• caglararli@hotmail.com
  • 05386281520

Can TPM2 disk encryption protect data after full server theft?

Çağlar Arlı      -    8 Views

Can TPM2 disk encryption protect data after full server theft?

I read about TPM2 with PCR locking full-disk encryption from different sources. For example [1]. What I can't understand is how much does this protect from full server theft.

If we assume that TPM2 module is secure (attacker can't read it), proper PCR locking is implemented and direct reading RAM of the system is not a concern either, then can encryption key be obtained and disk read by attacker?

Does secure boot and/or bootloader locking affect the above question?

Update: I would like to see a list of things that need to be setup so that full disk encryption with TPM (without pin) protects against getting hands on decrypted data and/or encryption key. e.g. is secure boot required, should grub be locked for editing options, etc.

[1] http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html