Hey! I’m currently on Fedora Workstation and I’m getting bored. Nothing in particular. I’ve heard about immutable distros and I’m thinking about Fedora Kinoite. The idea is interesting but idk if it’s worth it. CPU and GPU are AMD. Mostly used for gaming.
My (maybe flawed?) thoughts: Why bother with full disk encryption if one could just boot the notebook to undo the encryption?
Using my Yubico FIDO2 key in combination with a small PIN, I can easily decrypt my LUKS drive and know nobody else can decrypt it as long as I have my Yubico with me.
What do you think of this?
If it were that easy to do, we wouldn’t have even bothered with doing disk encryption in the first place. And it’s not like cracking TPMs is a walk in the park.
This definitely could help in a scenario where an attacker has only your notebook, but for it to make a difference your attacker must not be able to access your YubiKey and/or compel you to hand it over.
As long as your LUKS drive is encrypted (TPM or not, YubiKey or not), you are relatively safe from an unauthorized party trying to access your data. Either of these attestation tools adds a layer of defense for your encrypted drive.