| 16 Jul 2021 |
@grahamc:nixos.org | at least with a TPM nobody is expecting regular people to actually interact with it | 13:53:33 |
andi- | Wait until we adjust the NixOS install guide to "now do your usual TPM init dance" | 13:53:54 |
@grahamc:nixos.org | lol | 13:54:32 |
andi- | I actually fear providing any kind of "easy" solution to use TPMs for disk encryption by default... It smells like a huge foot gun. | 13:54:46 |
@grahamc:nixos.org | I think it has to be easy ... | 13:54:55 |
andi- | Someone trying Linux for a moment and then switching back to windows might be surprised... | 13:54:56 |
@grahamc:nixos.org | oh | 13:55:03 |
andi- | Of course it has to be easy but nobody expects there to be state that is actually important. | 13:55:16 |
@grahamc:nixos.org | right | 13:55:30 |
@grahamc:nixos.org | complicated | 13:55:46 |
andi- | I am also almost certain that if it were feasible to do this with every other user on Linux, Fedora or such would have tried that. | 13:55:55 |
@grahamc:nixos.org | it would probably need to be an opinionated thing | 13:56:29 |
@grahamc:nixos.org | like "this won't work unless you follow our strict path =) my way or the highway " | 13:57:06 |
andi- | Ok, I actually think Fedora has done that stuff. There is that dracut plugin that allows you to do SSS, password, remote unlock and TPM-based unlock, etc. | 13:57:58 |
@grahamc:nixos.org | although in what I've set up here I get PCR validation and encrypted disks without using nvram state | 13:58:02 |
@grahamc:nixos.org | so it would only get wiped if they switched to windows and windows cleared the tpm | 13:58:31 |
andi- | https://aboutcher.co.uk/2020/06/fedora-linux-luks-encryption-with-tpm-unlock/ this sounds so easy :D | 14:02:06 |