• GreyBeard@lemmy.one
    link
    fedilink
    arrow-up
    8
    ·
    9 months ago

    The point is to have the system automatically unlock without the need for a boot password. This provides decent security if secure boot is enabled, but requires very little from the user. It isn’t a stopper for high threats, but a simple theft will mean the data is safe. It also ensures that if the drive is separated from the host machine, it is useless without a copy of they key. It doesn’t stop all threats, but stops a lot of them, and all of the most common.

    • vexikron
      link
      fedilink
      arrow-up
      1
      arrow-down
      9
      ·
      9 months ago

      Oh ok so the use case here is if this casual linux user asking this question has only their harddrive stolen from their pc or their laptop in their home or apartment or workplace, not their whole pc.

      Mhm that seems likely.

      I guess this maybe makes sense if youre running like a server room, but chances are low thats the actual context of this question.

      Why would you run PopOS on a large operation’s servers?

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        7
        ·
        9 months ago

        While i am personally also not a huge fan of TPM for FDE it is still a valid use. Why? In order to access data on the disk you would still need to bypass the login screen which is non trivial. Also another use case is encrypting the drive so when you sell it or dispose of it you do not need to worry about wiping it at least once to get rid of all data.

        TPM has its weaknesses but pls don’t talk down to someone who wants to use it when you do not understand his use case.

        • GreyBeard@lemmy.one
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          9 months ago

          It should stop issues with full device theft as well, if done correctly, because if secure boot isn’t on and working, it will refuse to give the key. Which means, if it was setup correctly, the computer cannot be accessed without know the users name and password. This is the general accepted stack for Microsoft’s BitLocker. It becomes completely transparent to the user, but puts a decent blocker to access in cases of theft. There are ways around it like freezing RAM or packet sniffing an external TPM, but those are high level attacks.