mortar VS linux-secureboot-kit

Bruteforce of such random password is just not plausible and talks about KDF "weakness" is just a distraction. I think most likely it was evil maid attack.

Here are projects which try to mitigate some of evil maid attack risks:

https://github.com/noahbliss/mortar

https://safeboot.dev/

Secure boot and TPM support (à la Mortar: https://github.com/noahbliss/mortar)

There are tools that look to be able to automate it: https://github.com/noahbliss/mortar/blob/master/docs/proxmox-install.md

I just went through the process of setting up new ubuntu VM's using full root disk LUKS encryption and auto-unlock via Proxmox's vTPM2.0 and UEFI ( via this extremely helpful resource https://github.com/noahbliss/mortar )

I have used this project with Debian+proxmox and it's been working great. https://github.com/noahbliss/mortar but I did read the arch wiki a bit which helped my understanding.

There's a project called "mortar" (as in, gluing all these bricks together) that was attempting to simplify this. Though it's lost steam, reading through it's simple bash scripts was a great place to start for me. This guide for Fedora also helped a lot.

There have been a number of attempts to solve this problem, but the most complete appear to be Mortar (a project I head) and safeboot.dev

I highly recommend taking a look at either of these projects if you want be able to improve both your convenience through auto unlocking, and security through broadened scope of audit.

https://github.com/noahbliss/mortar

https://safeboot.dev

Check out mortar. It uses secure boot and TPM along with LUKS. The creator is super helpful and available on the telegram.

A more advanced approach would be something like mortar to chain-load signed stuff.

There seems to be a workable solution out there for 2.0: https://github.com/noahbliss/mortar/blob/master/docs/proxmox-install.md

u/Richard__M I am not sure how much you've dug into the architecture of Mortar, but TL;DR it bypasses grub entirely. A friend of mine developed Snawoot/linux-secureboot-kit which leverages grub's GPG capabilities to essentially daisy-chain trust and accomplish the same thing, but ran into frustrations with broken implementations of the feature with some distributions (*ahem* debian). In my opinion, chaining trust also introduces complexity which case lead to security vulnerabilities both from the software being chained, and through "oops" coding trying to get them to play nicely.