latchset / clevis

Automated Encryption Framework
GNU General Public License v3.0

Unlocking a device via TPM2 + "Tang or Passphrase" #163

Open rmetrich opened 4 years ago

rmetrich commented 4 years ago

Hello, I talked to @sergio-correia during Devconf.CZ and would like to expose a use case that I believe would be very interesting for mobile Enterprise users like me.

Basically, when I'm on the Enterprise network, I just want the system to unlock automatically. When I'm roaming, I expect a passphrase to be entered.

I would like to make sure the security of my laptop isn't compromised, hence I would like to not be able to unlock only through entering a master passphrase. I believe that the master passphrase should be in the hands of Enterprise admins only and the user would unlock the device using their own user passphrase. To secure it a bit more, I believe that linking the device to the TPM2 would be useful.

Hence, to unlock, we would need both TPM2 and user passphrase.

Alternatively, when on a secure network (e.g. Enterprise network or Home), the user passphrase unlock could be replaced for convenience by Tang. This would hence be TPM2 + Tang in that scenario.

Currently this is not possible because there is no Pin dedicated to entering a passphrase.

This would be enabled on the root disk, but also encrypted USB keys (such keys could then only be used on dedicated systems for which the TPM2 would have been registered, typically the Enterprise laptop and the personal laptop for example).

nitmir commented 3 years ago

I think this is a duplicate of #52. With password pin + sss this is straightforward.

I would also like to have a password pin and have a prompt at boot time for entering it.
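The policy both comments describe, "TPM2 AND (Tang OR passphrase)", can be written as a nested Clevis `sss` configuration, and the small evaluator below checks which pin combinations would satisfy it. This is an added example, not code from the clevis project or from either commenter; the `pass` pin name is hypothetical (it stands in for the passphrase pin requested here, which clevis does not ship), and the Tang URLs are constructed.

```python
import json

# Constructed policy: outer sss needs both shares (TPM2 and the inner sss);
# the inner sss needs only one of Tang or the passphrase.
# "pass" is a HYPOTHETICAL pin name; clevis has no pin called that.
POLICY_JSON = """
{
  "t": 2,
  "pins": {
    "tpm2": {"pcr_ids": "7"},
    "sss": {
      "t": 1,
      "pins": {
        "tang": [{"url": "http://tang.corp.example"},
                 {"url": "http://tang.home.example"}],
        "pass": {}
      }
    }
  }
}
"""

def _as_list(cfg):
    """A pin entry is either one config object or a list of them (one share each)."""
    return cfg if isinstance(cfg, list) else [cfg]

def count_shares(policy, available):
    """Shares recoverable in one sss node, given the names of pins that can
    currently unlock (e.g. {"tpm2", "tang"} when on the Enterprise network)."""
    shares = 0
    for name, cfg in policy["pins"].items():
        for entry in _as_list(cfg):
            if name == "sss":
                shares += 1 if can_unlock(entry, available) else 0
            elif name in available:
                shares += 1
    return shares

def can_unlock(policy, available):
    """True when at least t shares of this sss node can be recovered."""
    return count_shares(policy, set(available)) >= policy["t"]

def evaluate(policy_json=POLICY_JSON):
    """Map each scenario from the issue to whether the device would unlock."""
    policy = json.loads(policy_json)
    scenarios = {
        "enterprise: tpm2+tang": {"tpm2", "tang"},
        "roaming: tpm2+pass": {"tpm2", "pass"},
        "foreign host: tang+pass": {"tang", "pass"},
        "tpm2 only": {"tpm2"},
    }
    return {label: can_unlock(policy, pins) for label, pins in scenarios.items()}

if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{label:28s} -> {'unlocks' if ok else 'stays locked'}")
```

The two Tang URLs model the Enterprise and Home servers from the first comment; the nested structure is what makes the passphrase an alternative to Tang rather than to the TPM2.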