tpm guide: Add note about PCR12 with pin

This commit is contained in:
ItsDrike 2024-06-28 00:52:36 +02:00
parent 7ae636cdca
commit 07b7c8945b
Signed by: ItsDrike
GPG key ID: FA2745890B7048C0

View file

@ -119,6 +119,10 @@ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7+12 /dev/disk/by-labe
> If you're extra paranoid, you can also provide `--tpm2-with-pin=yes`, to prompt for a PIN code on each boot. > If you're extra paranoid, you can also provide `--tpm2-with-pin=yes`, to prompt for a PIN code on each boot.
> >
> I have mentioned why you may want to do this in the beginning. > I have mentioned why you may want to do this in the beginning.
>
> In case you do want to go with a PIN, you can also safely drop PCR12, as you will be asked for credentials
> each time anyways, and at that point, the TPM unlocking is basically just as secure as regular passphrase
> unlocking, which systemd would fall back to if PCR12 wasn't met.
You will now be prompted for an existing LUKS password (needed to add a new LUKS keyslot). You will now be prompted for an existing LUKS password (needed to add a new LUKS keyslot).