Do you wish to add disk encryption to the tpm?

Hey there!

I bought a new nv41 with heads 2.4.1 using nitrokey 3a mini for measured boot.
For reasons I did a factory reset as described in the documentation:


Everything works as described BUT after hitting enter for default boot i am asked by heads:

Do you wish to add disk encryption to the tpm

Do I?

This is not mentioned in the official decomentation for the start process:


In fact i haven’t found any information about what this actually means. (like in the heads documentation).

I would like to know what to do to set the nitrokey/heads to just check for integrity and switch to the disk encryption window. As discribed in the official documentation:

Could it be that the documentation is outdated?

Also the same documentation is describing how to change the pins of the key using the nitrokey App. But only for nitrokey storage?! What if i have a nitrokey mini?

"The user PIN is at least 6-digits long and is used to get access to the content of the Nitrokey. This is the PIN you will use a lot in every day use e.g. for decrypting messages, for unlocking your encrypted storage (NK Storage only) etc.

You can change the user PIN with the Nitrokey App if using a Nitrokey Pro or Nitrokey Storage. In the Nitrokey App open ‘Menu → Configure → Change User PIN’ to open the dialog to change the PIN."

Happy to get advice!

Also, got a 422 Error for posting doc-links :slight_smile: :upside_down_face:

IIRC adding disk encryption to the TPM means storing your disk encryption password as a secret, so once you pass the HEADS integrity checks the disk is automatically unlocked using the password from the TPM and boot can kick off.

If you were running without heads this would be a decrease in security - it would protect against someone swiping your storage but not against someone swiping your laptop (coz they’d have the TPM as well in that case). It’s more reasonable w/ HEADS and a Nitrokey coz you need the integrity check and the key/PIN, so the disk password is largely superfluous (as long as you keep the key and PIN safe).

So you can decide the trade-off based on that:

  • don’t add the encryption passphrase to the TPM and type it yourself for mild annoyance and protection in the event of your key and pin being compromised,
  • or do add it, which means you skip the manual decryption but now have to ensure the safety of your key and PIN.

(Having just the key wouldn’t help an attacker as PIN attempts are rate-limited. Just don’t use 0000-0000. I don’t have a mini to hand to help with the latter question, sorry.)

Amazing! This is very helpful! Many thanks!