Security
Rex Ackermann edited this page Dec 7, 2025 · 1 revision
Linux Hello supports TPM 2.0 for securing the encryption key used to protect your biometric data.
- Detection: On startup, the system checks for `/dev/tpm0` and `tpm2-tools`.
- Storage: If available, the master encryption key (Fernet 256-bit) is stored in the TPM NV RAM (Index `0x1500000`).
- Fallback: If TPM is not available, the key is stored in `~/.local/share/face-auth/.encryption_key` with strict `0600` permissions.
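An audit check for the detection and fallback steps above, added here as an example and not Linux Hello's own code. It assumes `tpm2_nvread` as the marker for tpm2-tools being installed, and it flags a fallback key file that is missing, a symlink, not mode 0600, not owned by the current user, or kept in a group/world-writable directory.

```python
import os
import shutil
import stat
from pathlib import Path

# Paths taken from the page; the tool name below is an assumption.
TPM_DEVICE = Path("/dev/tpm0")
FALLBACK_KEY = Path.home() / ".local/share/face-auth/.encryption_key"


def tpm_available(device=TPM_DEVICE, tool="tpm2_nvread"):
    """Device node present and a tpm2-tools binary on PATH."""
    return Path(device).exists() and shutil.which(tool) is not None


def audit_key_file(path=FALLBACK_KEY):
    """Return a list of findings for the fallback key file (empty list = OK)."""
    path = Path(path)
    try:
        st = os.lstat(path)  # lstat so a symlink is inspected, not followed
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append(f"mode {mode:04o}, expected 0600")
    if st.st_uid != os.getuid():
        findings.append("owner differs from current user")
    # A writable parent lets another account replace the key file outright.
    if os.stat(path.parent).st_mode & 0o022:
        findings.append("parent directory is group/world-writable")
    return findings


if __name__ == "__main__":
    if tpm_available():
        print("TPM and tpm2-tools detected: key is expected in TPM NV RAM")
    else:
        print("No TPM detected: auditing fallback key file")
        for finding in audit_key_file() or ["ok"]:
            print(" -", finding)
```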
Install the required tools:
- Fedora: `sudo dnf install tpm2-tools`
- Ubuntu/Debian: `sudo apt install tpm2-tools`
- Arch: `sudo pacman -S tpm2-tools`
No configuration is needed; Linux Hello will auto-detect and migrate if possible (migration logic depends on current implementation version).
- Face Data: 128-dimensional face embeddings are stored in `sqlite`.
- Encryption: The embedding vector blobs are encrypted using Fernet (AES-128-CBC + HMAC-SHA256).
- Privacy: No raw images of your face are stored.
Face recognition is convenient but not perfect.
- Spoofing: Standard 2D cameras can be fooled by high-quality photos or screens.
- Liveness: Experimental liveness detection is available (`require_liveness: true` in config), which helps mitigate this, but it may impact convenience.
- Fallback: Always ensure you have a strong password.
Recommendation: Use the balanced or secure security modes in config.yaml.