
A report from the 2022 Image-Based Linux Summit


Posted Nov 4, 2022 9:52 UTC (Fri) by bluca (subscriber, #118303)
In reply to: A report from the 2022 Image-Based Linux Summit by NHO
Parent article: A report from the 2022 Image-Based Linux Summit

systemd-cryptsetup/cryptenroll support recovery keys (even as a QR code! It's really cool, you should try it out) that can be used as additional slots in LUKS, so offline recovery is possible and as easy as it can be made.

There is no such "legal problem"; this scare story has been around for 20 years since UEFI first arrived, and guess what, it never happened, because it does not make any sense. The UEFI spec mandates that the machine owner, with verified physical presence at the keyboard, can swap the keys.



A report from the 2022 Image-Based Linux Summit

Posted Nov 4, 2022 11:34 UTC (Fri) by aragilar (subscriber, #122569)

I may have misunderstood something, but is not https://mjg59.dreamwidth.org/59931.html an example?

A report from the 2022 Image-Based Linux Summit

Posted Nov 4, 2022 11:42 UTC (Fri) by bluca (subscriber, #118303)

No, there's an option in that BIOS to turn the 3rd party UEFI cert back on, and the usual option to wipe the lists of certs and enroll your own.
Of course the user experience given by the default settings sucks, and it is being worked on. But it has nothing to do with this.

