| 16 Jul 2021 |
 andi- | ok, perhaps I should start with QEMU and some soft TPM to play around with this | 13:47:05 |
| andi- | less likely to screw up my SSH key that way :D | 13:47:14 |
 @grahamc:nixos.org | yes, I haven't moved my dataset's encryption to use the TPM yet either :P | 13:47:58 |
| andi- | When we used to say GPG is hard I think we really overstated it a bit in comparison | 13:48:33 |
| @grahamc:nixos.org | you know, I disagree | 13:48:45 |
| @grahamc:nixos.org | well | 13:48:54 |
| andi- | I am not defending GPG... | 13:49:05 |
| @grahamc:nixos.org | yeah | 13:49:09 |
| @grahamc:nixos.org | I'm trying to think about what my position is here :P | 13:49:20 |
| andi- | TPMs in systems like Windows or MacOS are probably something ~15 engineers at either company understand and maintain. None of the millions of users has knowledge about them to use BitLocker or FileVault. | 13:50:07 |
| @grahamc:nixos.org | yes! | 13:50:16 |
| @grahamc:nixos.org | 100% | 13:50:19 |
| andi- | With GPG everyone has some wrong assumption on how it works but it works somehow (most of the time?) | 13:50:27 |
| @grahamc:nixos.org | the complicated bad stuff of GPG that I hate is:
- people don't know how to use it safely
- it is easy to do something catastrophically bad
- the lifecycle of the keys is "I dunno whatever"
| 13:51:51 |
| andi- | Like I was asked what kind of file encryption we (day job) could use for exchanging sensitive documents with a partner... The partner proposed GPG because their enterprise security department says it is secure. Nothing else is acceptable as it hasn't been audited. Something like age wouldn't even be considered even if it is simpler and better suited for the process :/ | 13:52:06 |
| andi- | And I think with "audited" they don't mean having read the GPG code... | 13:52:38 |
| @grahamc:nixos.org | hahaha no chance | 13:52:43 |
| andi- | Hell, I'd probably propose just using openssl CLI instead of GPG... | 13:53:04 |
| @grahamc:nixos.org | oh and 4. people pretend like mere mortals could use it | 13:53:13 |
| @grahamc:nixos.org | at least with a TPM nobody is expecting regular people to actually interact with it | 13:53:33 |
| andi- | Wait until we adjust the NixOS install guid to "now do your usual TPM init dance" | 13:53:54 |
| andi- | * Wait until we adjust the NixOS install guide to "now do your usual TPM init dance" | 13:54:00 |
| @grahamc:nixos.org | lol | 13:54:32 |
| andi- | I actually fear providing any kind of "easy" solution to use TPMs for disk encryption by default... It smells like a huge foot gun. | 13:54:46 |
| @grahamc:nixos.org | I think it has to be easy ... | 13:54:55 |
| andi- | Someone trying Linux for a moment and then switching back to windows might be surprised... | 13:54:56 |
| @grahamc:nixos.org | oh | 13:55:03 |
| andi- | Of course it has to be easy but nobody expects there to be state that is actually important. | 13:55:16 |
| @grahamc:nixos.org | right | 13:55:30 |
| @grahamc:nixos.org | complicated | 13:55:46 |
