On Thu, Dec 01, 2016 at 07:27:52AM -0800,
mariog...@gmail.com wrote:
> In my opinion this feature would be a good idea to be implemented.
> [...]
>
https://github.com/dracutdevs/dracut/pull/80
I have something similar working with my Heads bootloader -- it unseals
and decrypts the keys with either the TPM or a GPG card and inserts
them into the initrd for the Qubes dom0, but I am hesitant about the
smartcard support since this expands the attack surface of the early
runtime environment to have USB device drivers loaded.
Something that I would really like to figure out how to make work is to
have the S3 resume script retrieve keys from the TPM or GPG card so that
the kernel can dump the disk keys before going to sleep.
--
Trammell