Ubuntu to add TPM-backed full-disk encryption

Posted Sep 8, 2023 1:04 UTC (Fri) by geofft (subscriber, #59789)
In reply to: Ubuntu to add TPM-backed full-disk encryption by smoogen
Parent article: Ubuntu to add TPM-backed full-disk encryption

So, I'm comparing that with the team of folks at my last job (a team I was also on) who put Debian packages together when people needed stuff that wasn't packaged or wasn't at the right version. We also prevented most people from having root there, and this also served to ensure that people weren't creating irreproducible machines - but the cost was that people basically couldn't try out any software at all without our involvement.

What I'm advocating for is a system where the team that officially maintains your computers, no matter how big or small that team is, doesn't feel like they have to choose between blocking short-term productivity or creating long-term risk. There usually will be a few people who know enough to install software and cobble things together even if that isn't their job on paper (and they therefore don't have root). Give them the ability to cobble things together, but also ensure their cobbling is recorded somewhere, and isn't just some hackery in their home directory. And if that team is one person, or even zero, there's still a way forward.

And I'm also posting this not to boast about our in-house system but to lament that we had to build one (and did not open source it). I think it might be relatively close to possible to get there with Nix these days, though it's both a fairly steep learning curve as well as an involved conversion from basically any existing system. I think there could be really good FOSS tools for this. I think these tools could be good enough that the average home user - who by definition has a corporate sysadmin staff of zero - can get their setup for installing the right graphics drivers and workarounds recorded in exactly the same way.

I think we (the FOSS community) actually sort of lost our lead: up until maybe the early '00s, Windows and Mac users basically did not have privilege separation at all, and were running everything as effectively root. Installing stuff was just copying files, uninstalling was hoping for the best, and "DLL hell" was a Windows problem. The Linux distros and the BSDs were the ones who said, even if this is your personal computer, run as a non-admin user and use well-defined packaging systems. Now, as another commenter alluded to, Windows and Mac OS have moved towards a model where the OS is read-only, applications are in their own private directories (and often sandboxed), and it is absolutely possible to restore the state of a Windows or Mac machine just by restoring user-level files and config. We haven't kept up, and I would bet there is much more "DLL hell" in practice on Linux machines than Windows ones today.

A few projects like NixOS and Spack are going in the right direction for specific use cases, but they're not commonplace. The Ubuntus and Fedoras of the world should do this too - and in a way that empowers users to try stuff out as opposed to just locking them out of the system and indeed makes them more confident about trying things that might not work.

Ubuntu to add TPM-backed full-disk encryption

Posted Sep 8, 2023 11:57 UTC (Fri) by smoogen (subscriber, #97) [Link]

I can say that Windows restores only work if the user and the applications install things in a way which can be 'restored' easily. I ran into this with my son's laptop recently where half of the apps were 'partially' restored. Parts of them were in user directories which onedrive caught and the other half were in places not normally backed up. Removing and reinstalling was not easily possible because the parts which did that were the bits not backed up. The registry keys were there so I couldn't easily reinstall as it kept complaining there was an existing thing there.

I expect that if I were a full time Windows admin I would have been able to get around this but I am not so it ended up being a reinstall from scratch . Having this happen now with 3 times this year, I really should learn

I have been impressed with the Mac on this because it does seem that time machine and other things will allow for most things to be restorable and comparable. It is what I consider the killer app for self-administration as it has solved a lot of little issues. Its not perfect, but it is a lot better than anything I have dealt with recently on Linux or Windows.

Also I didn't take your comments as bragging. I took them as 'this is possible' which can be helpful for us sysadmins who tend to get in a rut and also think nothing can be better than the pig sty we live in :)