I have set up Guix already with LUKS full disk encryption with a passphrase. Is it possible to convert this to LUKS with the encryption key stored in my device TPM, or will I have to reinstall?
I saw Guix has tpm2-tools, so it should work the same as on other Linuxes, but I want to make sure there is nothing Guix-specific I am missing that I should be aware of.
IMHO, no conversion is needed.
You can “simply” add a new key slot for the key you want to store in the TPM, tell the initrd to query the TPM for the key, and ask for the passphrase if something isn’t working.
Thank you. That article links to another, that mentions a hard drive swap attack to get the encryption key from the TPM.
Do you know if it’s possible to lock down the TPM such that the actual key can be read by the motherboard (to verify boot) but is irretrievable (can’t access in BIOS)? I know I could just set a BIOS password but it seems much simpler not to introduce the problem in the first place.
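As an added illustration of the two points above (the extra TPM key slot with passphrase fallback, and the drive-swap concern), here is a small Python model, written for this thread and not taken from either poster, Guix or tpm2-tools, of how a TPM releases a sealed key only when the measured boot chain matches a PCR policy. The PCR index, measurement strings and the single-PCR policy are constructed assumptions; the extend and PolicyPCR digest rules follow the TPM 2.0 library specification.

```python
import hashlib

# TPM 2.0 spec constants: command code for TPM2_PolicyPCR and the SHA-256 algorithm id
TPM_CC_POLICY_PCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA-256(PCR_old || SHA-256(measured component)); PCRs can only be extended."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def boot_chain_pcr(components) -> bytes:
    """Simulate one PCR bank that starts at zero and is extended once per boot stage."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def pcr_selection(pcr_index: int) -> bytes:
    """TPML_PCR_SELECTION: one SHA-256 bank, 24 PCRs (3 select bytes), a single PCR selected."""
    select = bytearray(3)
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + bytes([3]) + bytes(select)


def policy_pcr_digest(pcr_index: int, pcr_value: bytes) -> bytes:
    """policyDigest = H(0^32 || TPM_CC_PolicyPCR || pcrs || H(selected PCR values)), fresh session."""
    pcr_digest = hashlib.sha256(pcr_value).digest()
    body = bytes(32) + TPM_CC_POLICY_PCR.to_bytes(4, "big") + pcr_selection(pcr_index) + pcr_digest
    return hashlib.sha256(body).digest()


def unseal_allowed(sealed_policy: bytes, pcr_index: int, current_pcr: bytes) -> bool:
    """The TPM only unseals when the policy recomputed from current PCRs equals the sealed one."""
    return policy_pcr_digest(pcr_index, current_pcr) == sealed_policy


# Constructed sample measurements standing in for real firmware/bootloader/initrd hashes
TRUSTED_BOOT = [b"firmware-v1", b"grub-with-guix-config", b"guix-initrd-with-luks-unlock"]
SWAPPED_DISK_BOOT = [b"firmware-v1", b"grub-from-other-disk", b"initrd-from-other-disk"]
PCR_INDEX = 7  # hypothetical; real setups pick the PCRs that cover the boot path they trust


def demo() -> dict:
    sealed_policy = policy_pcr_digest(PCR_INDEX, boot_chain_pcr(TRUSTED_BOOT))
    return {
        "normal_boot": unseal_allowed(sealed_policy, PCR_INDEX, boot_chain_pcr(TRUSTED_BOOT)),
        "swapped_disk": unseal_allowed(sealed_policy, PCR_INDEX, boot_chain_pcr(SWAPPED_DISK_BOOT)),
    }


if __name__ == "__main__":
    print(demo())  # {'normal_boot': True, 'swapped_disk': False}
```

The sealed key never leaves the TPM in the clear; what the initrd receives is the unsealed LUKS key, and only when the measured boot matches, which is why the passphrase key slot stays as the fallback for firmware or bootloader updates.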