Linux: Full Disk Encryption

From fit-PC wiki
Revision as of 13:25, 30 June 2019 by Denis (Talk | contribs) (Automated Decryption)

The idea is to encrypt the partition holding the root filesystem using LUKS and to store the keys in the TPM.
During boot the user does not have to enter a decryption password; the partition is decrypted automatically using the keys from the TPM.
It is an open-source alternative to Windows BitLocker.

  • LUKS (Linux Unified Key Setup) - a full volume encryption feature and the standard for Linux hard disk encryption
  • TPM (Trusted Platform Module) - a dedicated microcontroller designed to secure hardware through integrated cryptographic keys

List of tested devices

The guide was tested on a system with the specs listed below, but should be easily adaptable.

  • Device: fitlet2
  • OS: Debian GNU/Linux testing (buster)
  • ISO: debian-buster-DI-rc2-amd64-netinst.iso
  • Kernel: 4.19.0-5-amd64
  • BIOS: 09/17/2018 American Megatrends Inc. FLT2.
  • TPM: Firmware based TPM 2.0 implementation


  • Follow the standard installation procedure - choose timezone, hostname, username, password etc.
  • In the "Partition disks" dialog select the partitioning method "Guided - use entire disk and set up encrypted LVM"
  • NOTE: advanced users can implement other partitioning schemes manually, for example:
    • #1, size 200.0 MB, use as "EFI System Partition"
    • #2, size 300.0 MB, use as "EXT4 journaling file system", mount point /boot
    • #3, size 3.0 GB, use as "physical volume for encryption"
    • Go to "Configuring encrypted volumes" and select partition #3 as the device to be encrypted
    • You will be asked to enter an encryption passphrase for partition #3
    • Back in "Partition disks", find the newly created encrypted volume #1 and use it as "EXT4 journaling file system", mount point /
  • Continue with package manager, software selection etc.
  • Disconnect the installation media and reboot
  • You will be asked for the passphrase of the encrypted disk; enter it manually and the boot process will continue
  • Log in using the previously selected username and password.
  • NOTE: the PATH variable in the Debian installation should be fixed:
    • Open /etc/profile and set PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Automated Decryption

  • Clevis is a framework for automated decryption of data or automated unlocking of LUKS volumes.
$ su
$ apt install clevis-tpm2 clevis-luks clevis-dracut
  • Test the TPM encryption module: the following example encrypts the words “Hello World!” and writes the result to test.txt. Give it a try!
$ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
$ cat test.txt
$ clevis decrypt < test.txt
Hello World!
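Added example (not from the fit-PC wiki or the Clevis project): a small Python inspector for the JWE that `clevis encrypt tpm2` writes. It decodes the protected header, where Clevis records the pin and its configuration, and reports whether the key was sealed to any PCRs; with the `'{}'` configuration used above there are no `pcr_ids`, so the key is bound to this TPM but not to the measured boot state. The sample tokens are constructed to mirror the header layout as I know it, and their ciphertext is dummy bytes.

```python
import base64
import json

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the JOSE encoding Clevis uses."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def clevis_header(jwe: str) -> dict:
    """Return the protected header of a compact JWE; Clevis stores its
    pin configuration under header["clevis"]."""
    parts = jwe.strip().split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 dot-separated parts)")
    return json.loads(b64url_decode(parts[0]))

def tpm2_binding(header: dict) -> dict:
    """Summarise what a tpm2-pinned token is bound to. No pcr_ids means the
    key is sealed to this TPM only, so it unseals in any boot state."""
    clevis = header.get("clevis", {})
    pin = clevis.get("pin")
    tpm2 = clevis.get("tpm2", {}) if pin == "tpm2" else {}
    raw = tpm2.get("pcr_ids")
    if raw is None:
        pcr_ids = []
    elif isinstance(raw, list):
        pcr_ids = [int(x) for x in raw]
    else:  # clevis stores the list as a string such as "0,7"
        pcr_ids = [int(x) for x in str(raw).split(",") if x.strip()]
    return {"pin": pin, "hash": tpm2.get("hash"), "key": tpm2.get("key"),
            "pcr_bank": tpm2.get("pcr_bank"), "pcr_ids": pcr_ids,
            "bound_to_boot_state": bool(pcr_ids)}

def make_sample_jwe(tpm2_cfg: dict) -> str:
    """Constructed token with the header layout Clevis uses; iv, ciphertext
    and tag are dummy bytes, so it cannot be decrypted by anything."""
    header = {"alg": "dir", "enc": "A256GCM",
              "clevis": {"pin": "tpm2", "tpm2": tpm2_cfg}}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    dummy = b64url_encode(b"\x00" * 16)
    return ".".join([protected, "", dummy, dummy, dummy])

# Constructed stand-ins for `clevis encrypt tpm2 '{}'` and for
# `clevis encrypt tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,7"}'`.
UNBOUND = make_sample_jwe({"hash": "sha256", "key": "ecc", "jwk_pub": "x", "jwk_priv": "x"})
BOUND = make_sample_jwe({"hash": "sha256", "key": "ecc", "pcr_bank": "sha256",
                         "pcr_ids": "0,7", "jwk_pub": "x", "jwk_priv": "x"})
```

Run `tpm2_binding(clevis_header(open("test.txt").read()))` against the test.txt produced above to see what the `'{}'` configuration bound the key to. To tie unsealing to the measured boot state, pass `pcr_ids` (and `pcr_bank`) in the Clevis configuration instead of `'{}'`.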
  • Now it is time to set up automatic decryption of the existing encrypted root file system.
# Try this command to show some information about the cryptographic setup of the encrypted partition:
$ cryptsetup luksDump /dev/sda3