| 16 Jul 2021 |
 andi- | did yours report less or did you just stop copying? | 20:26:05 |
 @grahamc:nixos.org | stopped copying | 20:33:52 |
| @grahamc:nixos.org | my guess is that because I haven't set a lockoutauth it isn't decrementing for some reason | 20:34:01 |
|  colemickens joined the room. | 22:07:58 |
| 17 Jul 2021 |
 Mic92 (Old) | In reply to @andi:kack.it
Mic92: are you aware of a password manager that uses pkcs11 and isn't using GPG? Age is still not able to do that IIRC. No. What praticial security would it provide for users though to use TPM in this case? | 04:50:08 |
| Mic92 (Old) | Right now you type in a password to decrypt a symmetric key. With TPM i guess you would type in a key to unlock the TPM, which unlocks your symmetric key fro the password? | 04:50:56 |
| andi- | In reply to @mic92:nixos.dev
Right now you type in a password to decrypt a symmetric key. With TPM i guess you would type in a key to unlock the TPM, which unlocks your symmetric key fro the password? The key never exists in memory and the TPM could ensure that the device-specific secret for the password manager only ever works on this machine when you boot a trusted system (your bootloader, kernel, ...). | 07:58:27 |
| andi- | So the boot (+password) would unlock the TPM and then each and every password you'd decrypt using the TPM instead of a derived key in memory. | 07:59:04 |
| Mic92 (Old) | Ok, for device specific credentials this might be helpful but not the classic password manager that is synched across devices. | 08:01:07 |
| andi- | Why not? Right now I encrypt my pass database to plenty of GPG keys. One per device and the one on my yubi key | 08:02:19 |
| andi- | IMHO it would just be one more key I encrypt things for | 08:02:42 |
| Mic92 (Old) | An attack on the password manager would not look much different if an TPM would be involved I would say | 08:04:45 |
| Mic92 (Old) | Passwords need to be at some point in memory | 08:05:43 |
| Mic92 (Old) | It's different when you use the yubi key to authenticate remotly against a different system. | 08:06:15 |
| Mic92 (Old) | Than you never need to have the key in host memory | 08:06:32 |
