But what is the threat model where a TPM-stored LUKS key protects against?
I fail to see it. It doesn’t protect against any physical attacks at all, and it also doesn’t protect against attacks while the system is powered on.
It seems to only protect against the attack of someone stealing your hard drive out of your system but leaving the entire system behind. Maybe for encrypting extra data drives that will want to be resold later? But that is more a datacenter threat model
Let’s say you have LUKS with TPM enabled. Verified or Safe Boot is also on, so someone cannot access your decrypted files just with some live usb distro. And let’s say you also have a password set for changing BIOS/UEFI settings so the attacker cannot disable safe boot without a password. So the attacker might want to steal the hard drive in this case to get the data, but that’s also not possible because the hard drive is encrypted and the key is in the TPM. The way TPM also checks for integrity makes the system tamper-proof. So any attempt at tampering with the hardware will trigger the tamper protection and ask the user for a recovery passphrase to let the TPM hand over the decryption key again. So actually TPM is useless without safe boot and without a password for the user account in your OS. The only thing protecting your data from the attacker in this case is your user password… unless the user has one of these raspberry pi pico devices that are programmed to take the TPM keys sent to the CPU at boot in plaintext. Though I am pretty sure this is also fixed or will be fixed in the future. Maybe public key cryptography could help. I haven’t researched that yet.
TL;DR: TPM is pretty useless without safe boot, but is pretty decent with safe boot. TPM is not the securest thing in the world but for a regular user it’s probably the best choice without sacrificing convenience.
The threat ia that someone who uses a shitty password and then their laptop gets taken by a sophisticated actor that could crack their stupid password in an hour without the TPM wiping itself after X failed attempts.
The solution, of course, is to not use shitty passwords
But what is the threat model where a TPM-stored LUKS key protects against?
I fail to see it. It doesn’t protect against any physical attacks at all, and it also doesn’t protect against attacks while the system is powered on.
It seems to only protect against the attack of someone stealing your hard drive out of your system but leaving the entire system behind. Maybe for encrypting extra data drives that will want to be resold later? But that is more a datacenter threat model
Let’s say you have LUKS with TPM enabled. Verified or Safe Boot is also on, so someone cannot access your decrypted files just with some live usb distro. And let’s say you also have a password set for changing BIOS/UEFI settings so the attacker cannot disable safe boot without a password. So the attacker might want to steal the hard drive in this case to get the data, but that’s also not possible because the hard drive is encrypted and the key is in the TPM. The way TPM also checks for integrity makes the system tamper-proof. So any attempt at tampering with the hardware will trigger the tamper protection and ask the user for a recovery passphrase to let the TPM hand over the decryption key again. So actually TPM is useless without safe boot and without a password for the user account in your OS. The only thing protecting your data from the attacker in this case is your user password… unless the user has one of these raspberry pi pico devices that are programmed to take the TPM keys sent to the CPU at boot in plaintext. Though I am pretty sure this is also fixed or will be fixed in the future. Maybe public key cryptography could help. I haven’t researched that yet.
TL;DR: TPM is pretty useless without safe boot, but is pretty decent with safe boot. TPM is not the securest thing in the world but for a regular user it’s probably the best choice without sacrificing convenience.
The threat ia that someone who uses a shitty password and then their laptop gets taken by a sophisticated actor that could crack their stupid password in an hour without the TPM wiping itself after X failed attempts.
The solution, of course, is to not use shitty passwords