| 16 Jul 2021 |
andi- | Interesting. What do you do with primary.ctx? Store somewhere? Destroy as you don't intend to ever change it? | 13:43:06 |
@grahamc:nixos.org | destroy it and recreate every time | 13:43:19 |
@grahamc:nixos.org | I believe createprimary creates an encryption key to communicate with the TPM with, and then gets the key to sign | 13:43:56 |
@grahamc:nixos.org | * I believe createprimary creates an encryption key to communicate with the TPM with, and then gets the TPM's key | 13:44:17 |
@grahamc:nixos.org | the communication key is changing every time but that is fine, but the TPM's key is the same every time | 13:44:28 |
@grahamc:nixos.org | if you run createprimary with the same args a bunch of times the first half of the file is different every time and the second half is the same | 13:44:41 |
andi- | ok, perhaps I should start with QEMU and some soft TPM to play around with this | 13:47:05 |
andi- | less likely to screw up my SSH key that way :D | 13:47:14 |
@grahamc:nixos.org | yes, I haven't moved my dataset's encryption to use the TPM yet either :P | 13:47:58 |
andi- | When we used to say GPG is hard I think we really overstated it a bit in comparison | 13:48:33 |
@grahamc:nixos.org | you know, I disagree | 13:48:45 |
@grahamc:nixos.org | well | 13:48:54 |
andi- | I am not defending GPG... | 13:49:05 |
@grahamc:nixos.org | yeah | 13:49:09 |
@grahamc:nixos.org | I'm trying to think about what my position is here :P | 13:49:20 |
andi- | TPMs in systems like Windows or MacOS are probably something ~15 engineers at either company understand and maintain. None of the millions of users has knowledge about them to use BitLocker or FileVault. | 13:50:07 |
@grahamc:nixos.org | yes! | 13:50:16 |
@grahamc:nixos.org | 100% | 13:50:19 |
andi- | With GPG everyone has some wrong assumption on how it works but it works somehow (most of the time?) | 13:50:27 |