Sure, I'll guide you through setting up LUKS with TPM on Ubuntu 23. Remember, this is like teaching a fish to climb a tree, but since you're not a fish, you'll probably manage just fine. Here's how to do it:
- Update Your System: Let's start with the basics. Open a terminal and run:
    sudo apt update && sudo apt upgrade
  This is like saying "hello" to your system before you start messing with it.

- Install Necessary Tools: You'll need tpm2-tools for TPM interactions. Run:
    sudo apt install tpm2-tools
  Because obviously, you need the right tools to do a specialised job.

- Check TPM Status: Let's make sure your TPM is not just for decoration. Run:
    tpm2_getcap -c properties-fixed
  If you get a bunch of cryptic information back, congrats, your TPM exists and is chatty.

- Set Up LUKS Encryption: Assuming you're encrypting a new partition, let's say /dev/sdaX (replace X with the actual number). If you're playing with an existing partition, be sure to have backups unless you like living dangerously. Run:
    sudo cryptsetup luksFormat /dev/sdaX
  It'll ask for a passphrase - this is the secret sauce, don't forget it!

- Open the LUKS Partition: Now, let's open the vault:
    sudo cryptsetup open /dev/sdaX my_encrypted_partition
  Replace my_encrypted_partition with a name that makes you feel like a spy.

- Format the Encrypted Partition: You need a filesystem on that partition. Let's go with ext4 because it's like the sturdy old boots of filesystems:
    sudo mkfs.ext4 /dev/mapper/my_encrypted_partition

- Mount the Partition: Create a mount point and mount the partition:
    sudo mkdir /mnt/my_encrypted_partition
    sudo mount /dev/mapper/my_encrypted_partition /mnt/my_encrypted_partition

- Store Keys in TPM: Here's the fancy part. Generate a key and add it to both LUKS and TPM:
    # umask 077 so the key file is not world-readable while it sits in /tmp
    (umask 077; dd if=/dev/urandom of=/tmp/mykeyfile bs=512 count=4)
    sudo cryptsetup luksAddKey /dev/sdaX /tmp/mykeyfile
    # policy.digest binds the sealed key to the current values of PCRs 0,2,4,7
    sudo tpm2_createpolicy --policy-pcr -l sha1:0,2,4,7 -L policy.digest
    sudo tpm2_createprimary -C e -g sha256 -G rsa -c primary.context
    # -i is what actually seals the key file; sealing implies a keyedhash object, so -G is not given
    sudo tpm2_create -C primary.context -g sha256 -i /tmp/mykeyfile -u key.pub -r key.priv -L policy.digest -a "noda|adminwithpolicy|fixedtpm|fixedparent"
    sudo tpm2_load -C primary.context -u key.pub -r key.priv -n key.name -c key.context
    sudo tpm2_evictcontrol -C o -c key.context 0x81010001
    # the object has no userwithauth, so unsealing must satisfy the PCR policy; write to a separate file and compare
    sudo tpm2_unseal -c 0x81010001 -p pcr:sha1:0,2,4,7 -o /tmp/unsealed.check
    sudo cmp /tmp/mykeyfile /tmp/unsealed.check && echo "TPM unseal OK"
  This part is like casting a spell. You don't need to understand it fully as long as you get the incantations right.

- Configure Auto-Decrypt: Finally, let's make sure this setup is useful. Modify your /etc/crypttab file to use the TPM:
    my_encrypted_partition UUID=<UUID of /dev/sdaX> none luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/decrypt_tpm2
  Replace <UUID of /dev/sdaX> with the actual UUID. You can find it using blkid.

- Update Initramfs: Update the initramfs for the changes to take effect:
    sudo update-initramfs -u
  This step is like telling your system, "Remember all that stuff we just did? Please actually use it."

- Reboot: Now, reboot and cross your fingers. If all went well, your system should ask for the passphrase and also use the TPM to unlock the encrypted partition.
Remember, this guide is like teaching someone to juggle chainsaws. It's cool if it works, but be prepared for a few cuts along the way. And backups, always have backups!
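The policy.digest file produced by tpm2_createpolicy --policy-pcr above is just a hash over the selected PCR values, which is why any change to PCR 0, 2, 4 or 7 (firmware update, new bootloader, changed Secure Boot state) makes the TPM refuse to unseal the key. The following added example, not part of the guide above, reproduces that TPM2_PolicyPCR computation in plain Python so you can predict the digest for a given PCR state; it assumes tpm2_createpolicy's default sha256 policy hash and the 3-byte PCR bitmap that tpm2-tools marshals, and the PCR values fed in are constructed samples.

```python
import hashlib

TPM_CC_POLICY_PCR = 0x0000017F                          # TPM2_PolicyPCR command code
TPM_ALG = {"sha1": (0x0004, 20), "sha256": (0x000B, 32)}  # algorithm id, digest size


def pcr_selection(bank: str, pcrs) -> bytes:
    """Marshal a TPML_PCR_SELECTION with a single bank: count=1, alg id,
    sizeofSelect=3 and a little-endian 3-byte bitmap (PCR i -> byte i//8, bit i%8)."""
    alg_id, _ = TPM_ALG[bank]
    bitmap = bytearray(3)
    for i in pcrs:
        if not 0 <= i < 24:
            raise ValueError(f"PCR index out of range: {i}")
        bitmap[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + alg_id.to_bytes(2, "big") + bytes([3]) + bytes(bitmap)


def pcr_policy_digest(bank: str, pcr_values: dict, policy_alg: str = "sha256") -> bytes:
    """Compute the policy digest a fresh (all-zero) session would have after
    TPM2_PolicyPCR: H(old || TPM_CC_PolicyPCR || pcrSelection || H(selected PCR values)).
    pcr_values maps PCR index -> raw digest bytes for that bank."""
    _, size = TPM_ALG[bank]
    pcrs = sorted(pcr_values)                 # the TPM concatenates in ascending index order
    concat = b"".join(pcr_values[i] for i in pcrs)
    for i in pcrs:
        if len(pcr_values[i]) != size:
            raise ValueError(f"PCR {i}: expected {size}-byte {bank} value")
    pcr_digest = hashlib.new(policy_alg, concat).digest()
    old_digest = bytes(hashlib.new(policy_alg).digest_size)   # trial session starts at zero
    return hashlib.new(
        policy_alg,
        old_digest + TPM_CC_POLICY_PCR.to_bytes(4, "big")
        + pcr_selection(bank, pcrs) + pcr_digest,
    ).digest()


if __name__ == "__main__":
    # constructed sample: the sha1 bank with all selected PCRs still at zero
    sample = {i: bytes(20) for i in (0, 2, 4, 7)}
    print("selection:", pcr_selection("sha1", sample).hex())
    print("policy   :", pcr_policy_digest("sha1", sample).hex())
```

Feed it the real values from tpm2_pcrread (as raw bytes) and the output should match the contents of policy.digest; if it does not after a firmware or bootloader update, that is the same mismatch that will make the unseal at boot fail.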