keys.
I stay by what I wrote: a TPM, or anything with the same security
model, is
not an acceptable place for a LUKS key token. Either use a plain keyfile
on a removable USB mass storage stick, or if that does not provide
acceptable security in your setup, find another solution (such as a
passphrase).
Agreed, as it's simply susceptible to attack at too many levels.
--
John M. Harris, Jr.
Splentity