Full Disk Encryption
Make sure that TPM2 (Trusted Platform Module, Trusted Computing, Security Device, ...) is enabled in UEFI. Also check if it's detected by the OS:
$ dmesg | grep -i tpm
[ 1.438823] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
Verify that it is a TPM 2.0 device; TPM 1.2 or older will not work.
Boot into Linux, and find the encrypted disk's device name:
lsblk --fs | grep crypto_LUKS
Then bind LUKS to the TPM2 module. PCR 7 reflects the Secure Boot state, so the TPM only releases the key while that state is unchanged. Example (change the device name accordingly):
sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_ids":"7"}'
If you receive the following warning, just accept it with y:
You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.
Do you wish to initialize /dev/nvme0n1p3? [yn] y
Then apply the changes to the initrd:
sudo update-initramfs -c -k all
If something goes wrong with the bind, e.g. automatic unlock doesn't happen during boot, find out which LUKS slots are occupied:
sudo cryptsetup luksDump /dev/nvme0n1p3
Slot 0 holds the passphrase set during installation, so slot 1 is usually the one Clevis added. Perform the unbind with (change the slot ID accordingly):
sudo clevis luks unbind -d /dev/nvme0n1p3 -s 1
sudo cryptsetup luksKillSlot /dev/nvme0n1p3 1
If the computer has wired connectivity, set up a Tang server and use that for network unlock:
sudo clevis luks bind -d /dev/nvme0n1p3 tang '{"url": "http://tang.foobar.com"}'
sudo update-initramfs -c -k all
If wired networking is not an option, you need to add a passphrase to the device manually, e.g.:
sudo cryptsetup luksAddKey /dev/nvme0n1p3
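As an added example (not part of this page or of Clevis), a small bash script that checks the TPM version from dmesg output and parses `cryptsetup luksDump` output to tell the Clevis-owned keyslot from the passphrase slot, refusing to report the unbind as safe when no other slot would remain. The dmesg line and header dump it works on are constructed samples.

```bash
#!/usr/bin/env bash
# Added example: confirm the TPM is 2.0 and find which LUKS keyslot Clevis owns
# before running `clevis luks unbind -s` / `cryptsetup luksKillSlot`. All sample
# text is constructed; on a real machine feed in `dmesg | grep -i tpm` and
# `sudo cryptsetup luksDump /dev/nvme0n1p3` instead.
SAMPLE_DMESG='[    1.438823] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)'
# Constructed LUKS2 dump: passphrase in slot 0, a Clevis token pointing at slot 1.
SAMPLE_DUMP='LUKS header information
Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
    Key:        512 bits
Tokens:
  0: clevis
    Keyslot:    1
Digests:
  0: pbkdf2'

# Exit 0 if stdin (dmesg output) reports a 2.0 TPM; a 1.2 device does not match.
has_tpm2() { grep -q ' 2\.0 TPM' ; }

# Print every keyslot number in use: the "  N: luks2" lines under "Keyslots:".
occupied_keyslots() {
  awk '/^Keyslots:/ { s = 1; next }
       /^[A-Za-z]/  { s = 0 }
       s && /^  [0-9]+: / { sub(":", "", $1); print $1 }'
}

# Print the keyslot number each Clevis token under "Tokens:" points at.
clevis_keyslots() {
  awk '/^Tokens:/ { s = 1; next }
       /^[A-Za-z]/ { s = 0; c = 0 }
       s && /^  [0-9]+: clevis$/ { c = 1; next }
       s && c && /Keyslot:/ { print $2; c = 0 }'
}

# Exit 0 only if some occupied slot is NOT Clevis-owned (a passphrase slot survives
# the unbind); exit 1 if killing the Clevis slot would leave the disk unopenable.
safe_to_unbind() {
  dump=$(cat)
  clv=" $(printf '%s\n' "$dump" | clevis_keyslots | tr '\n' ' ')"
  for s in $(printf '%s\n' "$dump" | occupied_keyslots); do
    case "$clv" in *" $s "*) ;; *) return 0 ;; esac
  done
  return 1
}

printf '%s\n' "$SAMPLE_DMESG" | has_tpm2 && echo "TPM 2.0 detected"
echo "Clevis keyslot(s): $(printf '%s\n' "$SAMPLE_DUMP" | clevis_keyslots)"
```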