| 16 Jul 2021 |
andi- | Ok, I actually think Fedora has done that stuff. There is that dracut plugin that allows you to do SSS, password, remote unlock and TPM-based unlock etc. | 13:57:58 |
@grahamc:nixos.org | although in what I've set up here I get PCR validation and encrypted disks without using nvram state | 13:58:02 |
@grahamc:nixos.org | so it would only get wiped if they switched to Windows and Windows cleared the TPM | 13:58:31 |
andi- | https://aboutcher.co.uk/2020/06/fedora-linux-luks-encryption-with-tpm-unlock/ this sounds so easy :D | 14:02:06 |
hexa | oh right, clevis. | 14:02:51 |
andi- | Getting clevis to work on NixOS would already be amazing. SSS for unlocking a community computer is a common enough use case. | 14:03:33 |
hexa | right, that's when we looked into that | 14:03:59 |
andi- | and tango is the remote attestation part to it | 14:05:09 |
@grahamc:nixos.org | I clicked the link thinking "oh great, exactly what we need, yet another blog post with some obscure commands with dozens of flags that probably makes it work just barely well enough but not actually be thorough" | 14:08:15 |
@grahamc:nixos.org | but it is short enough that I reasonably trust it! | 14:08:23 |
andi- | So clevis probably puts the two public parts into the initrd? | 14:09:15 |