| 24 Jan 2022 |
 colemickens 🏳️🌈 | Hrmph, now I feel like I wasted my time with the shim, but this would require figuring out signing :s | 22:42:19 |
 Zhaofeng Li | It's actually pretty simple after you generate all the keys and enroll them in your BIOS | 22:43:13 |
| Zhaofeng Li | Everything else can be done from the OS | 22:43:30 |
| colemickens 🏳️🌈 | I just assume people are signing outside the store or doing some sandboxing trick to get to the private key or something. I've always avoided that, but maybe it's not a huge deal. | 22:44:10 |
| Zhaofeng Li | In reply to @zhaofeng:zhaofeng.li
You can get actual Secure Boot signing working with https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot The module here automatically creates a unified kernel image (kernel + initrd) for each generation and signs them | 22:45:10 |
| Zhaofeng Li | And the end-user experience is seamless | 22:45:23 |
| colemickens 🏳️🌈 | Oh, right, it just takes a path to the key. | 22:45:40 |
| colemickens 🏳️🌈 | Huh, why was I over thinking this. | 22:45:46 |
| colemickens 🏳️🌈 | Neato. | 22:45:49 |
| colemickens 🏳️🌈 | Thanks a bunch Zhaofeng Li , I'll have to spend another weekend day trying to do this the right way then! | 22:47:21 |
| 31 Jan 2022 |
|  bernardo changed their profile picture. | 11:49:42 |
| 2 Feb 2022 |
|  Chuck Winter changed their display name from CoilWinder (novus ordo seclorum) to Chuck Winter. | 08:37:03 |
| 3 Feb 2022 |
|  lvkm joined the room. | 08:49:27 |
|  lewo joined the room. | 21:47:17 |
| 4 Feb 2022 |
 Mic92 | is this any good? https://github.com/whooo/tpm2-ssh-agent | 14:08:18 |
| 15 Feb 2022 |
 stigo | In reply to @mic92:nixos.dev
is this any good? https://github.com/whooo/tpm2-ssh-agent I've been using gpg with tpm for ssh for a while now, quite happy with it. Unable to change passphrases for tpm backed keys tho. | 16:02:28 |
| stigo | Was wondering if anyone has had any luck setting up TPM2 with LUKS on NixOS? | 16:03:08 |
| Mic92 | I try to keep my system gnupg-free because of bad past experiences. I think andi- was working on that, but don't know the status | 16:04:05 |
| stigo | "happy" and "gpg" are unlikely to be in the same sentence though. | 16:04:08 |
| Zhaofeng Li | In reply to @stigo:matrix.org
Was wondering if anyone has had any luck setting up TPM2 with LUKS on NixOS? I use clevis and add the decrypt command to my boot.initrd.luks.devices.<name>.preOpenCommands | 16:30:19 |
| Zhaofeng Li | I added an option so the decryption process immediately falls back to password if the key file doesn't exist instead of waiting: https://github.com/NixOS/nixpkgs/pull/150196 | 16:31:16 |
| Zhaofeng Li | For better TPM+LUKS integration, there was https://github.com/NixOS/nixpkgs/pull/134577 but it was decided that we wanted to wait for systemd in stage-1 for cryptenroll support which is still in limbo at the moment | 16:33:00 |
| stigo | In reply to @zhaofeng:zhaofeng.li
I use clevis and add the decrypt command to my boot.initrd.luks.devices.<name>.preOpenCommands Thx for the info! Yeah, I'll be patient and wait for systemd-cryptenroll stuffs to be ready | 16:41:58 |
| stigo | Just to mention about gpg. Some of the things that work well with it are ssh and encryption/decryption (vith epa in emacs, and tomb, for instance), and has a nice tpm2 integration. Signature verification, trust models, sks, email, and all that is a different story though. Imho. | 16:54:31 |
| stigo | * Just to mention about gpg. Some of the things that work well with it are ssh and encryption/decryption (vith epa in emacs, tomb, and pass, for instance), and has a nice tpm2 integration. Signature verification, trust models, sks, email, and all that is a different story though. Imho. | 16:57:03 |
| * colemickens 🏳️🌈 contemplates the meaning of "work well" vs "works, after internalizing countless pitfalls and nearly encoding gpg quirks as muscle memory" | 20:14:56 |
| stigo | In reply to * @colemickens:matrix.org
contemplates the meaning of "work well" vs "works, after internalizing countless pitfalls and nearly encoding gpg quirks as muscle memory" Yeah, there is for sure a lot of that. s/work well/is useful/ would be more accurate. | 20:22:49 |
| colemickens 🏳️🌈 | Yes sadly it can be made to do many neat things, and as I've been discovering, the non-gpg world has some odd gaps too, so woo. | 20:29:10 |
| 18 Feb 2022 |
| Chuck Winter changed their display name from Chuck Winter to Chuck Winter (vi/vim). | 04:12:15 |
| Chuck Winter changed their display name from Chuck Winter (vi/vim) to Chuck Winter. | 04:20:42 |
