LUKS Disk Encryption â
@ref: https://pioto.org/blog/2022/03/linux-disk-encryption-in-2022.html
TIP
Clevis is simpler and newer than systemd-cryptenroll.
Method 1: systemd-cryptenroll â
I found a fedora-users mailing list post that gave me the most succinct version of things to get working. Key takeaways:
- Use systemd-cryptenroll --tpm2-device=auto -tpm2-pcrs=0+7 /dev/$DEVICE to enroll an additional token to unlock the LUKS volume. In my case, $DEVICE was /dev/nvme0n1p3, but your mileage may vary. This would be the block device backing your LUKS volume. lsblk should make it clear.
- Edit /etc/crypttab, and change the end of the one line (starting with luks-$UUID) to tpm2-device=auto,discard
- Until Fedora uses Dracut 056 (see #1976462), you need to create a file called
/etc/dracut.conf.d/tss2.conf, with this in it:
install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "then run sudo dracut -f
Reboot, and enjoy a fancy secure boot experience!
Examples Check tpm device
systemd-cryptenroll --tpm2-device=listsystemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda5or
systemd-cryptenroll --tpm2-device=/dev/tpm0 --tpm2-pcrs=0+7 /dev/sda5Add recovery key
systemd-cryptenroll --recovery-key /dev/sda5Remove specific key from keyslot
systemd-cryptenroll /dev/sdX --wipe-slot=slot_numberRemove all TPM-associated keys from LUKS volume
systemd-cryptenroll /dev/sdX --wipe-slot=tpm2Method 2: Clevis â
apt install clevisEncrypt data using TPM
$ clevis encrypt tpm2 '{}' <<< 'hello, world'
eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlJQkxxT3FVenVDU1FmWkprNmdDN2wzMW43V3M2Y2FZd0VZS1BSR3Q0OHJEQUJBV2Z4M3pTUUNUTmtHZE9BM2FZd2RTZk9GcXZWdnVlQ3lPamFsWldCT2R4RlJKSzl5ZVRCM0pkNFktcF9HalhhNmlnLWxxNmtmMHZTWWkzOWMxVEpES1RYRVZTdnlXSlpEbGdxQ0JPMVNxeGJBd2tfSnIyRlRNY3hvNGtpSmNtMEVjbWd5dFdyME00QmcySlg4aVo3MEt1MTVjNzFORU5Ra3RjdGMtREhBVGFQcHJ2VzI2Z3d1YmUxckRfX19aV2tHaG9mX053M0M1OHlOcXF2RUpPZUwzNTZHNXJHNVVtYmUtWWV4Ujl2SEppZWlua3ZaNTJoMFVRYWVNSm9LYjJuNjlVTGZHb2J1NElTN20iLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJQ2poWDBVeTJKZVpSNU9pRU0ySktSeEtnUElYQ3dGNnRNR09NTDZ0ZnE5aiIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..1P2Emag_4k-GlhyY.MuQQYPa8QHrysZ74uA.0ddDxfZA3R-cCmaKu5yUZAThis long base64-encoded message is our text encrypted with an internal TPM key. It can be decrypted at the current computer only. Trying to decrypt it from another computer (or rather with another TPM chip) will return an error.
Bind to LUKS partition
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{}'Optionally to bind to specific TPM PCR
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"pcr_ids":"1,7"}'Check
# cryptsetup luksDump /dev/nvme0n1p2
...
Tokens:
0: clevis
Keyslot: 1
...Regenerate key
clevis luks regen -d /dev/sdX -s keyslotRemove clevis binding
clevis luks unbind -d /dev/sdX -s keyslotUnlock TPM-bound volume
clevis luks unlock -d /dev/sdXIt shows that one clevis token appeared. LUKS uses these tokens to store metadata about passwords stored somewhere else (e.g. at TPM chip).