TPM and Luks Encryption key

Circuit_Queen1997

New Member
Joined
Jul 8, 2026
Messages
3
Reaction score
0
Credits
51
I am looking for someone that can help me with advanced information about the trusted platform module with the Librem 15 laptop. I have searched online for years and never can get a straight forward answer because the situation is very specific and unique. I read the article on this site about the TPM and I do know it is very important that is the whole reason I bought a Librem in the first place, but in the past I’ve had to disable the TPM and deactivate it in order to remove ownership of the computer but now it is in a different state and I’m not sure how for if I should attempt to make changes and I don’t want to take the risk in making a poor decision. When I first got the computer the keys that came with the computer were not set up correctly and there was no instructions a very short time later it stopped receiving updates and after other massive problems with VM and Gnome boxes I ended up factory setting the computer and I left it alone for a few years. Now almost 5 years later I am discovering that my suspicions were right and that issues I’ve had since have come from deployments with this specific computer and although the TPM appears to look like it is secure, no ownership by anyone yet, I have had issues with keys being stolen and also keys that should have not been created possibly could be sitting somewhere in the TPm. Also some confusion about whether the encrypted partition could still be somewhere deep inside the computer and if so, will it keep persistent data and corrupt other partitions with recovery and reinstalling. My main question is, if TPM is on and no ownership has been taken, is the only smart decision to set it to prevent ownership being taken or do I need to disable it in order to try and attempt to extract data from the partition and eventually wipe it and restart a new install. If anyone has any valuable information I would be grateful. Thanks! Also I included a picture because I don’t remember ever seeing an intel driver with this Librem before and I need correct information on what this Librem was supposed to come with and if the intel driver is one of the problems.
 

Attachments

  • IMG_3282.jpeg
    IMG_3282.jpeg
    1.6 MB · Views: 22
  • IMG_3261.jpeg
    IMG_3261.jpeg
    1.8 MB · Views: 18
  • IMG_3262.jpeg
    IMG_3262.jpeg
    1.5 MB · Views: 18


simple thing. do you actually need encryption? are you working on government secrets? encryption will not help you avoid being hacked. It is only going to help you if your physical equipment is stolen. And if you have problems with hardware the encryption will most likely cause you to lose everything or at the very least increase your time and cost of repair by a factor of 5
 
I don’t have anything on the computer other than forensic data. Yes I do need encryption because I’m am a studying forensic analyst and I not only study malware but am a victim of a very advanced attack and am collecting evidence for litigation and law enforcement agencies. Do I need encryption? Yes. This specific attack is something I’ve dealt with for years now, so just needed to know if it was used for malicious purposes which it absolutely was, do I need to deactivate the platform keys before I do forensic work and perform a reinstall. I spent a lot of money on this laptop, and never got to really use it, and when I do, I want to make sure no boot kits are installed and no kernel issues arise. I just spent almost a decade removing a worm a remote Trojan and I don’t want anyone connected to any future computer again. Every computer I’ve ever had were destroyed on day one, this is one computer I know that if it’s set up correctly will work correctly and has the hardware that can handle performance. I am someone that once I fix this computer I don’t want it to boot unless it boots correctly.
 
In Linux, the TPM is accessed through a set of device files and libraries. The main device file for TPM 2.0 in Linux is /dev/tpm2, while for TPM 1.2 it is /dev/tpm0. The Linux kernel provides support for TPM through the tpm and tpm_tis drivers. Additionally, there are user-space tools and libraries like tpm2-tools that allow users to interact with the TPM.

so you need to check if tpm2-tools is installed or not

If you use LUKS Encryption make sure you back up the LUKS Headers - most people do not do this for some unknown reason - but anyhow - Making the long story short, if your LUKS header gets damaged, all data is gone. To prevent this from happening, we need to create a header backup. This can be done by issuing the following command:

sudo cryptsetup luksHeaderBackup <device> --header-backup-file <file>

Where <device> is a LUKS volume disk and <file> is a name of a header backup file to be created. In this case the LUKS is on an external HD

sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /root/sdb1-header-backup

The file is now in the /root folder which is hidden and you need root access to get to it from there you can move it to anywhere else like to a thumb drive if you choose

Note: It is often recommended to backup the headers securely, i.e. on a encrypted drive. However - I use to put mine on /boot, as this is an unencrypted partition, and the file is small about 2MiB.
There’s no great security loss in this – anyone with physical access (or root access) to your device can simply dump the header anyway so it don't matter. If you’re really worried though, save it somewhere safe, or print it out, and store it somewhere else.
(I do not encrypt my drives anymore - have no reason to)

In case of disaster where your LUKS header gets broken/corrupted, you can restore it by issuing the following command:

sudo cryptsetup luksHeaderRestore <device> --header-backup-file <file>

WARNING: LUKS header restoration procedure will replace all key-slots, therefore only the passphrases from the backup will work afterwards! Key-slots no worky

sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /root/sdb1-header-backup
 
Thank you, it’s kind of complicated because of the situation I just wanted to make sure that when I add new software that the boot process is verified and stays that way, I will keep reading these posts and figure it out, right now there is missing pieces of the software so it won’t even load the system. If I am wanting to add new software do I need to disable the tpm in order to completely wipe everything and begins new? That is my only real question I do t want any hidden partitions or software that could cause problems in the firmware.
 
Consider that fact that the entire system is decrypted as soon as you log on to the computer. Encryption does absolutely nothing as long as the computer is running.
 
Consider that fact that the entire system is decrypted as soon as you log on to the computer. Encryption does absolutely nothing as long as the computer is running.
I try to explain that to people but nobody listens. Thank you for saying it.
 


Follow Linux.org

Members online


Top