Skip Navigation

Debian 12: How to setup disk encryption with TPM2

Hello,

I've an HP EliteBook 840 G5 that I've been using up until now with Windows 10. I want to replace it with Debian 12 however since this is a laptop I would like to have my disk fully encrypted as well as the boot stage (initramfs etc).

My threat model: make sure if someone stoles the laptop, powered off, they won't be able to access my data. I would also like to avoid evil maid attacks and make sure I'm not booting into some modified kernel / system with spyware or that will leak my TPM keys.

I've found some information online but I'm unsure of how secure those setups are and/or if it isn't even possible to have the same level of security that Windows provides.

Here are a few of my questions:

  • Anyone around here that has a similar HP laptop and did this?
  • What about enrolling secure boot keys on the UEFI? From what I read simply using the typical Linux shim makes things more secure but it doesn't fix the problem. Enrolling keys seems to break some motherboards
  • Even if I use --tpm2-pcrs=1,4,5,7,9 how secure is that, should I add more?
  • What is the impact of this in system upgrades? How do I deal with those?
  • If I want to proceed with this what I should know / what typically fails or can be problematic / security issue?

Some of the information I found:

Thank you.

13
13 comments
13 comments