• catloaf@lemm.ee
    link
    fedilink
    English
    arrow-up
    3
    ·
    6 months ago

    I’ve been curious about people who have been disabling the TPM. Where are you storing your disk encryption keys?

    • AMillionMonkeys@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      6 months ago

      I’m not using disk encryption. It’s a desktop and if it’s every stolen I’ve got bigger problems.
      Also, I presume that disk encryption makes it so you can’t just pop the drive in an adapter and pull stuff off it, which I sometimes need to do with old, retired drives.

    • AWildMimicAppears@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      veracrypt is a thing, encrypting drives does not need TPM.

      Just boot using the good old Master Boot Record for a clean solution (The Veracrypt documentation gives a good overview). Veracrypt works with EFI too, but the EFI partition itself cannot be encrypted. You can even create a hidden OS, if you are forced to give out your password, theres still plausible deniability.

      • BearOfaTime@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        6 months ago

        Thanks for the Veracrypt reminder. Adding that to my stuff to setup and document list.

        Sometimes Bitlocker really pisses me off.

    • lud@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 months ago

      You can run bitlocker without TPM using a usb flash drive instead. I think you can also store the key in your mind as a password.

      • catloaf@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        Yes, but when they’re on USB the keys are much more accessible. You can just plug it in and dump them.

        If you’re only using a password, the keys are stored in an unencrypted part of the drive, which can again easily be dumped.

        Once you’ve dumped the keys, you can brute-force the passphrase offline.