Full Disk Encryption with TPM key

In the UK we have the Cyber Essentials scheme, started by the UK Government's NCSC (National Cyber Security Centre), to get small businesses to implement technical controls to limit and block 90% of cyber attacks. The controls are simple and basic necessities to stay out of trouble, like:

  • Use strong and unique passwords (don’t reuse them)
  • Backup your data
  • Have a firewall
  • Turn on desktop access controls - i.e. a login username and password
  • Use anti-virus (ignore that for this post)
  • Use account MFA for cloud based services
  • Use full disk encryption on devices, so theft doesn’t expose your data

The point of full disk encryption is a sticking point for me (remember we are ignoring anti-virus for now) that prevents me from recommending use of desktop Linux within my business. Most Linux distros seem to allow disk encryption but the user must type in a passphrase during the boot process. I can’t expect users to enter a passphrase / key when they boot their laptop, and servers that restart for whatever reason will stop whatever service or function they provide while everyone waits for me or my helpdesk to connect to the console, tap in a passphrase and continue the process.

I noted that use of TPM security is coming to Linux; Ubuntu has included some beta support with 23.10, but it's not a mainstream feature at all. Here is a post on TPM-backed FDE on the Ubuntu blog from 2023.

I searched this forum for TPM-related posts (and bumped into Linux Secure Boot posts too) and got the impression that the Linux community aren't bothered about Secure Boot or TPM secrets.

What's your take on TPM-backed disk encryption, as it applies to businesses adopting Linux as a desktop OS?

Thanks,

I’ll be honest and mention from the get-go that I don’t like TPM. You can use TPM to store secrets and to use its hardware RNG, but I’d prefer to not do the former.

You can have your users keep the encryption key on a USB that they keep with them at all times (not that you can trust the users to do so, most will leave the key inside the laptop). On the USB, you can have /boot with 1 encryption key and make the laptops boot from USB on priority. It'll load the EFI payload, get GRUB up and then GRUB should be able to read the key from the USB.

You can automate it with credentials insertion over SSH from another server (like if Zabbix detects the server is down, you can have it try to log into it and insert the password).

Keep in mind that full disk encryption only helps with powered off state. If the system is powered on, then it’s free-for-all. I’d suggest you instead look for something that decrypts the user’s home once they unlock the system. That won’t protect against rootkits, which is why you want the root protected as well.

Wow. That is something I would not have thought of - which proves that SSH is the big daddy of Swiss army knives.

Yes, that is a good point, however all I am trying to do is make Linux desktop (and to a small degree, Linux server too) acceptable in a Cyber Essentials certified business. I can't really ask non-sysop staff to carry around a USB stick.

I accept you're TPM-averse, which is fine. I had spotted as much in other posts :wink: I will pay attention to TPM for/against debates to educate myself.
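As an added example (not from any poster in this thread, and not the Ubuntu 23.10 feature the OP links to), this is how the passphrase-free unlock the OP is after is set up on a systemd-based distro with a LUKS2 root: the TPM 2.0 is enrolled as an extra key slot with `systemd-cryptenroll`, sealed to the PCRs that record Secure Boot state and the measured kernel, and the original passphrase slot is kept as the recovery path. Device path, volume name and UUID are placeholders; the PCR choice and the "keep a fallback" rule are the practitioner points the thread leaves implicit.

```shell
#!/bin/sh
# Added example: bind a LUKS2 root volume to the machine's TPM 2.0 so the
# initramfs can unlock it without a typed passphrase (systemd-cryptenroll,
# systemd >= 248). Device path, volume name and UUID are placeholders.
set -eu

# PCR 7 = Secure Boot policy, PCR 11 = kernel/UKI measurement (systemd-stub).
# Sealing to 7 alone lets any OS booted under the same Secure Boot state
# unseal the key; adding 11 ties the key to the measured kernel image.
DEFAULT_PCRS="7+11"

# Accept only '+'-joined PCR indices in the TPM 2.0 range 0-23.
validate_pcrs() {
    _pcrs=$1
    [ -n "$_pcrs" ] || return 1
    _old_ifs=$IFS; IFS='+'
    for _p in $_pcrs; do
        case $_p in
            ''|*[!0-9]*) IFS=$_old_ifs; return 1 ;;
        esac
        [ "$_p" -le 23 ] || { IFS=$_old_ifs; return 1; }
    done
    IFS=$_old_ifs
}

# Build the /etc/crypttab line that makes systemd-cryptsetup try the TPM
# first. The 'none' key field means no key file; the passphrase slot left
# on the volume is only reached if the TPM unseal fails.
crypttab_line() {
    printf '%s UUID=%s none luks,tpm2-device=auto,tpm2-pcrs=%s\n' "$1" "$2" "$3"
}

# Enroll the TPM as an additional LUKS2 key slot. The existing passphrase
# slot is deliberately kept: a firmware update or Secure Boot change moves
# the PCR values and the TPM slot stops unsealing, so a recovery path must
# exist. systemd-cryptenroll prompts for the current passphrase.
enroll_tpm2() {
    _dev=$1; _pcrs=${2:-$DEFAULT_PCRS}
    validate_pcrs "$_pcrs" || { echo "bad PCR list: $_pcrs" >&2; return 1; }
    [ -e /sys/class/tpm/tpm0 ] || { echo "no TPM device present" >&2; return 1; }
    cryptsetup luksDump "$_dev" | grep -q '^Version:.*2' \
        || { echo "$_dev is not LUKS2" >&2; return 1; }
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$_pcrs" "$_dev"
}

# Usage: ./tpm-enroll.sh --enroll /dev/nvme0n1p3 cryptroot <luks-uuid> [pcrs]
if [ "${1:-}" = "--enroll" ]; then
    enroll_tpm2 "$2" "${5:-$DEFAULT_PCRS}"
    crypttab_line "$3" "$4" "${5:-$DEFAULT_PCRS}"   # append to /etc/crypttab, then rebuild the initramfs
fi
```

After a firmware or bootloader update that changes the measured PCRs the TPM slot silently stops working and the machine falls back to the passphrase prompt, so re-enrolling (`--wipe-slot=tpm2` followed by a fresh enroll) belongs in the patching procedure.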