| 16 Jul 2021 |
@grahamc:nixos.org | yeah | 12:13:00 |
andi- | So, why that take ownership stuff then? | 12:13:12 |
@grahamc:nixos.org | you can create a hierarchy of keys which reveal different amounts of data | 12:13:20 |
andi- | Shouldn't I rather specify the root somehow? | 12:13:21 |
@grahamc:nixos.org | ah | 12:13:35 |
andi- | and the root is also the part that takes the two passwords? | 12:13:37 |
@grahamc:nixos.org | ah, no | 12:13:43 |
@grahamc:nixos.org | heh | 12:13:45 |
@grahamc:nixos.org | takeownership does 2 things afaik:
- resets the seed which is used for all the root key calculations
- sets a password used to reset counters
| 12:14:06 |
@grahamc:nixos.org | so you can set a policy saying increment a counter on decrypt attempt, and refuse if it goes above 10, then you need the ownership password to reset it | 12:14:51 |
andi- | Ok, so that part is then stored in the NV RAM of the TPM? | 12:15:35 |
@grahamc:nixos.org | yeah | 12:15:43 |
@grahamc:nixos.org | you don't need any special credential to use the roots | 12:15:55 |