Difference between revisions of "Linux: Full Disk Encryption"
From fit-PC wiki
Latest revision as of 10:12, 20 May 2020
Overview
The idea is to encrypt the partition holding the root filesystem with LUKS and store the keys in the TPM.
During boot the user does not have to enter a decryption passphrase; the partition is decrypted automatically using the keys from the TPM.
It's an open-source alternative to Windows BitLocker.
- LUKS (Linux Unified Key Setup) - a full volume encryption feature, the standard for Linux hard disk encryption
- TPM (Trusted Platform Module) - a dedicated microcontroller designed to secure hardware through integrated cryptographic keys
List of tested devices
The guide was tested on a system with the specs listed below, but should be easily adaptable.
Device: fitlet2
OS: Debian GNU/Linux buster
ISO: debian-buster-DI-rc2-amd64-netinst.iso
Kernel: 4.19.0-5-amd64
BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00
TPM: Firmware based TPM 2.0 implementation (fTPM)
Clevis: 11-2

Device: fitlet2
OS: Debian GNU/Linux bullseye
ISO: debian-bullseye-DI-rc2-amd64-netinst.iso
Kernel: 5.6.0-1-amd64
BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00
TPM: Firmware based TPM 2.0 implementation (fTPM)
Clevis: 13-1
Installation
- Follow the standard installation procedure - choose timezone, hostname, username, password etc.
- In the "Partition disks" dialog you can choose an automatic or a manual partitioning scheme
  - Automatic - select "Guided - use entire disk and set up encrypted LVM"
    - The partition scheme will be defined automatically
    - You will be asked to enter a passphrase for encryption
  - Manual (advanced), for example:
    - #1, size 200.0 MB, use as "EFI System Partition"
    - #2, size 300.0 MB, use as "EXT4 journaling file system", mount point /boot
    - #3, size 3.0 GB, use as "physical volume for encryption"
    - Go to "Configuring encrypted volumes" and select partition #3 as the device to be encrypted
    - You will be asked to enter a passphrase for encryption
    - In "Partition disks", find the newly created encrypted volume #1 and use it as "EXT4 journaling file system", mount point /
- Continue with package manager, software selection etc.
- Disconnect the installation media and reboot
- You will be asked for the passphrase of the encrypted disk; enter it manually and the boot process will continue
- Login using previously selected username and password.
- NOTE: The PATH definition in /etc/profile should be fixed as shown below, so that the sbin directories are included:
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
export PATH
...
Automated Decryption
- Clevis is a framework for automated decryption of data or automated unlocking of LUKS volumes.
$ su
Password:
$ apt install clevis-tpm2 clevis-luks clevis-dracut
- NOTE: the current version of clevis-dracut (11-2) requires a patch to work correctly in Debian:
--- /usr/lib/dracut/modules.d/60clevis/module-setup.sh.orig 2019-03-01 12:37:24.000000000 +0200 +++ /usr/lib/dracut/modules.d/60clevis/module-setup.sh 2019-07-01 13:47:48.341990143 +0300 @@ -36,9 +36,7 @@ inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" inst_multiple /etc/services \ - clevis-decrypt-http \ - clevis-decrypt-tang \ - clevis-decrypt-sss \ + cryptsetup \ /usr/lib/x86_64-linux-gnu/clevis-luks-askpass \ clevis-decrypt \ luksmeta \ @@ -46,11 +44,16 @@ mktemp \ curl \ jose \ - socat + socat \ + /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0 \ + /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0.0.0 \ + /usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0 \ + /usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0.0.0 for cmd in clevis-decrypt-tpm2 \ tpm2_createprimary \ tpm2_unseal \ + tpm2_pcrlist \ tpm2_load; do if ! find_binary "$cmd" &>/dev/null; then @@ -62,6 +65,7 @@ inst_multiple clevis-decrypt-tpm2 \ tpm2_createprimary \ tpm2_unseal \ + tpm2_pcrlist \ tpm2_load fi
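Review bot: in the first hunk (@@ -36,9 +36,7 @@), removing clevis-decrypt-http, clevis-decrypt-tang and clevis-decrypt-sss from inst_multiple means a volume bound with the tang or sss pin can no longer be unlocked from this initramfs; that is acceptable for the TPM2-only setup this page describes, but nothing in the patch records it. Suggest a comment above the inst_multiple line stating that only the tpm2 pin is supported after this patch, or keeping those three entries alongside the added cryptsetup so other pins keep working.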
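Review bot: in the second hunk (@@ -46,11 +44,16 @@) the four libtss2-tcti-*.so entries are hard-coded to /usr/lib/x86_64-linux-gnu, so the module breaks on any other Debian multiarch triplet, and the two libtss2-tcti-mssim lines pull in the TPM-simulator transport, which an initramfs for a physical or firmware TPM does not use. Suggest installing only the device TCTI through a library-directory lookup (dracut's inst_libdir_file helper searches the configured lib directories) instead of the literal paths, and dropping the mssim lines.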
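Review bot: in the third hunk (@@ -62,6 +65,7 @@) tpm2_pcrlist is added to inst_multiple, and the second hunk adds the same name to the for loop that runs find_binary on each command, so the module refuses to build when a binary of that exact name is absent. The tpm2-tools command names are version-specific (this page tests both buster with Clevis 11-2 and bullseye with Clevis 13-1), so confirm that tpm2_pcrlist exists on the target release before regenerating the initramfs, and document which tpm2-tools version the patch targets.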
- Download and apply the patch:
$ wget https://fit-iot.com/files/download/fitlet2/sw/tools/Linux-ftpm2.0/module-setup.sh.diff
$ patch -p1 /usr/lib/dracut/modules.d/60clevis/module-setup.sh module-setup.sh.diff
- Regenerate the initramfs image with the clevis modules so the root filesystem can be decrypted during early boot. You need to do this once:
$ dracut -f /boot/initrd.img-$(uname -r)
- Test the TPM encryption module: the following example encrypts the words “Hello World!” and writes them to test.txt. Give it a try!
$ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
$ cat test.txt
eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI
...
$ cat test.txt | clevis decrypt tpm2
Hello World!
- Bind a key generated by the TPM to the LUKS volume. The key is sealed against a specific Platform Configuration Register (PCR), PCR7.
# Review information about the cryptographic setup of the encrypted partition:
$ cryptsetup luksDump /dev/sda3

$ clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'
Enter existing LUKS password: ******

# Review the cryptographic setup again and check that the new key has been written to the LUKS volume:
$ cryptsetup luksDump /dev/sda3
- Restart your machine; the encrypted disk will be decrypted automatically and you will reach the login prompt
$ reboot
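To verify what a Clevis token is actually bound to, here is an added Python example (not code from the wiki page or from the Clevis project) that decodes the protected header of the JWE written by clevis encrypt tpm2 and reports the pin and PCR policy, distinguishing the '{}' test token above (no PCR policy) from a '{"pcr_ids":"7"}' binding. The sample tokens are constructed, and the header layout assumes the Clevis tpm2 pin format visible in the output above.

```python
"""Inspect a Clevis tpm2 JWE and report which TPM policy it is bound to.
Added example, not from the wiki page or Clevis; sample tokens are constructed."""
import base64
import json


def _b64url_decode(part: str) -> bytes:
    # JWE parts are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def inspect_clevis_jwe(token: str) -> dict:
    """Parse a compact JWE and return the Clevis pin configuration from its header.

    bound_to_pcr7 is True only when the tpm2 pin seals the key against PCR 7, as
    `clevis luks bind ... tpm2 '{"pcr_ids":"7"}'` does.  A token made with the '{}'
    config has no PCR policy, so the TPM unseals it regardless of the boot state."""
    protected = json.loads(_b64url_decode(token.split(".")[0]))
    clevis = protected.get("clevis", {})
    pin = clevis.get("pin")
    cfg = clevis.get(pin, {}) if pin else {}
    # pcr_ids is a comma-separated string such as "0,7"; absent when no policy was set.
    pcr_ids = [p.strip() for p in str(cfg.get("pcr_ids", "")).split(",") if p.strip()]
    return {
        "pin": pin,
        "hash": cfg.get("hash"),
        "pcr_bank": cfg.get("pcr_bank"),
        "pcr_ids": pcr_ids,
        "bound_to_pcr7": pin == "tpm2" and "7" in pcr_ids,
    }


def make_sample_jwe(tpm2_cfg: dict) -> str:
    # Constructed token: a protected header in Clevis's layout (a real one also carries
    # jwk_pub/jwk_priv), an empty encrypted-key part (alg "dir") and dummy iv/ct/tag.
    header = {"alg": "dir", "clevis": {"pin": "tpm2", "tpm2": tpm2_cfg}, "enc": "A256GCM"}
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + "..AAAAAAAAAAAAAAAA.AAAA.AAAAAAAAAAAAAAAAAAAAAA"


# Like the wiki's `clevis encrypt tpm2 '{}'` test: sealed to the TPM, but to no PCR.
SAMPLE_NO_POLICY = make_sample_jwe({"hash": "sha256", "key": "ecc"})
# Like `clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'`: sealed against PCR 7.
SAMPLE_PCR7 = make_sample_jwe({"hash": "sha256", "key": "ecc", "pcr_bank": "sha256", "pcr_ids": "7"})

if __name__ == "__main__":
    for name, tok in (("no policy", SAMPLE_NO_POLICY), ("pcr7", SAMPLE_PCR7)):
        print(name, inspect_clevis_jwe(tok))
```

On a real system, feed it the contents of test.txt or a token from `clevis luks list -d /dev/sda3` to confirm the keyslot is sealed to PCR7 before relying on automatic unlock.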
See also
- Original article: TPM Encryption in Fedora (https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/)