| 16 Jul 2021 |
 @grahamc:nixos.org | 100% | 13:50:19 |
 andi- | With GPG everyone has some wrong assumption on how it works but it works somehow (most of the time?) | 13:50:27 |
| @grahamc:nixos.org | the complicated bad stuff of GPG that I hate is:
- people don't know how to use it safely
- it is easy to do something catastrophically bad
- the lifecycle of the keys is "I dunno whatever"
| 13:51:51 |
| andi- | Like I was asked what kind of file encryption we (day job) could use for exchanging sensitive documents with a partner... The partner proposed GPG because their enterprise security department says it is secure. Nothing else is acceptable as it hasn't been audited. Something like age wouldn't even be considered even if it is simpler and better suited for the process :/ | 13:52:06 |
| andi- | And I think with "audited" they don't mean having read the GPG code... | 13:52:38 |
| @grahamc:nixos.org | hahaha no chance | 13:52:43 |
| andi- | Hell, I'd probably propose just using openssl CLI instead of GPG... | 13:53:04 |
| @grahamc:nixos.org | oh and 4. people pretend like mere mortals could use it | 13:53:13 |
| @grahamc:nixos.org | at least with a TPM nobody is expecting regular people to actually interact with it | 13:53:33 |
| andi- | Wait until we adjust the NixOS install guid to "now do your usual TPM init dance" | 13:53:54 |
| andi- | * Wait until we adjust the NixOS install guide to "now do your usual TPM init dance" | 13:54:00 |
| @grahamc:nixos.org | lol | 13:54:32 |
| andi- | I actually fear providing any kind of "easy" solution to use TPMs for disk encryption by default... It smells like a huge foot gun. | 13:54:46 |
| @grahamc:nixos.org | I think it has to be easy ... | 13:54:55 |
| andi- | Someone trying Linux for a moment and then switching back to windows might be surprised... | 13:54:56 |
| @grahamc:nixos.org | oh | 13:55:03 |
| andi- | Of course it has to be easy but nobody expects there to be state that is actually important. | 13:55:16 |
| @grahamc:nixos.org | right | 13:55:30 |
| @grahamc:nixos.org | complicated | 13:55:46 |
| andi- | I am also almost certain that if it were feasible to do this with every other user on Linux Fedora or such would have tried that. | 13:55:55 |
| @grahamc:nixos.org | it would probably need to be an opinionated thing | 13:56:29 |
| @grahamc:nixos.org | like "this won't work unless you follow our strict path =) my way or the highway " | 13:57:06 |
| andi- | Ok, I actually think Fedora has done that stuff. There is that dracut plugin that allows you to do SSS, Password, remote unlock and TPM based unlock etc.. | 13:57:58 |
| @grahamc:nixos.org | although in what I've set up here I get PCR validation and encrypted disks without using nvram statue | 13:58:02 |
| @grahamc:nixos.org | * although in what I've set up here I get PCR validation and encrypted disks without using nvram state | 13:58:12 |
| @grahamc:nixos.org | so it would only get wiped if they switched to windows and windows cleared the tpm | 13:58:31 |
| andi- | https://aboutcher.co.uk/2020/06/fedora-linux-luks-encryption-with-tpm-unlock/ this sounds so easy :D | 14:02:06 |
 hexa | oh right, clevis. | 14:02:51 |
| andi- | Getting clevis to work on NixOS would already be amazing. SSS for unlocking a community computer is a common enough use case. | 14:03:33 |
| hexa | right, that's when we looked into that | 14:03:59 |
