| 17 Jul 2021 |
@mic92:nixos.dev | Ok, for device specific credentials this might be helpful but not the classic password manager that is synched across devices. | 08:01:07 |
andi- | Why not? Right now I encrypt my pass database to plenty of GPG keys. One per device and the one on my yubi key | 08:02:19 |
andi- | IMHO it would just be one more key I encrypt things for | 08:02:42 |
@mic92:nixos.dev | An attack on the password manager would not look much different if a TPM would be involved I would say | 08:04:45 |
@mic92:nixos.dev | Passwords need to be at some point in memory | 08:05:43 |
@mic92:nixos.dev | It's different when you use the yubi key to authenticate remotely against a different system. | 08:06:15 |
@mic92:nixos.dev | Then you never need to have the key in host memory | 08:06:32 |
andi- | My threat is more about local code execution stealing keys | 08:09:46 |
@mic92:nixos.dev | The key for what? | 08:11:03 |
@mic92:nixos.dev | A second use case for TPM would be second factor auth | 08:15:48 |
@mic92:nixos.dev | Also interesting: https://github.com/mtth-bfft/tpm-otp | 08:18:28 |
andi- | In reply to @mic92:nixos.dev The key for what? The key for the passwords. | 08:47:47 |
@mic92:nixos.dev | In reply to @andi:kack.it The key for the passwords. It seems like a small win in security for an increased complexity, since the passwords themselves are still in plain | 08:48:57 |
andi- | Yeah but it defeats all kinds of offline attacks on my password database | 08:49:24 |
andi- | you can use my entire disk and still have no way to decrypt my passwords. Not even if you also have a memory dump. | 08:49:38 |