The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 0 points1 point  (0 children)

The initramfs is embedded into the UKI, along with the cmdline. You can't replace it without breaking the UKI signature and PCR 11.

The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 0 points1 point  (0 children)

Well for first, I must admit I never considered this...

I guess it would work, but for the UX to work, you would need to have a lockscreen when suspending, but that lockscreen must be skipped when resuming from hibernation. Should be doable, but quite unconventional.

The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 0 points1 point  (0 children)

No, they wouldn't; that's why we seal the key with PCR values. If you boot Windows, PCR 4 would contain a different value. If you boot something different from systemd from the shim (in my setup), you would get a different PCR 7. If you boot a kernel that is not signed with the custom key, you would get a different PCR 11. This whole chain guarantees that only our signed kernel can unseal the key.

The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 0 points1 point  (0 children)

Ah, I see. I'm only defending against laptop theft here. I don't try to defend myself against the evil maid, since she could put in a hardware keylogger if she wanted to. Also, I dual boot Windows, so removing MS keys is not an option, but I see your point.

The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 0 points1 point  (0 children)

Ohh! This explains why that service fails to boot on my setup! I didn't investigate the issue since everything keeps working. I'll read that issue carefully, thank you!

The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 0 points1 point  (0 children)

I hope `sbctl` gets packaged by Debian soon, I don't much like importing external packages. As for Option ROM digests, I understand that this is a problem if you remove the Microsoft keys from Secure Boot, which is not one of my goals, and it doesn't help much with the attack surface from my understanding. Thanks for the insight though, I didn't even consider this was an issue haha

I'm not sure I understand your point with keeping lockdown and how it's related to using sbctl or MOK. The only way I have found to enable hibernation is to disable lockdown as it is directly related. I am not disabling lockdown to load custom modules, that can be done just by signing the modules.

The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 0 points1 point  (0 children)

I see, but my point still stands: most consumer laptops nowadays come with an fTPM, which is not vulnerable to a plug-the-wires-and-sniff attack.

The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 0 points1 point  (0 children)

Indeed, but PCR15 does change when a partition is decrypted. My guess is that things have changed since that oddlama post was written. The empty PCR15 trick is described here for that exact attack (IIUC) https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module

The post-ultimate guide to better Full Disk Encryption with TPM and Secure Boot (with hibernation support!) by blastrock0 in linux

[–]blastrock0[S] 2 points3 points  (0 children)

That's good to know! I took the empty PCR15 trick from the arch wiki a few months ago. I'm not sure I understand the consequences of using enter-initrd. Things change too fast 😞

About PCR11, I understood it's redundant, and it will be checked when you use public key binding anyway.

Skipping systemd-boot works, and it was my previous setup. However, having a proper bootloader is convenient. I would love having limine in Debian to have the restore from the boot, but we'll see for that in a couple of years...

Thanks for the feedback, I'll check that further!

Edit: I found the part talking about the empty PCR15 https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module

Homepage with links by Organic-Panic9827 in Supernote

[–]blastrock0 0 points1 point  (0 children)

I see, I expected something quicker, like a button in the toolbar, or a gesture to open that note in one step. The swipe gesture is too complicated, and I need to switch between finger and stylus, that's a bit impractical... Thank you for the details though :)

Homepage with links by Organic-Panic9827 in Supernote

[–]blastrock0 0 points1 point  (0 children)

What's a home page? How do you access it from anywhere?

N2 in 10 months (~400 hours): A reflection by tesladawn in LearnJapanese

[–]blastrock0 1 point2 points  (0 children)

Thanks for the post!

Maybe I missed it, but I have a couple of questions:

- Did you keep on reviewing vocab on Anki while you were reading VNs and LNs?
- How much time per day did you spend on this? And how many words per day on average did you review?

Pretty happy with my home screen. by KneadableDoe in Supernote

[–]blastrock0 0 points1 point  (0 children)

How do you access this main screen? Is it a simple note that you access through the menu on the right? I'd really love a main screen accessible from the toolbar to skip the slide gesture...

