ItsDrike/nixdots
1
0
Fork 0
mirror of https://github.com/ItsDrike/nixdots synced 2024-09-15 23:49:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

tpm guide: Add note about PCR12 with pin

Browse source
This commit is contained in:
ItsDrike 2024-06-28 00:52:36 +02:00
parent 7ae636cdca
commit 07b7c8945b
Signed by: ItsDrike
GPG key ID: FA2745890B7048C0
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
docs/04_TPM_UNLOCKING.md
View file

@ -119,6 +119,10 @@ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7+12 /dev/disk/by-labe
> If you're extra paranoid, you can also provide `--tpm2-with-pin=yes`, to prompt for a PIN code on each boot.
>
> I have mentioned why you may want to do this in the beginning.
>
> In case you do want to go with a PIN, you can also safely drop PCR12, as you will be asked for credentials
> each time anyways, and at that point, the TPM unlocking is basically just as secure as regular passphrase
> unlocking, which systemd would fall back to if PCR12 wasn't met.
You will now be prompted for an existing LUKS password (needed to add a new LUKS keyslot).