To make this more seamless, one could maybe pull a trick from FileVault's book and perhaps wrap a copy of all interactive user password hashes with the TPM (using PCRs to validate a secure boot chain) to implement a pre-boot login prompt to both decrypt the disk and pass the input password to PAM afterwards to log in.
This way, the user need only enter a passphrase to initially get in but can then use their fingerprint sensor thereafter to do match-on-host processing of fingerprints. After all, if a switched-on laptop is stolen after LUKS is unlocked, even on a desktop lock screen, it's usually going to be vulnerable to data remanence attacks anyway.
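The sealing idea above, modelled as an added example (not the commenter's code and not a real TPM API): a password hash is wrapped under a key that depends on a replayed boot-chain PCR, so a changed boot component yields a different policy and the unseal fails. The SRK, the boot events and the hash string are constructed sample values, and the PolicyPCR construction is simplified.

```python
"""Toy model of sealing a credential to a measured boot chain.
Uses hashlib only; it is NOT a TPM and the policy maths is simplified."""
import hashlib
import hmac
import os


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def boot_chain_pcr(events) -> bytes:
    """Replay a list of boot-chain measurements into one PCR (starts at zero)."""
    pcr = b"\x00" * 32
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


def policy_digest(pcr_value: bytes) -> bytes:
    """Stand-in for a PCR policy digest bound to one expected PCR value."""
    return hashlib.sha256(b"PolicyPCR" + pcr_value).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC in counter mode as a stand-in for symmetric wrapping."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _wrap_key(srk: bytes, pcr_value: bytes) -> bytes:
    # The wrapping key mixes the storage root key with the PCR policy,
    # so any boot-chain change produces a different key.
    return hmac.new(srk, policy_digest(pcr_value), hashlib.sha256).digest()


def seal(srk: bytes, pcr_value: bytes, secret: bytes) -> bytes:
    """Return nonce || ciphertext || tag for secret bound to pcr_value."""
    key = _wrap_key(srk, pcr_value)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(srk: bytes, pcr_value: bytes, blob: bytes):
    """Recover the secret, or None when the current PCR does not match."""
    key = _wrap_key(srk, pcr_value)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # policy mismatch: a boot component was changed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```

A real implementation would use the TPM's own PolicyPCR session and an authenticated cipher; the point shown is only that the wrapped hash is unrecoverable once the measured chain differs.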
Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
Could the opposite not be done?
Date: 2024-08-27 10:43 pm (UTC)