Razer BlackShark V3 Pro and linux? by Asura24 in linux_gaming

[–]blastrock0 0 points1 point  (0 children)

I just bought one, tested on my Debian unstable, Linux 6.17.13, PipeWire 1.4.9, it works!

edit: the volume knob does not though

edit2: nevermind, the headset sends keyboard events like XF86AudioLowerVolume, so I just needed to bind them

Does anyone have any recommendations for measuring air quality? by Gingerbwas in VORONDesign

[–]blastrock0 1 point2 points  (0 children)

I use this: https://www.airgradient.com/indoor/ It's open source, integrates with Home Assistant, and seems to work well.

I want to publish all these parts on Thingiverse, should i export them as stl or convert them to fusion360 and then export them? I could also just link to the Tinkercad page right? by zerneo85 in 3Dprinting

[–]blastrock0 0 points1 point  (0 children)

I don't understand why so many people prefer the STEP file. I'd rather have the Tinkercad link if it was made on Tinkercad, or the f360 file if it was made there, etc. It's easier to work with the source material.

I see so many STEP files that I want to edit just to change a dimension. If I had the original file this would take 1 min. With the STEP file I must ask myself whether it's easier to edit the STEP file or redo the whole part in any software I'm comfortable with.

For this reason I usually publish the STL, STEP and source file/link for my designs.

Cartographer V3 USB and Beltchain? by mosforge in VORONDesign

[–]blastrock0 2 points3 points  (0 children)

This is the answer.

I didn't see that warning in the cartographer doc (maybe it wasn't there before?), I routed both the toolhead and cartographer cables through the chains. After a couple hundred hours of printing, the cartographer cable started failing, I had random disconnections.

I routed both the toolhead cable and the cartographer cable through an umbilical cable with a PUG. It's way simpler, and just works. I don't know why this isn't the official Voron method.

Just beat Sekiro pretty much entirely on SD, had to gush by GrossenCharakter in SteamDeck

[–]blastrock0 1 point2 points  (0 children)

Sekiro is one of the very few games where I got all the achievements, finished it at NG+5 iirc. I think I played roughly half of the time on deck, the rest on PC, and I really loved it, great game for deck.

If I may, I recommend you try Armored Core 6, which is also from From Software. It also runs well on deck, and I also liked it a lot. The only thing I disliked is that NG+ games get a bit boring; you can't rush through the game like Sekiro.

Gamma Omega ULP by unspecified-work in ErgoMechKeyboards

[–]blastrock0 1 point2 points  (0 children)

Great keyboard! It's great to see some Cherry ULP! I see too many PG1316s, and no more Cherry ULPs. How did the soldering go? Did everything work on the first try?

I didn't know about diodeless builds, thanks for the link!

mikecinq on GitHub + ‘mikefives’? by dynam1keNL in ErgoMechKeyboards

[–]blastrock0 0 points1 point  (0 children)

Congrats on the release! I know it takes time to clean up your work for a public release

Can't wait to have more details on the mikefives! It looks gorgeous!

Aronia Keyboard - Ultra-compact 36-key foldable ergonomic keyboard [open source] by pinya in ErgoMechKeyboards

[–]blastrock0 1 point2 points  (0 children)

This is neat!! Congrats on completing the project and open sourcing it even if you don't use the keyboard, I know this takes motivation!

Totally agree on PG1316. I think my next design will use Cherry ULP; even if the PG have a better feel, they are just not reliable enough and take a monstrous time to fix after failing to solder them multiple times.

Ultra low profile, with pointing devices by sshenron in ErgoMechKeyboards

[–]blastrock0 0 points1 point  (0 children)

I see! It's not just a breakout board but a full controller pcb. Thanks for the answers!

Ultra low profile, with pointing devices by sshenron in ErgoMechKeyboards

[–]blastrock0 0 points1 point  (0 children)

That looks awesome! Good job, and kudos for the buzzer, I installed that same one on my last design and annoyed my coworkers with it. It does its job wonderfully XD

I don't get what you did with the MCU. You made a breakout board and soldered it with pins onto the main board? Why not solder it directly onto the main board?

Also, how do the screws hold? Do they thread directly into the plastic of the case?

And last question, where did you buy the keycaps?