Thanks, this is what I was also considering the feasibility of, and whether
it made sense to begin with. Any idea how this can be done with systemd?
In the man page I read:
> Note that currently when enrolling a new key of one of the five
> supported types listed above, it is required to
Have your initramfs *extend* a PCR after it retrieves the key from the TPM,
before it switches to (or even unlocks) the rootfs. As most PCRs cannot be
rolled back without a reboot, this would prevent the key from being
unsealed from a running system even if it manages to boot (without causing
the
Hello,
This is more of a user question but I didn't find any other suitable forum
to ask.
I want to install a server that should have an encrypted root but be able
to reboot unattended.
systemd-cryptenroll with TPM2 looks like a viable option. I'm concerned
about which PCRs to pin so that an
On Fr, 18.08.23 13:25, 嵩智 (dir...@gmail.com) wrote:
> Hi all,
>
> I had a program which was launched by systemd, and had NoNewPrivileges=true in
> the service file. This program uses GIO subprocess to execute another
> program, program2. Program2 fails to run if an AppArmor profile is applied to it.
> But