Changes

Jump to: navigation, search

Linux: Full Disk Encryption

2,206 bytes added, 10:12, 20 May 2020
/* List of tested devices */
The guide was tested on a system with the specs listed below, but should be easily adaptable.
* Device: fitlet2* OS: Debian GNU/Linux testing (buster)* ISO: debian-buster-DI-rc2-amd64-netinst.iso* Kernel: 4.19.0-5-amd64* BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00* TPM: Firmware based TPM 2.0 implementation (fTPM) Clevis: 11-2  Device: fitlet2 OS: Debian GNU/Linux bullseye ISO: debian-bullseye-DI-rc2-amd64-netinst.iso Kernel: 5.6.0-1-amd64 BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00 TPM: Firmware based TPM 2.0 implementation (fTPM) Clevis: 13-1
== Installation ==
Password:
$ apt install clevis-tpm2 clevis-luks clevis-dracut
 
* NOTE: current version of clevis-dracut (11-2) requires patch to work correctly in Debian:
<pre>
--- /usr/lib/dracut/modules.d/60clevis/module-setup.sh.orig 2019-03-01 12:37:24.000000000 +0200
+++ /usr/lib/dracut/modules.d/60clevis/module-setup.sh 2019-07-01 13:47:48.341990143 +0300
@@ -36,9 +36,7 @@
inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
inst_multiple /etc/services \
- clevis-decrypt-http \
- clevis-decrypt-tang \
- clevis-decrypt-sss \
+ cryptsetup \
/usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
clevis-decrypt \
luksmeta \
@@ -46,11 +44,16 @@
mktemp \
curl \
jose \
- socat
+ socat \
+ /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0 \
+ /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0.0.0 \
+ /usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0 \
+ /usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0.0.0
for cmd in clevis-decrypt-tpm2 \
tpm2_createprimary \
tpm2_unseal \
+ tpm2_pcrlist \
tpm2_load; do
if ! find_binary "$cmd" &>/dev/null; then
@@ -62,6 +65,7 @@
inst_multiple clevis-decrypt-tpm2 \
tpm2_createprimary \
tpm2_unseal \
+ tpm2_pcrlist \
tpm2_load
fi
</pre>
* Download and apply the patch:
$ wget https://fit-iot.com/files/download/fitlet2/sw/tools/Linux-ftpm2.0/module-setup.sh.diff
$ patch -p1 /usr/lib/dracut/modules.d/60clevis/module-setup.sh module-setup.sh.diff
* Regenerate the iniramfs image with clevis modules to decrypt the root filesystem during early boot. You need to do this once:
$ dracut -f /boot/initrd.img-$(uname -r)
 
* Test the TPM encryption module, the following example encrypts the words “Hello World!” and writes them to test.txt. Give it a try!
$ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
# Review information about the cryptographic setup again, check if the new key has been written to the LUKS volume:
$ cryptsetup luksDump /dev/sda3
 
* Restart your machine, encrypted disk will be decrypted automatically and you will reach the login prompt
$ reboot
 
== See also ==
* Original article: [https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/ TPM Encryption in Fedora]
<br>
 
[[category:software]]
[[category:Application notes]]
[[category:fitlet2]]
Denis
425
edits
Retrieved from "https://fit-pc.com/wiki/index.php?title=Special:MobileDiff/7254...7944"