Linux has been supporting Full Disk Encryption (FDE) and technologies such as UEFI SecureBoot and TPMs for a long time. However, the way they are set up by most distributions is not as secure as they should be, and in some ways quite frankly weird. In fact, right now, your data is probably more secure if stored on current ChromeOS, Android, Windows or MacOS devices, than it is on typical Linux distributions.
TPM
I think this is the author's first mistake: why would you keep the decryption secret on the system you want to encrypt? Maybe commercial OSes are more native to this because those systems do a lot of senseless things anyway...
The real problem is that you can't decrypt something without communicating the secret to the thing you've encrypted. YubiKeys are great for auth because it's just a signature and the secret never leaves the YubiKey... but you can't do this with encryption.
This leaves you entering some type of secret into the keyboard, even if that's just a PIN to another secret, which sucks in the case of laptops because unless you're in a SCIF there are cameras and microphones everywhere logging your keystrokes.
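The boundary the comment above describes can be made concrete with a small model of a sealed disk key. This is an added illustration, not code from the thread or from any of the projects it mentions: a hypothetical HardwareToken class stands in for a TPM or YubiKey, keeps its wrapping key internal, and only releases the volume's data key after a correct PIN. The point it shows is which secret actually crosses to the host: the device secret never does, but the data key must, and the PIN is the typed input the commenter worries about. Every key, PIN and message is constructed for the example, and the SHA-256 keystream "cipher" is a toy used only so the block runs with the standard library.

```python
"""Toy model of hardware-sealed disk decryption (added example, not from the thread).
The stream cipher below is NOT a real cipher; it exists only to keep the example
self-contained. Do not reuse it for real data."""
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter keystream (illustration only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class HardwareToken:
    """Hypothetical TPM/YubiKey-style device. The wrapping key never leaves this
    object; only sealed blobs go in and an unwrapped data key comes out, and the
    data key is released only after the correct PIN."""

    def __init__(self, pin: str):
        self._wrapping_key = secrets.token_bytes(32)  # device-internal secret (constructed)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.failed_attempts = 0

    def wrap(self, data_key: bytes) -> bytes:
        """Seal a data key as nonce || ciphertext || HMAC tag under the internal key."""
        nonce = secrets.token_bytes(12)
        ct = _keystream_xor(self._wrapping_key, nonce, data_key)
        tag = hmac.new(self._wrapping_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unwrap(self, blob: bytes, pin: str) -> bytes:
        """Release the data key to the host. This is the step the comment describes:
        after it, the host holds the key it decrypts with."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.failed_attempts += 1
            raise PermissionError("wrong PIN")
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        expected = hmac.new(self._wrapping_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("sealed blob was modified")
        return _keystream_xor(self._wrapping_key, nonce, ct)


def encrypt_volume(data_key: bytes, plaintext: bytes) -> bytes:
    """Host-side volume encryption with the data key (toy cipher)."""
    nonce = secrets.token_bytes(12)
    return nonce + _keystream_xor(data_key, nonce, plaintext)


def decrypt_volume(data_key: bytes, blob: bytes) -> bytes:
    """Host-side decryption: needs the data key in host memory, unavoidably."""
    return _keystream_xor(data_key, blob[:12], blob[12:])


def unlock_demo() -> dict:
    """Walk through seal -> wrong PIN -> correct PIN -> decrypt, with constructed values."""
    token = HardwareToken(pin="1234")           # constructed PIN
    data_key = secrets.token_bytes(32)
    sealed = token.wrap(data_key)
    volume = encrypt_volume(data_key, b"constructed volume contents")
    del data_key                                 # at rest only the sealed blob is kept
    try:
        token.unwrap(sealed, pin="0000")         # a wrong PIN releases nothing
    except PermissionError:
        pass
    key_on_host = token.unwrap(sealed, pin="1234")
    return {
        "plaintext": decrypt_volume(key_on_host, volume),
        "failed_attempts": token.failed_attempts,
    }


def tamper_is_detected() -> bool:
    """A sealed blob altered on disk must be rejected rather than yield a garbage key."""
    token = HardwareToken(pin="1234")
    sealed = bytearray(token.wrap(secrets.token_bytes(32)))
    sealed[20] ^= 0x01                           # flip one ciphertext bit
    try:
        token.unwrap(bytes(sealed), pin="1234")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(unlock_demo())
    print("tamper detected:", tamper_is_detected())
```

The model is deliberately one-sided: the host never sees `_wrapping_key`, but `decrypt_volume` cannot run without `key_on_host`, and nothing in the token stops whoever watched the PIN being typed from asking for that key again. Real tokens add retry counters and, for TPMs, PCR-bound policies on top of the PIN; those are outside this example.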