Hello,
I’ve an HP EliteBook 840 G5 that I’ve been using up until now with Windows 10. I want to replace it with Debian 12 however since this is a laptop I would like to have my disk fully encrypted as well as the boot stage (initramfs etc).
My threat model: make sure if someone stoles the laptop, powered off, they won’t be able to access my data. I would also like to avoid evil maid attacks and make sure I’m not booting into some modified kernel / system with spyware or that will leak my TPM keys.
I’ve found some information online but I’m unsure of how secure those setups are and/or if it isn’t even possible to have the same level of security that Windows provides.
Here are a few of my questions:
- Anyone around here that has a similar HP laptop and did this?
- What about enrolling secure boot keys on the UEFI? From what I read simply using the typical Linux shim makes things more secure but it doesn’t fix the problem. Enrolling keys seems to break some motherboards
- Even if I use
--tpm2-pcrs=1,4,5,7,9how secure is that, should I add more? - What is the impact of this in system upgrades? How do I deal with those?
- If I want to proceed with this what I should know / what typically fails or can be problematic / security issue?
Some of the information I found:
- https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
- https://saligrama.io/blog/post/upgrading-personal-security-evil-maid/
- https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
Thank you.
As usual the Arch wiki is one of the best resources for this. Not everything is applicable on Debian but should answer most questions. https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
Most but not all :) Thanks.