Changes
/* List of tested devices */
The guide was tested on a system with the specs listed below, but should be easily adaptable.
== Installation ==
Password:
$ apt install clevis-tpm2 clevis-luks clevis-dracut
* NOTE: current version of clevis-dracut (11-2) requires patch to work correctly in Debian:
<pre>
--- /usr/lib/dracut/modules.d/60clevis/module-setup.sh.orig 2019-03-01 12:37:24.000000000 +0200
+++ /usr/lib/dracut/modules.d/60clevis/module-setup.sh 2019-07-01 13:47:48.341990143 +0300
@@ -36,9 +36,7 @@
inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
inst_multiple /etc/services \
- clevis-decrypt-http \
- clevis-decrypt-tang \
- clevis-decrypt-sss \
+ cryptsetup \
/usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
clevis-decrypt \
luksmeta \
@@ -46,11 +44,16 @@
mktemp \
curl \
jose \
- socat
+ socat \
+ /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0 \
+ /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0.0.0 \
+ /usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0 \
+ /usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0.0.0
for cmd in clevis-decrypt-tpm2 \
tpm2_createprimary \
tpm2_unseal \
+ tpm2_pcrlist \
tpm2_load; do
if ! find_binary "$cmd" &>/dev/null; then
@@ -62,6 +65,7 @@
inst_multiple clevis-decrypt-tpm2 \
tpm2_createprimary \
tpm2_unseal \
+ tpm2_pcrlist \
tpm2_load
fi
</pre>
* Download and apply the patch:
$ wget https://fit-iot.com/files/download/fitlet2/sw/tools/Linux-ftpm2.0/module-setup.sh.diff
$ patch -p1 /usr/lib/dracut/modules.d/60clevis/module-setup.sh module-setup.sh.diff
* Regenerate the iniramfs image with clevis modules to decrypt the root filesystem during early boot. You need to do this once:
$ dracut -f /boot/initrd.img-$(uname -r)
* Test the TPM encryption module, the following example encrypts the words “Hello World!” and writes them to test.txt. Give it a try!
$ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
# Review information about the cryptographic setup again, check if the new key has been written to the LUKS volume:
$ cryptsetup luksDump /dev/sda3
* Restart your machine, encrypted disk will be decrypted automatically and you will reach the login prompt
$ reboot
== See also ==
* Original article: [https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/ TPM Encryption in Fedora]
<br>
[[category:software]]
[[category:Application notes]]
[[category:fitlet2]]