Full-Disk Encryption on Deck?

What's the full disk encryption UX like in terms of unlocking on boot, with the Steam Deck? Would a USB keyboard basically be a prerequisite / will I regret enabling that? 😅 Thanks in advance!
6 Replies
trouter (OP) • 3mo ago
Ah, also this.
wolfyreload • 3mo ago
During the installation, when you are selecting the disks, you can enable full disk encryption. I think that the command for making it so that you don't have to type the LUKS password on every boot is ujust setup-luks-tpm-unlock. Once you have set it up you probably won't need a keyboard anymore. Not 100% sure, as I don't usually do disk encryption on gaming devices.
trouter (OP) • 3mo ago
That is something related to secure boot, I think, right? Not encryption? I am using Bazzite on the Deck as a general computer a lot more than I expected, so was thinking about FDE. It's an awesome machine!
wolfyreload • 3mo ago
LUKS is disk encryption, it doesn't have anything to do with secure boot. You can use the TPM module to decrypt the disk without having to type the password on every boot. Yeah, if you're using Bazzite for much more than gaming, then FDE does make sense. But as Kyle mentioned, if you want FDE you typically reinstall, and then you can use the ujust command if you don't want to type the LUKS password all the time.
DevilFish303 • 3mo ago
This will use PCR 7 registry (which measures the secure boot state) of the TPM by itself. I find that it is not secure enough, and you're better off using a YubiKey for unlocking. Otherwise, with only PCR 7, I can modify the GRUB cmdline and access your drive as root unencumbered. If you go this route, I would secure the GRUB menu with a strong password in addition to TPM unlock. We cannot use other PCR registries at the moment due to the way rpm-ostree works; otherwise, if we had UKI support, we could secure our system the same way Microsoft secures Windows with PCR 7+11.
In recent days I just stick to not encrypting at all, and I just don't log into anything personal on my portable devices. I cannot in good conscience recommend secure boot + full disk encryption with TPM unlock on Fedora Atomic images in its current state to anyone.
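
To see which PCRs an enrolled volume is actually bound to, the LUKS2 header can be inspected. This is an added example, not part of the thread or of Bazzite's tooling: it assumes the TPM enrollment was done with systemd-cryptenroll (so the header carries a `systemd-tpm2` token) and that the JSON comes from `cryptsetup luksDump --dump-json-metadata <device>`; the sample metadata below is constructed.

```python
import json

# Constructed sample: trimmed LUKS2 JSON metadata with one passphrase slot (0)
# and one TPM2-backed slot (1) whose token is bound to PCR 7 only, without a PIN.
SAMPLE_METADATA = """
{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
  "tokens": {
    "0": {"type": "systemd-tpm2", "keyslots": ["1"],
          "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256", "tpm2-pin": false}
  }
}
"""


def audit_tpm2_tokens(metadata_json):
    """Return one finding per systemd-tpm2 token found in LUKS2 JSON metadata."""
    meta = json.loads(metadata_json)
    findings = []
    for token_id, token in sorted(meta.get("tokens", {}).items()):
        if token.get("type") != "systemd-tpm2":
            continue  # FIDO2, clevis and other token types are not inspected here
        pcrs = sorted(token.get("tpm2-pcrs", []))
        pin = bool(token.get("tpm2-pin", False))
        if not pcrs:
            verdict = "no PCR binding"
        elif pcrs == [7]:
            verdict = "PCR 7 only"
        else:
            verdict = "other PCR set"
        findings.append({"token": token_id, "keyslots": token.get("keyslots", []),
                         "pcrs": pcrs, "pin": pin, "verdict": verdict})
    return findings


def needs_review(findings):
    """IDs of tokens that unlock without a PIN and bind to PCR 7 alone or to nothing."""
    return [f["token"] for f in findings
            if not f["pin"] and f["verdict"] in ("PCR 7 only", "no PCR binding")]


if __name__ == "__main__":
    results = audit_tpm2_tokens(SAMPLE_METADATA)
    for finding in results:
        print(finding)
    print("tokens to review:", needs_review(results))
```
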
wolfyreload • 3mo ago
Didn't know of the state of FDE for Bazzite. Good to know, thanks for the detail.