Hacker News: staff3203https://news.ycombinator.com/user?id=staff3203Hacker News RSShttps://hnrss.org/hnrss v2.1.1Sat, 18 Apr 2026 14:13:07 +0000<![CDATA[New comment by staff3203 in "Bypassing disk encryption on systems with automatic TPM2 unlock"]]>What to do for a single root fs spanned over 2 encrypted partitions on 2 separate disks?

]]>Fri, 17 Jan 2025 19:36:31 +0000https://news.ycombinator.com/item?id=42742348staff3203https://news.ycombinator.com/item?id=42742348https://news.ycombinator.com/item?id=42742348<![CDATA[New comment by staff3203 in "Bypassing disk encryption on systems with automatic TPM2 unlock"]]>On my system, I used `tpm2-measure-pcr=yes` in `/etc/crypttab.initramfs`, then used `--tpm2-pcrs=0+2+7+15:sha256=0000000000000000000000000000000000000000000000000000000000000000` with `systemd-cryptenroll`.

As soon as a volume is decrypted, initrd will write `volume-key` to PCR 15, so any further executables can no longer access the data stored in the TPM.

]]>Fri, 17 Jan 2025 05:22:26 +0000https://news.ycombinator.com/item?id=42734355staff3203https://news.ycombinator.com/item?id=42734355https://news.ycombinator.com/item?id=42734355