Linux: Full Disk Encryption

4,714 bytes added, 10:12, 20 May 2020
/* List of tested devices */
== Overview ==
The idea is to encrypt the partition holding the root filesystem using LUKS and store the keys in the TPM.<br>
During boot the user does not have to enter a decryption password; the partition is decrypted automatically using the keys from the TPM.<br>
It is an open-source alternative to Windows BitLocker.
The guide was tested on systems with the specs listed below, but should be easily adaptable.
* Device: fitlet2
* OS: Debian GNU/Linux testing (buster)
* ISO: debian-buster-DI-rc2-amd64-netinst.iso
* Kernel: 4.19.0-5-amd64
* BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00
* TPM: Firmware based TPM 2.0 implementation (fTPM)
* Clevis: 11-2

* Device: fitlet2
* OS: Debian GNU/Linux bullseye
* ISO: debian-bullseye-DI-rc2-amd64-netinst.iso
* Kernel: 5.6.0-1-amd64
* BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00
* TPM: Firmware based TPM 2.0 implementation (fTPM)
* Clevis: 13-1

== Installation ==
* Follow the standard installation procedure - choose timezone, hostname, username, password etc.
* In the "Partition disks" dialog you can choose an automatic or a manual partitioning scheme
** Automatic - select "Guided - use entire disk and set up encrypted LVM"
*** The partition scheme will be defined automatically
*** You will be asked to enter a passphrase for encryption
** Manual (advanced), for example:
*** #1, size 200.0 MB, use as "EFI System Partition"
*** #2, size 300.0 MB, use as "EXT4 journaling file system", mount point /boot
*** #3, size 3.0 GB, use as "physical volume for encryption"
*** Go to "Configuring encrypted volumes" and select partition #3 as the device to be encrypted
*** You will be asked to enter a passphrase for encryption
*** Back in "Partition disks", find the newly appeared encrypted volume #1 and use it as "EXT4 journaling file system", mount point /
* Continue with package manager, software selection etc.
* Disconnect the installation media and reboot
* You will be asked for the passphrase of the encrypted disk; enter it manually, then the boot process will continue
* Login using the previously selected username and password.
* NOTE: The PATH definition in /etc/profile should be fixed:
<pre>
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
export PATH
...
</pre>
== Automated Decryption ==
* Clevis is a framework for automated decryption of data or automated unlocking of LUKS volumes.
<pre>
$ su
Password:
$ apt install clevis-tpm2 clevis-luks clevis-dracut
</pre>
* NOTE: the current version of clevis-dracut (11-2) requires a patch to work correctly in Debian:
<pre>
--- /usr/lib/dracut/modules.d/60clevis/module-setup.sh.orig	2019-03-01 12:37:24.000000000 +0200
+++ /usr/lib/dracut/modules.d/60clevis/module-setup.sh	2019-07-01 13:47:48.341990143 +0300
@@ -36,9 +36,7 @@
     inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
     inst_multiple /etc/services \
-        clevis-decrypt-http \
-        clevis-decrypt-tang \
-        clevis-decrypt-sss \
+        cryptsetup \
         /usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
         clevis-decrypt \
         luksmeta \
@@ -46,11 +44,16 @@
         mktemp \
         curl \
         jose \
-        socat
+        socat \
+        /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0 \
+        /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0.0.0 \
+        /usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0 \
+        /usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0.0.0
 
     for cmd in clevis-decrypt-tpm2 \
                tpm2_createprimary \
                tpm2_unseal \
+               tpm2_pcrlist \
                tpm2_load; do
         if ! find_binary "$cmd" &>/dev/null; then
@@ -62,6 +65,7 @@
         inst_multiple clevis-decrypt-tpm2 \
                       tpm2_createprimary \
                       tpm2_unseal \
+                      tpm2_pcrlist \
                       tpm2_load
     fi
</pre>
* Download and apply the patch:
<pre>
$ wget https://fit-iot.com/files/download/fitlet2/sw/tools/Linux-ftpm2.0/module-setup.sh.diff
$ patch -p1 /usr/lib/dracut/modules.d/60clevis/module-setup.sh module-setup.sh.diff
</pre>
* Regenerate the initramfs image with the clevis modules so that the root filesystem can be decrypted during early boot. You need to do this once:
<pre>
$ dracut -f /boot/initrd.img-$(uname -r)
</pre>
* Test the TPM encryption module. The following example encrypts the words "Hello World!" and writes them to test.txt. Give it a try!
<pre>
$ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
$ cat test.txt
eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI ...
</pre>
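Review bot: In the first hunk (@@ -36,9 +36,7 @@), dropping clevis-decrypt-http, clevis-decrypt-tang and clevis-decrypt-sss from the inst_multiple list removes those pins from the initramfs, so a LUKS volume bound with the tang or sss pin would no longer unlock at boot. The fix this note describes only needs cryptsetup and the tpm2 pieces, so keep the three lines and add "cryptsetup \" next to them, or state in the patch description why the other pins are intentionally excluded.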
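Review bot: The second hunk (@@ -46,11 +44,16 @@) hardcodes the four libtss2-tcti paths under /usr/lib/x86_64-linux-gnu/ and pins them to the .so.0.0.0 file names of the currently installed tpm2-tss, so on any other architecture or after a library version bump dracut will not find the files and the TPM unlock stops working at the next initramfs rebuild. Resolve the library directory from the host's multiarch triplet (or install by soname rather than by literal path), and reconsider the two libtss2-tcti-mssim lines, which are the TPM simulator transport and are not used with the real fTPM this page targets.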
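Review bot: The third hunk (@@ -62,6 +65,7 @@) repeats the list of tpm2 tools already enumerated in the for loop of the previous hunk, so tpm2_pcrlist has to be added in two places and the lists can drift apart. Define the list once (for example tpm2_cmds="clevis-decrypt-tpm2 tpm2_createprimary tpm2_unseal tpm2_pcrlist tpm2_load") and use it both in the find_binary check and in the inst_multiple call.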
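The JWE that clevis encrypt writes to test.txt carries its unseal policy in the base64url-encoded protected header, so the header alone tells you whether a ciphertext is gated on PCR7 (as with the '{"pcr_ids":"7"}' binding later on this page) or, like the '{}' test above, on no PCR at all. The following function is an added example, not part of this page or of clevis; the two sample headers it decodes are constructed here, not captured from a device.

```shell
#!/bin/sh
# Added example (not from the page or from clevis): inspect the protected header
# of a clevis JWE and report which TPM2 policy the payload was sealed under.

# Decode one base64url segment (JWE segments carry no '=' padding).
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print "<pin> pcr_ids=<ids|none>" for the compact JWE in $1.
# Exit 0: tpm2 pin gated on at least one PCR.
# Exit 1: tpm2 pin with no PCR policy ('{}' as in the test above); any process
#         that can talk to this TPM can unseal it, so it proves nothing about
#         boot state.
# Exit 2: some other pin (tang, sss, ...).
clevis_tpm2_policy() {
    hdr=$(b64url_decode "${1%%.*}")
    pin=$(printf '%s' "$hdr" | sed -n 's/.*"pin":"\([^"]*\)".*/\1/p')
    pcrs=$(printf '%s' "$hdr" | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p')
    printf '%s pcr_ids=%s\n' "$pin" "${pcrs:-none}"
    [ "$pin" = "tpm2" ] || return 2
    [ -n "$pcrs" ] || return 1
    return 0
}

# Constructed sample headers (real ones also carry jwk_pub/jwk_priv blobs).
HDR_PCR7='{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7"}},"enc":"A256GCM"}'
HDR_NOPCR='{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha256","key":"ecc"}},"enc":"A256GCM"}'

b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed compact JWEs: header.(empty key).iv.ciphertext.tag; only the
# header is inspected, the remaining segments are dummies.
JWE_PCR7="$(b64url_encode "$HDR_PCR7")..aXY.Y2lwaGVy.dGFn"
JWE_NOPCR="$(b64url_encode "$HDR_NOPCR")..aXY.Y2lwaGVy.dGFn"

clevis_tpm2_policy "$JWE_PCR7"  || echo "WARNING: not gated on any PCR"   # tpm2 pcr_ids=7
clevis_tpm2_policy "$JWE_NOPCR" || echo "WARNING: not gated on any PCR"   # tpm2 pcr_ids=none
```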
<pre>
$ cat test.txt | clevis decrypt tpm2
Hello World!
</pre>
* Bind a master key generated by the TPM to the LUKS volume. The binding uses a specific Platform Configuration Register (PCR), PCR7.
<pre>
# Review information about the cryptographic setup of the encrypted partition:
$ cryptsetup luksDump /dev/sda3
$ clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'
Enter existing LUKS password: ******
# Review information about the cryptographic setup again and check that the new key has been written to the LUKS volume:
$ cryptsetup luksDump /dev/sda3
</pre>
* Restart your machine; the encrypted disk will be decrypted automatically and you will reach the login prompt
<pre>
$ reboot
</pre>

== See also ==
* Original article: [https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/ TPM Encryption in Fedora]<br>
[[category:software]][[category:Application notes]][[category:fitlet2]]