See problems described in #476 and #421 for context.
The `bootc install to-disk --block-setup tpm2-luks` feature needs to provision either a systemd-cryptenroll recovery key or a default/backup password for the root LUKS volume. This is a necessity to ensure systems can be booted and users are not locked out when TPM PCR hashes change (they can and will change over time as the system is maintained).
Sometimes TPM PCR hashes change -- this is an expected and intended thing that happens on any system used over a period of time, since they measure aspects of the system (which can change over time). Solely relying on the TPM to unlock root volumes is risky and exposes users to a lockout/non-bootable situation without a recovery key or password. A bad and completely avoidable experience.
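An added audit check (not from this issue or from bootc) that parses the text `cryptsetup luksDump` prints for a LUKS2 volume and reports whether any keyslot can be opened without the TPM, so an operator can confirm a tpm2-luks install actually has the fallback the issue asks for. The function name `luks_fallback_status` and the three sample dumps are constructed for this example; the dumps are abridged to the sections the check reads.

```shell
# Report whether a LUKS2 header has a non-TPM unlock path. A passphrase
# keyslot has no token; a systemd-cryptenroll recovery key appears as a
# systemd-recovery token; a TPM binding appears as a systemd-tpm2 token
# whose "Keyslot:" line names the slot it unlocks.
luks_fallback_status() {
  printf '%s\n' "$1" | awk '
    /^Keyslots:/ { section = "keyslots"; next }
    /^Tokens:/   { section = "tokens";   next }
    /^Digests:/  { section = "digests";  next }
    section == "keyslots" && /^[ \t]*[0-9]+: luks2/ { id = $1; sub(":", "", id); slots[id] = 1 }
    section == "tokens"   && /^[ \t]*[0-9]+: /      { ttype = $2 }
    section == "tokens"   && /^[ \t]+Keyslot:/      { bound[$2] = ttype }
    END {
      for (s in slots)
        if (!(s in bound) || bound[s] != "systemd-tpm2") { print "fallback-present"; exit }
      print "tpm-only"
    }'
}

# Constructed sample 1: the only keyslot is bound to the TPM, so PCR drift
# leaves no way to unlock the volume.
TPM_ONLY_DUMP='Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        Keyslot:    0
Digests:
  0: pbkdf2'
# Constructed sample 2: TPM binding plus a --recovery-key enrolment.
WITH_RECOVERY_DUMP='Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-tpm2
        Keyslot:    0
  1: systemd-recovery
        Keyslot:    1
Digests:
  0: pbkdf2'
# Constructed sample 3: TPM binding plus a plain passphrase keyslot (no token).
WITH_PASSPHRASE_DUMP='Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-tpm2
        Keyslot:    0
Digests:
  0: pbkdf2'

for d in "$TPM_ONLY_DUMP" "$WITH_RECOVERY_DUMP" "$WITH_PASSPHRASE_DUMP"; do
  luks_fallback_status "$d"   # prints tpm-only, fallback-present, fallback-present
done
```

On a real system feed it `cryptsetup luksDump /dev/<root-luks-device>` output; a "tpm-only" result means the volume has exactly the lockout exposure described above.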