Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LUKS volumes need configurable password and/or recovery keys #477

Open
jmpolom opened this issue Apr 18, 2024 · 0 comments
Open

LUKS volumes need configurable password and/or recovery keys #477

jmpolom opened this issue Apr 18, 2024 · 0 comments
Labels
area/install Issues related to `bootc install`

Comments

@jmpolom
Copy link

jmpolom commented Apr 18, 2024

See problems described in #476 and #421 for context.

The bootc install to-disk --block-setup tpm2-luks feature needs to provision either a systemd-cryptenroll recovery key or a default/backup password for the root LUKS volume. This is a necessity to ensure systems can be booted and users are not locked out when TPM PCR hashes change (they can and will change over time as the system is maintained).

Sometimes TPM PCR hashes change -- this is an expected and intended thing that happens on any system used over a period of time since they measure aspects of the system (which can change over time). Solely relying on the TPM to unlock root volumes is risky and exposes users to a lockout/non bootable situation without a recovery key or password. A bad and completely avoidable experience.
@jmpolom jmpolom mentioned this issue Apr 18, 2024
Closed
@cgwalters cgwalters added the area/install Issues related to `bootc install` label Apr 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/install Issues related to `bootc install`
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cgwalters @jmpolom