this post was submitted on 20 Aug 2024
48 points (96.2% liked)
linux4noobs
1422 readers
10 users here now
linux4noobs
Noob Friendly, Expert Enabling
Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.
Seeking Support?
- Mention your Linux distro and relevant system details.
- Describe what you've tried so far.
- Share your solution even if you found it yourself.
- Do not delete your post. This allows other people to see possible solutions if they have a similar problem.
- Properly format any scripts, code, logs, or error messages.
- Be mindful to omit any sensitive information such as usernames, passwords, IP addresses, etc.
Community Rules
- Keep discussions respectful and amiable. This community is a space where individuals may freely inquire, exchange thoughts, express viewpoints, and extend help without encountering belittlement. We were all a noob at one point. Differing opinions and ideas is a normal part of discourse, but it must remain civil. Offenders will be warned and/or removed.
- Posts must be Linux oriented
- Spam or affiliate links will not be tolerated.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
There is at least one that, as of recently, offers both out of the box: OpenSUSE Aeon. In fact, TPM-based encryption is now mandatory.
It's rolling—based on OpenSUSE Tumbleweed—and atomic.
This could be another point in Aeon's favor: it uses a combination of Flatpaks and Distrobox, meaning you can use software from basically any distribution you desire—including from, say, Arch's AUR.
I'll warn you ahead of time: Aeon and its developer are very opinionated. It's basically one person's idea of what makes "the best desktop Linux system," and those are Richard's words, not mine. It is also currently still in the release candidate stage.
If secure boot isn't needed then what's stopping an attacker from USB booting and changing the tpm parameters or pulling the luks password? Actually what's stopping an attacker from USB booting even when secure boot is enabled? Or switching the Aeon kernel with one that won't do the check at all and registering that with secure boot?
A quick Google search says secure boot is not intended to protect against someone with physical access. Then why does it matter in the context of fde at all? Malware running after boot would have access to (most of the) unencrypted filesystem anyways. Edit: and if it has the privileges to modify kernel or boot loader it could do the things I wrote above too
And it's weird that there isn't a mode that uses a luks password in combination to the chain of trust. Relying on the user password for protection doesn't feel very secure since a physical attacker would have more opportunities to see it while the computer is in use than a luks password.
Oh, I never heard of this one before, it certainly meets the criteria, I read the documentation to understand it more
yes, the developer seem very opinionated :|