Linux: Full Disk Encryption

4,757 bytes added, 10:12, 20 May 2020
== Overview ==
This guide explains how to encrypt the partition holding the root filesystem with LUKS and store the keys in the TPM.<br>During boot the user does not have to enter a decryption password; the partition is decrypted automatically using the keys from the TPM.<br>It's an open-source alternative to Windows BitLocker.
* Linux Unified Key Setup (LUKS) - a full volume encryption feature, the standard for Linux hard disk encryption
* Trusted Platform Module (TPM) - a dedicated micro-controller designed to secure hardware through integrated cryptographic keys
== List of tested devices ==
The guide was tested on a system with the specs listed below, but should be easily adaptable.
Configuration 1:
* Device: fitlet2
* OS: Debian GNU/Linux testing (buster)
* ISO: debian-buster-DI-rc2-amd64-netinst.iso
* Kernel: 4.19.0-5-amd64
* BIOS: 09/17/2018 American Megatrends Inc. FLT2.
* TPM: Firmware based TPM 2.0 implementation (fTPM)
* Clevis: 11-2

Configuration 2:
* Device: fitlet2
* OS: Debian GNU/Linux bullseye
* ISO: debian-bullseye-DI-rc2-amd64-netinst.iso
* Kernel: 5.6.0-1-amd64
* BIOS: 09/17/2018 American Megatrends Inc. FLT2.
* TPM: Firmware based TPM 2.0 implementation (fTPM)
* Clevis: 13-1

== Installation ==
* Follow the standard installation procedure - choose timezone, hostname, username, password etc.
* In the "Partition disks" dialog you can choose an automatic or a manual partitioning scheme
** Automatic - select "Guided - use entire disk and set up encrypted LVM"
*** The partition scheme will be defined automatically
*** You will be asked to enter a passphrase for encryption
** Manual (advanced), for example:
*** #1, size 200.0 MB, use as "EFI System Partition"
*** #2, size 300.0 MB, use as "EXT4 journaling file system", mount point /boot
*** #3, size 3.0 GB, use as "physical volume for encryption"
*** Go to "Configuring encrypted volumes" and select partition #3 as the device to be encrypted
*** You will be asked to enter a passphrase for encryption
*** Back in "Partition disks", find the newly created encrypted volume #1 and use it as "EXT4 journaling file system", mount point /
* Continue with package manager, software selection etc.
* Disconnect the installation media and reboot
* You will be asked for the passphrase of the encrypted disk; enter it manually, then the boot process will continue
* Login using the previously selected username and password.
* NOTE: The PATH definition in /etc/profile should be fixed:
<pre>
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
export PATH
...
</pre>
== Automated Decryption ==
* Clevis is a framework for automated decryption of data and automated unlocking of LUKS volumes.
 $ su
 Password:
 $ apt install clevis-tpm2 clevis-luks clevis-dracut
* NOTE: the current version of clevis-dracut (11-2) requires a patch to work correctly in Debian:
<pre>--- /usr/lib/dracut/modules.d/60clevis/ 2019-03-01 12:37:24.000000000 +0200+++ /usr/lib/dracut/modules.d/60clevis/ 2019-07-01 13:47:48.341990143 +0300@@ -36,9 +36,7 @@ inst_hook initqueue/settled 60 "$moddir/" inst_multiple /etc/services \- clevis-decrypt-http \- clevis-decrypt-tang \- clevis-decrypt-sss \+ cryptsetup \ /usr/lib/x86_64-linux-gnu/clevis-luks-askpass \ clevis-decrypt \ luksmeta \@@ -46,11 +44,16 @@ mktemp \ curl \ jose \- socat+ socat \+ /usr/lib/x86_64-linux-gnu/ \+ /usr/lib/x86_64-linux-gnu/ \+ /usr/lib/x86_64-linux-gnu/ \+ /usr/lib/x86_64-linux-gnu/ for cmd in clevis-decrypt-tpm2 \ tpm2_createprimary \ tpm2_unseal \+ tpm2_pcrlist \ tpm2_load; do if ! find_binary "$cmd" &>/dev/null; then@@ -62,6 +65,7 @@ inst_multiple clevis-decrypt-tpm2 \ tpm2_createprimary \ tpm2_unseal \+ tpm2_pcrlist \ tpm2_load fi</pre>
* Download and apply the patch:
 $ wget 
 $ patch -p1 /usr/lib/dracut/modules.d/60clevis/
* Regenerate the initramfs image with the clevis modules so that the root filesystem can be decrypted during early boot. You need to do this once:
 $ dracut -f /boot/initrd.img-$(uname -r)
* Test the TPM encryption module. The following example encrypts the words "Hello World!" and writes them to test.txt. Give it a try!
 $ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
 $ cat test.txt
 eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI ...
 $ cat test.txt | clevis decrypt tpm2
 Hello World!
* Bind the master key generated by the TPM to the LUKS volume. The binding is tied to a specific Platform Configuration Register (PCR), PCR 7.
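Review bot: the first hunk removes clevis-decrypt-http, clevis-decrypt-tang and clevis-decrypt-sss from the inst_multiple list, so with this patch applied only the tpm2 pin is available inside the initramfs; a volume bound with the tang or sss pins would not unlock at boot, which is fine for this note's TPM-only setup but should be stated next to the patch. In the second hunk the four added "/usr/lib/x86_64-linux-gnu/ \" entries, and both file headers, have lost their filenames on this page (the paths end in a slash), so the patch cannot be applied as quoted; the reader needs the full library paths from the downloaded patch file, and the "patch -p1 /usr/lib/dracut/modules.d/60clevis/" command below also needs the patch file supplied on stdin. The tpm2_pcrlist additions in the second and third hunks are what make the "pcr_ids":"7" binding work in early boot; since the note says the patch targets clevis-dracut 11-2 and the second tested configuration runs 13-1, the reader should check whether the 13-1 module already installs tpm2_pcrlist before applying it.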
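Two checks worth having around the bind step, written here as an added example (not part of this application note or of the clevis project): decode the protected header of the JWE that <code>clevis encrypt tpm2</code> writes (the "eyJ..." text in test.txt) to see which pin and which PCR bank/ids the secret is sealed to, and count the key slots and clevis tokens in <code>cryptsetup luksDump</code> output so the dump taken before the bind can be compared with the one taken after. Both functions work offline; the JWE headers and luksDump fragments embedded below are constructed samples (the jwk_pub/jwk_priv values are dummies), and the header field names are assumed to match what clevis-encrypt-tpm2 emits.

```shell
#!/bin/sh
# Added example for this application note (not part of the original page or
# of the clevis project). Two offline checks around "clevis luks bind":
#   jwe_pcr_policy  - decodes the protected header of a Clevis JWE (the "eyJ..."
#                     output of "clevis encrypt tpm2") and reports the pin and
#                     the PCR bank/ids the secret is sealed to;
#   luks_keyslots   - counts key slots and clevis tokens in "cryptsetup luksDump"
#                     output (LUKS1 "Key Slot N: ENABLED" lines and the LUKS2
#                     "Keyslots:" / "Tokens:" sections), to compare before/after.
# All sample inputs below are constructed, not captured from a device.

# base64url (no padding) -> raw bytes
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# raw bytes -> base64url (no padding); used only to build the constructed samples
b64url_encode() {
    base64 | tr -d '=\n' | tr '/+' '_-'
}

# Print "<pin> <pcr_bank> <pcr_ids>" for the compact JWE in $1; "none" if a
# field is absent (a JWE made with '{}' carries no pcr_ids, i.e. no PCR policy).
jwe_pcr_policy() {
    hdr=$(b64url_decode "${1%%.*}")      # first dot-separated part is the header
    pin=$(printf '%s' "$hdr"  | sed -n 's/.*"pin":"\([^"]*\)".*/\1/p')
    bank=$(printf '%s' "$hdr" | sed -n 's/.*"pcr_bank":"\([^"]*\)".*/\1/p')
    ids=$(printf '%s' "$hdr"  | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p')
    printf '%s %s %s\n' "${pin:-none}" "${bank:-none}" "${ids:-none}"
}

# Read a luksDump on stdin, print "slots=N clevis_tokens=M".
luks_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { slots++ }          # LUKS1
        /^Keyslots:/ { sec = "ks";  next }               # LUKS2 sections
        /^Tokens:/   { sec = "tok"; next }
        /^[A-Z][A-Za-z ]*:/ { sec = "" }                 # any other top-level section
        sec == "ks"  && /^  [0-9]+: luks2/  { slots++ }
        sec == "tok" && /^  [0-9]+: clevis/ { tokens++ }
        END { printf "slots=%d clevis_tokens=%d\n", slots, tokens }
    '
}

# --- constructed samples (assumed header shape, dummy jwk values) ------------
HDR_PCR7='{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha256","jwk_pub":"AAAA","jwk_priv":"BBBB","key":"ecc","pcr_bank":"sha256","pcr_ids":"7"}},"enc":"A256GCM"}'
HDR_NOPCR='{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha256","jwk_pub":"AAAA","jwk_priv":"BBBB","key":"ecc","pcr_bank":"sha256"}},"enc":"A256GCM"}'
# JWE compact form: header..iv.ciphertext.tag (empty encrypted key for alg "dir")
JWE_PCR7="$(printf '%s' "$HDR_PCR7" | b64url_encode)..AAAA.BBBB.CCCC"
JWE_NOPCR="$(printf '%s' "$HDR_NOPCR" | b64url_encode)..AAAA.BBBB.CCCC"

# Constructed luksDump fragments: LUKS2 before and after a bind, and a LUKS1 dump.
DUMP_BEFORE='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'
DUMP_AFTER='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
    Key:        512 bits
Tokens:
  0: clevis
    Keyslot:    1
Digests:
  0: pbkdf2'
DUMP_LUKS1='LUKS header information for /dev/sda3
Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED'

echo "policy, bound to PCR 7 : $(jwe_pcr_policy "$JWE_PCR7")"     # tpm2 sha256 7
echo "policy, '{}' config    : $(jwe_pcr_policy "$JWE_NOPCR")"    # tpm2 sha256 none
echo "LUKS2 before bind      : $(printf '%s\n' "$DUMP_BEFORE" | luks_keyslots)"
echo "LUKS2 after bind       : $(printf '%s\n' "$DUMP_AFTER"  | luks_keyslots)"
echo "LUKS1 dump             : $(printf '%s\n' "$DUMP_LUKS1"  | luks_keyslots)"
```

On the device the same functions are run against real data, e.g. <code>jwe_pcr_policy "$(cat test.txt)"</code> and <code>cryptsetup luksDump /dev/sda3 | luks_keyslots</code> before and after the bind; the slot count should go up by one and a clevis token should appear. A header that reports <code>none</code> for pcr_ids means the key is sealed to the TPM without any PCR policy, which is what the <code>'{}'</code> test above produces and is not what you want for the root volume.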
# Review the information about the cryptographic setup of the encrypted partition:
 $ cryptsetup luksDump /dev/sda3
 $ clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'
 Enter existing LUKS password: ******
# Review the information about the cryptographic setup again and check that the new key has been written to the LUKS volume:
 $ cryptsetup luksDump /dev/sda3
* Restart your machine; the encrypted disk will be decrypted automatically and you will reach the login prompt
 $ reboot

== See also ==
* Original article: [ TPM Encryption in Fedora]<br>
[[category:software]][[category:Application notes]][[category:fitlet2]]