From 216c34911d0e3ecd94fb9c821a34234714b40377 Mon Sep 17 00:00:00 2001 From: Sten Turpin Date: Fri, 26 Apr 2024 12:05:16 -0500 Subject: [PATCH 1/5] Add TPM2 systemd-cryptenroll to Tips and Tricks This worked for me; I'm not sure if it's complete, or the most secure possible configuration, but it's frustrating to try to piece this together from blogs and discussion pages, so looking to firm it up here; would appreciate testing/confirmation/edits/corrections. --- modules/ROOT/pages/tips-and-tricks.adoc | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/modules/ROOT/pages/tips-and-tricks.adoc b/modules/ROOT/pages/tips-and-tricks.adoc index 0d71866..ed3509e 100644 --- a/modules/ROOT/pages/tips-and-tricks.adoc +++ b/modules/ROOT/pages/tips-and-tricks.adoc @@ -160,3 +160,16 @@ or setup shell `alias`es as needed to make them available to the CLI like so: $ alias evince="flatpak run org.gnome.Evince" # or alias evince="org.gnome.Evince" $ evince + +== Enabling TPM2 for LUKS + +It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. + +First, enable the needed initramfs and kernel features: + + $ sudo rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto + $ sudo rpm-ostree initramfs --enable --arg=-a --arg=systemd-pcrphase + +Then, enroll the device: + + $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /your/boot/device From 54c1e072a855b09d188ab695b64a0f880ebef3d0 Mon Sep 17 00:00:00 2001 From: Sten Turpin Date: Sat, 27 Apr 2024 14:47:45 -0500 Subject: [PATCH 2/5] requested changes incorporating some feedback and changes, clarifying some of the drawbacks and caveats around this setting --- modules/ROOT/pages/tips-and-tricks.adoc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/modules/ROOT/pages/tips-and-tricks.adoc b/modules/ROOT/pages/tips-and-tricks.adoc index ed3509e..5a4432a 100644 --- a/modules/ROOT/pages/tips-and-tricks.adoc 
+++ b/modules/ROOT/pages/tips-and-tricks.adoc @@ -163,13 +163,17 @@ or setup shell `alias`es as needed to make them available to the CLI like so: == Enabling TPM2 for LUKS -It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. +It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading convenience for security. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. -First, enable the needed initramfs and kernel features: +To set up TPM2 unlocking, first, find the LUKS device you want to enroll. This is probably in /etc/cryptsetup; you can also use `cryptsetup status /dev/mappper/luks*` to identify the device. + +Next, enable the required initramfs and kernel features. Note that the initramfs command below will overwrite any other initramfs changes you have made: $ sudo rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto $ sudo rpm-ostree initramfs --enable --arg=-a --arg=systemd-pcrphase Then, enroll the device: - $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /your/boot/device + $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/mapper/luks-your-device + +Reboot; you should not be prompted to enter your LUKS passphrase on boot. From 43ff4d299a559dcd34d516da622d6a75b46ed1d1 Mon Sep 17 00:00:00 2001 
From: Sten Turpin Date: Sun, 19 May 2024 10:20:50 -0500 Subject: [PATCH 3/5] Update tips-and-tricks.adoc make a note that the re-enroll will need to be re-run if the boot process changes enough to upset the pcr; clarify which device needs to be passed to the cryptenroll command --- modules/ROOT/pages/tips-and-tricks.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/ROOT/pages/tips-and-tricks.adoc b/modules/ROOT/pages/tips-and-tricks.adoc index 5a4432a..d05cf54 100644 --- a/modules/ROOT/pages/tips-and-tricks.adoc +++ b/modules/ROOT/pages/tips-and-tricks.adoc 
@@ -163,7 +163,7 @@ or setup shell `alias`es as needed to make them available to the CLI like so: == Enabling TPM2 for LUKS -It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading convenience for security. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. +It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading convenience for security. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. To set up TPM2 unlocking, first, find the LUKS device you want to enroll. 
This is probably in /etc/cryptsetup; you can also use `cryptsetup status /dev/mappper/luks*` to identify the device. @@ -172,8 +172,8 @@ Next, enable the required initramfs and kernel features. Note that the initramfs $ sudo rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto $ sudo rpm-ostree initramfs --enable --arg=-a --arg=systemd-pcrphase -Then, enroll the device: +Then, using the device you identified with 'crpysetup status' previously, enroll the device: - $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/mapper/luks-your-device + $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/boot-device Reboot; you should not be prompted to enter your LUKS passphrase on boot. From 32b875c7eef8f0eb56e2c7171b3fa84dc53d4483 Mon Sep 17 00:00:00 2001 From: Sten Turpin Date: Sun, 18 Aug 2024 11:21:22 -0500 Subject: [PATCH 4/5] Update tips-and-tricks.adoc trading security for convenience, not the other way around --- modules/ROOT/pages/tips-and-tricks.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/tips-and-tricks.adoc b/modules/ROOT/pages/tips-and-tricks.adoc index d05cf54..18c0b41 100644 --- a/modules/ROOT/pages/tips-and-tricks.adoc +++ b/modules/ROOT/pages/tips-and-tricks.adoc 
@@ -163,7 +163,7 @@ or setup shell `alias`es as needed to make them available to the CLI like so: == Enabling TPM2 for LUKS -It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading convenience for security. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. +It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading security for convenience. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. To set up TPM2 unlocking, first, find the LUKS device you want to enroll. 
This is probably in /etc/cryptsetup; you can also use `cryptsetup status /dev/mappper/luks*` to identify the device. From 5ee8159bcfadc47993784e5f19c74f090305e362 Mon Sep 17 00:00:00 2001 From: Sten Turpin Date: Thu, 22 Aug 2024 16:49:54 -0500 Subject: [PATCH 5/5] Update modules/ROOT/pages/tips-and-tricks.adoc Co-authored-by: Sam --- modules/ROOT/pages/tips-and-tricks.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/tips-and-tricks.adoc b/modules/ROOT/pages/tips-and-tricks.adoc index 18c0b41..f8705a9 100644 --- a/modules/ROOT/pages/tips-and-tricks.adoc +++ b/modules/ROOT/pages/tips-and-tricks.adoc 
@@ -165,7 +165,7 @@ or setup shell `alias`es as needed to make them available to the CLI like so: It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading security for convenience. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. -To set up TPM2 unlocking, first, find the LUKS device you want to enroll. This is probably in /etc/cryptsetup; you can also use `cryptsetup status /dev/mappper/luks*` to identify the device. +To set up TPM2 unlocking, first, find the LUKS device you want to enroll. This is probably in `/etc/crypttab`. You can also use `sudo cryptsetup status /dev/mapper/luks*` to identify the device. Next, enable the required initramfs and kernel features. Note that the initramfs command below will overwrite any other initramfs changes you have made:
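Review bot: In the PATCH 1/5 hunk, the initramfs line `$ sudo rpm-ostree initramfs --enable --arg=-a --arg=systemd-pcrphase` adds a dracut module whose purpose is not explained, and it does not match the enrollment on the next lines. systemd-pcrphase measures boot-phase strings into PCR 11, but `--tpm2-pcrs=0+7` binds the sealed key only to PCRs 0 (firmware code) and 7 (Secure Boot policy), so the module has no effect on whether the volume unlocks. Either state why it is being added (for example, as preparation for a PCR 11 policy) or drop it, so readers do not assume it hardens the 0+7 policy.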
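Review bot: In the PATCH 2/5 hunk, "the TPM will refuse to sign your session" describes the failure incorrectly: the TPM refuses to unseal the key because the PCR values no longer satisfy the policy the key was sealed under, and systemd-cryptsetup then falls back to the passphrase prompt. The same paragraph's warning that "Anyone who has access to both the disk and the TPM2 device can unlock your data" is the right caveat for a 0+7 policy, since PCR 7 covers Secure Boot state but not the kernel, initramfs or kernel command line; it would help to tell readers that `systemd-cryptenroll --tpm2-with-pin=yes` adds a PIN on top of the PCR policy if they want to keep the TPM binding without the walk-up unlock. Finally, "Reboot; you should not be prompted" gives no way to check the enrollment before rebooting; `sudo cryptsetup luksDump` on the enrolled device shows a token of type `systemd-tpm2` when the enrollment succeeded.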
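Review bot: In the first PATCH 3/5 hunk (`@@ -163,7 +163,7 @@`), "you can re-enable TPM2 for unlocking by re-running the enroll command below" leaves out that re-running `systemd-cryptenroll --tpm2-device=auto` adds a new TPM2 keyslot while the stale one stays in the header. Suggest recommending `--wipe-slot=tpm2` in the same invocation so the old enrollment is removed first, and mentioning that the command prompts for the existing LUKS passphrase, which is why the paragraph's advice to keep one is not optional.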
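Review bot: In the second PATCH 3/5 hunk (`@@ -172,8 +172,8 @@`), the new example `$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/boot-device` points at the wrong thing: on a default Anaconda layout /boot is not LUKS-encrypted, and the argument must be the backing block device of the LUKS container, which is the `device:` line in the `cryptsetup status` output the preceding sentence refers to (a partition node, not a /dev/mapper name and not the boot partition). A neutral placeholder such as `/dev/<luks-partition>` would avoid sending readers to the wrong device. The same line also misspells the tool as 'crpysetup' and uses single quotes where the rest of the page uses backticks for commands.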
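Review bot: In the PATCH 5/5 hunk, `sudo cryptsetup status /dev/mapper/luks*` still relies on a shell glob that only works when exactly one mapping exists; with two or more, `cryptsetup status` receives extra arguments and fails, which contradicts the paragraph above it that tells multi-device users to identify the right one. Since the hunk now correctly names `/etc/crypttab`, it could also say that the `UUID=` field on that file's line identifies the container directly as `/dev/disk/by-uuid/<UUID>`, which is a usable argument for systemd-cryptenroll without going through the mapper name. The 'crpysetup' typo introduced in PATCH 3/5 further down the section is not addressed by this hunk.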