LUKS Disk Encryption
@ref: https://pioto.org/blog/2022/03/linux-disk-encryption-in-2022.html
TIP
Clevis predates systemd-cryptenroll (which arrived with systemd 248) and is arguably the simpler of the two to set up; both methods are shown below, and either way keep a passphrase or recovery key enrolled so a TPM policy change cannot lock you out.
Method 1: systemd-cryptenroll
I found a fedora-users mailing list post that gave me the most succinct version of things to get working. Key takeaways:
- Use systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/$DEVICE to enroll an additional token to unlock the LUKS volume. In my case, $DEVICE was /dev/nvme0n1p3, but your mileage may vary. This would be the block device backing your LUKS volume. lsblk should make it clear.
- Edit /etc/crypttab, and change the end of the one line (starting with luks-$UUID) to tpm2-device=auto,discard
- Until Fedora uses Dracut 056 (see #1976462), you need to create a file called /etc/dracut.conf.d/tss2.conf with this in it:
install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
then run sudo dracut -f
Reboot, and enjoy a fancy secure boot experience!
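The steps above can be scripted. The script below is an added example, not code from the fedora-users post or the referenced blog; the function names crypttab_enable_tpm2 and enable_tpm2_unlock are chosen here and the sample crypttab is constructed for the demo. The crypttab rewrite keeps comments, other volumes and existing options, replaces any earlier tpm2-device= entry instead of stacking a second one, and so can be run repeatedly; the wrapper runs the real enrollment, crypttab and dracut steps and is meant for the target machine as root.

```shell
#!/bin/sh
# Added example (not from the referenced post): scripts the steps of Method 1.
# Names (crypttab_enable_tpm2, enable_tpm2_unlock) are chosen here.

# crypttab_enable_tpm2 NAME: read a crypttab on stdin, write it to stdout with the
# options field of the mapping NAME set to "tpm2-device=auto,<existing options>",
# adding "discard" if it was missing. Comments, blank lines and other volumes pass
# through unchanged, and an existing tpm2-device= option is replaced rather than
# duplicated, so the function is safe to run repeatedly.
crypttab_enable_tpm2() {
  awk -v target="$1" '
    /^[ \t]*#/ || NF == 0 { print; next }   # comments and blank lines untouched
    $1 != target          { print; next }   # other volumes untouched
    {
      # crypttab fields: name device keyfile options (keyfile defaults to "none")
      key  = (NF >= 3) ? $3 : "none"
      n    = split((NF >= 4) ? $4 : "", opt, ",")
      rest = ""; discard = 0
      for (i = 1; i <= n; i++) {
        if (opt[i] == "" || opt[i] ~ /^tpm2-device=/) continue
        if (opt[i] == "discard") discard = 1
        rest = rest "," opt[i]
      }
      if (!discard) rest = rest ",discard"
      print $1, $2, key, "tpm2-device=auto" rest
    }'
}

# enable_tpm2_unlock DEVICE NAME: the whole procedure, to be run as root on the real
# system. DEVICE is the LUKS block device (e.g. /dev/nvme0n1p3), NAME the crypttab
# mapping (e.g. luks-<UUID>). Enroll a recovery key before calling this.
enable_tpm2_unlock() {
  dev=$1; name=$2
  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 "$dev" || return 1
  tmp=$(mktemp) || return 1
  crypttab_enable_tpm2 "$name" < /etc/crypttab > "$tmp" && cat "$tmp" > /etc/crypttab
  rm -f "$tmp"
  # Dracut < 056 workaround from the post above: ship the TSS2 and libfido2 libraries
  printf '%s\n' 'install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "' \
    > /etc/dracut.conf.d/tss2.conf
  dracut -f
}

# Demo on a constructed crypttab (sample data, not a real system file):
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
luks-1111-2222 UUID=1111-2222 none discard
luks-3333-4444 UUID=3333-4444 none
swap /dev/sda2 /dev/urandom swap'
printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_enable_tpm2 luks-1111-2222
```

Run the demo as-is to see the rewritten crypttab; on a real system, back up /etc/crypttab and verify the result with lsblk and a reboot with the recovery key at hand.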
Examples
Check TPM device
systemd-cryptenroll --tpm2-device=list
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda5
or
systemd-cryptenroll --tpm2-device=/dev/tpm0 --tpm2-pcrs=0+7 /dev/sda5
Add recovery key (do this before relying on the TPM alone: when a bound PCR changes, e.g. PCR 0 after a firmware update, the TPM slot stops unlocking and you need a passphrase or this recovery key)
systemd-cryptenroll --recovery-key /dev/sda5
Remove specific key from keyslot
systemd-cryptenroll /dev/sdX --wipe-slot=slot_number
Remove all TPM-associated keys from LUKS volume
systemd-cryptenroll /dev/sdX --wipe-slot=tpm2
Method 2: Clevis
apt install clevis clevis-luks clevis-tpm2 clevis-initramfs
On Debian/Ubuntu the LUKS subcommands (clevis luks ...), the tpm2 pin and the initramfs hook that unlocks the root volume at boot are separate packages, so install all of them; on Fedora the initramfs part is clevis-dracut.
Encrypt data using TPM
$ clevis encrypt tpm2 '{}' <<< 'hello, world'
eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlJQkxxT3FVenVDU1FmWkprNmdDN2wzMW43V3M2Y2FZd0VZS1BSR3Q0OHJEQUJBV2Z4M3pTUUNUTmtHZE9BM2FZd2RTZk9GcXZWdnVlQ3lPamFsWldCT2R4RlJKSzl5ZVRCM0pkNFktcF9HalhhNmlnLWxxNmtmMHZTWWkzOWMxVEpES1RYRVZTdnlXSlpEbGdxQ0JPMVNxeGJBd2tfSnIyRlRNY3hvNGtpSmNtMEVjbWd5dFdyME00QmcySlg4aVo3MEt1MTVjNzFORU5Ra3RjdGMtREhBVGFQcHJ2VzI2Z3d1YmUxckRfX19aV2tHaG9mX053M0M1OHlOcXF2RUpPZUwzNTZHNXJHNVVtYmUtWWV4Ujl2SEppZWlua3ZaNTJoMFVRYWVNSm9LYjJuNjlVTGZHb2J1NElTN20iLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJQ2poWDBVeTJKZVpSNU9pRU0ySktSeEtnUElYQ3dGNnRNR09NTDZ0ZnE5aiIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..1P2Emag_4k-GlhyY.MuQQYPa8QHrysZ74uA.0ddDxfZA3R-cCmaKu5yUZA
This long base64url-encoded message is a JWE. clevis generated a random key, sealed it to this machine's TPM, stored the sealed blobs (the jwk_priv and jwk_pub fields in the JWE header) and encrypted our text with that key. Only the same TPM can unseal it, so decrypting on another computer (or rather with another TPM chip) fails with an error. Note that the empty config '{}' attaches no PCR policy: the secret is bound to the chip, not to any boot state, so any process that can talk to this TPM can decrypt it.
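To see what a clevis tpm2 ciphertext is actually bound to, decode the JWE protected header: clevis records the pin there and, when pcr_ids was configured, the pcr_bank and pcr_ids as well, so a header without pcr_ids means the key is sealed to this TPM only. The script below is an added example, not part of the page or of clevis; it decodes the JWE printed above (copied verbatim) and a second header constructed by hand with pcr_ids set, which is not real clevis output and is not decryptable. The function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the page or from clevis): inspect what a clevis tpm2 JWE is
# bound to by decoding its protected header. Function names are chosen here.

# clevis_jwe_header JWE: print the decoded protected header (first dot-separated
# segment, base64url without padding) of a compact JWE.
clevis_jwe_header() {
  seg=${1%%.*}
  seg=$(printf '%s' "$seg" | tr '_-' '/+')      # base64url -> base64
  case $(( ${#seg} % 4 )) in                     # restore the padding the JWE strips
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

clevis_jwe_pin() {
  clevis_jwe_header "$1" | sed -n 's/.*"pin":"\([^"]*\)".*/\1/p'
}

# Prints the PCR list the sealed key is bound to, or "none" when the header carries
# no pcr_ids, meaning any caller with access to this TPM can unseal it in any boot state.
clevis_jwe_pcrs() {
  p=$(clevis_jwe_header "$1" | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p')
  printf '%s\n' "${p:-none}"
}

# The ciphertext printed on this page (output of clevis encrypt tpm2 '{}'):
PAGE_JWE='eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlJQkxxT3FVenVDU1FmWkprNmdDN2wzMW43V3M2Y2FZd0VZS1BSR3Q0OHJEQUJBV2Z4M3pTUUNUTmtHZE9BM2FZd2RTZk9GcXZWdnVlQ3lPamFsWldCT2R4RlJKSzl5ZVRCM0pkNFktcF9HalhhNmlnLWxxNmtmMHZTWWkzOWMxVEpES1RYRVZTdnlXSlpEbGdxQ0JPMVNxeGJBd2tfSnIyRlRNY3hvNGtpSmNtMEVjbWd5dFdyME00QmcySlg4aVo3MEt1MTVjNzFORU5Ra3RjdGMtREhBVGFQcHJ2VzI2Z3d1YmUxckRfX19aV2tHaG9mX053M0M1OHlOcXF2RUpPZUwzNTZHNXJHNVVtYmUtWWV4Ujl2SEppZWlua3ZaNTJoMFVRYWVNSm9LYjJuNjlVTGZHb2J1NElTN20iLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJQ2poWDBVeTJKZVpSNU9pRU0ySktSeEtnUElYQ3dGNnRNR09NTDZ0ZnE5aiIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..1P2Emag_4k-GlhyY.MuQQYPa8QHrysZ74uA.0ddDxfZA3R-cCmaKu5yUZA'

# A header with a PCR policy, constructed by hand for the demo (the clevis.tpm2 fields
# are the ones clevis writes when pcr_ids is configured; iv/ciphertext/tag are
# placeholders, so this JWE is not decryptable):
b64url() { base64 | tr -d '\n=' | sed 's/+/-/g; s#/#_#g'; }
CONSTRUCTED_PCR_JWE="$(printf '%s' '{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha256","pcr_bank":"sha256","pcr_ids":"1,7"}},"enc":"A256GCM"}' | b64url)..iv.ct.tag"

echo "page JWE:      pin=$(clevis_jwe_pin "$PAGE_JWE") pcrs=$(clevis_jwe_pcrs "$PAGE_JWE")"
echo "pcr-bound JWE: pin=$(clevis_jwe_pin "$CONSTRUCTED_PCR_JWE") pcrs=$(clevis_jwe_pcrs "$CONSTRUCTED_PCR_JWE")"
```

The same decoding works on the JWE that clevis luks bind stores in the LUKS2 token, which is how you audit whether a disk binding is tied to boot measurements or only to the chip.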
Bind to LUKS partition
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{}'
Optionally bind to specific TPM PCRs, here PCR 1 (firmware configuration) and PCR 7 (Secure Boot state); the sealed key then unseals only while those PCRs hold the values they had at bind time, so after a firmware or boot-configuration change the binding must be regenerated (clevis luks regen below) or the volume unlocked with a passphrase
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"pcr_ids":"1,7"}'
Check
# cryptsetup luksDump /dev/nvme0n1p2
...
Tokens:
0: clevis
Keyslot: 1
...
The dump shows that one clevis token appeared. LUKS2 tokens hold metadata about a key that lives somewhere else: clevis generates a random passphrase, adds it to a new keyslot (here keyslot 1), encrypts it with the tpm2 pin and stores the resulting JWE in the token, so the Keyslot line tells you which slot the TPM unlocks. clevis luks list -d /dev/nvme0n1p2 prints the bindings together with their pin configuration.
Regenerate key (after a firmware or boot-configuration change has moved the bound PCRs)
clevis luks regen -d /dev/sdX -s keyslot
Remove clevis binding (check first that a passphrase keyslot remains, otherwise the volume can no longer be opened)
clevis luks unbind -d /dev/sdX -s keyslot
Unlock TPM-bound volume
clevis luks unlock -d /dev/sdX
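Before running clevis luks unbind or systemd-cryptenroll --wipe-slot=tpm2, make sure a keyslot you can unlock by hand remains. The check below is an added example, not code from the page, clevis or systemd; it parses cryptsetup luksDump output and counts a keyslot as manual when no token references it (a plain passphrase) or when it is referenced only by a systemd-recovery token, which is what systemd-cryptenroll --recovery-key creates. Slots reachable only through clevis, systemd-tpm2, systemd-fido2 or systemd-pkcs11 tokens need hardware and do not count. The function names and both dump excerpts are constructed here.

```shell
#!/bin/sh
# Added example (not from the page, clevis or systemd): pre-flight check before
# removing TPM bindings. Function names and the sample dumps are constructed here.

# luks_manual_keyslots: read `cryptsetup luksDump` output on stdin and print the
# keyslot numbers that can be unlocked without hardware, i.e. slots no token points
# at (plain passphrases) and slots referenced only by a systemd-recovery token.
luks_manual_keyslots() {
  awk '
    /^Keyslots:/ { sec = "k"; next }
    /^Tokens:/   { sec = "t"; next }
    /^Digests:/  { sec = "d"; next }
    sec == "k" && /^  [0-9]+: /     { s = $1; sub(/:/, "", s); slots[s] = 1; next }
    sec == "t" && /^  [0-9]+: /     { tok = $2; next }
    sec == "t" && /^[ \t]+Keyslot:/ { if (tok != "systemd-recovery") hw[$2] = 1; next }
    END { for (s in slots) if (!(s in hw)) print s }
  ' | sort -n
}

# tpm_unbind_preflight DEVICE: succeed only if DEVICE keeps a manual keyslot, so that
# `clevis luks unbind` / `systemd-cryptenroll --wipe-slot=tpm2` cannot lock you out.
tpm_unbind_preflight() {
  if [ -z "$(cryptsetup luksDump "$1" | luks_manual_keyslots)" ]; then
    echo "refusing: $1 has no passphrase or recovery keyslot, add one first" >&2
    return 1
  fi
}

# Constructed luksDump excerpts (sample data, not captured from a real device):
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
  1: systemd-recovery
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256'

SAMPLE_DUMP_TPM_ONLY='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        Keyslot:    0
Digests:
  0: pbkdf2
        Hash:       sha256'

echo "manual keyslots in SAMPLE_DUMP:"
printf '%s\n' "$SAMPLE_DUMP" | luks_manual_keyslots
```

On the first sample the check reports slots 0 and 2 (passphrase and recovery key), so wiping the clevis slot is safe; the second sample has only a TPM-backed slot and tpm_unbind_preflight refuses. Run the preflight against the real device (as root) right before the unbind or wipe.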