@Darkflib
Created January 2, 2024 15:54
Luks setup

Sure, I'll guide you through setting up LUKS with TPM on Ubuntu 23. Remember, this is like teaching a fish to climb a tree, but since you're not a fish, you'll probably manage just fine. Here's how to do it:

  1. Update Your System: Let's start with the basics. Open a terminal and run:

    sudo apt update && sudo apt upgrade

    This is like saying "hello" to your system before you start messing with it.

  2. Install Necessary Tools: You'll need tpm2-tools for TPM interactions. Run:

    sudo apt install tpm2-tools

    Because obviously, you need the right tools to do a specialised job.

  3. Check TPM Status: Let's make sure your TPM is not just for decoration. Run:

    tpm2_getcap -c properties-fixed

    If you get a bunch of cryptic information back, congrats, your TPM exists and is chatty.

  4. Set Up LUKS Encryption: Assuming you're encrypting a new partition, let's say /dev/sdaX (replace X with the actual number). If you're playing with an existing partition, be sure to have backups unless you like living dangerously. Run:

    sudo cryptsetup luksFormat /dev/sdaX

    It'll ask for a passphrase - this is the secret sauce, don't forget it!

  5. Open the LUKS Partition: Now, let's open the vault:

    sudo cryptsetup open /dev/sdaX my_encrypted_partition

    Replace my_encrypted_partition with a name that makes you feel like a spy.

  6. Format the Encrypted Partition: You need a filesystem on that partition. Let's go with ext4 because it's like the sturdy old boots of filesystems:

    sudo mkfs.ext4 /dev/mapper/my_encrypted_partition

  7. Mount the Partition: Create a mount point and mount the partition:

    sudo mkdir /mnt/my_encrypted_partition
    sudo mount /dev/mapper/my_encrypted_partition /mnt/my_encrypted_partition

  8. Store Keys in TPM: Here's the fancy part. Generate a key and add it to both LUKS and TPM:

    # The keyfile sits in plaintext until it is sealed: keep it owner-only and delete it afterwards
    dd if=/dev/urandom of=/tmp/mykeyfile bs=512 count=4
    chmod 600 /tmp/mykeyfile
    sudo cryptsetup luksAddKey /dev/sdaX /tmp/mykeyfile
    # PCR policy over the sha1 bank; confirm that bank is active first with: tpm2_pcrread sha1
    sudo tpm2_createpolicy --policy-pcr -l sha1:0,2,4,7 -L policy.digest
    sudo tpm2_createprimary -C e -g sha256 -G rsa -c primary.context
    # -i seals the keyfile itself; without it tpm2_create produces an HMAC key, not sealed data
    sudo tpm2_create -C primary.context -g sha256 -i /tmp/mykeyfile -u key.pub -r key.priv -L policy.digest -a "noda|adminwithpolicy|fixedtpm|fixedparent"
    sudo tpm2_load -C primary.context -u key.pub -r key.priv -n key.name -c key.context
    sudo tpm2_evictcontrol -C o -c key.context 0x81010001
    # Unsealing only works with the PCR policy satisfied; compare against the original instead of overwriting it
    sudo tpm2_unseal -c 0x81010001 -p pcr:sha1:0,2,4,7 -o /tmp/mykeyfile.unsealed
    sudo cmp /tmp/mykeyfile /tmp/mykeyfile.unsealed && sudo shred -u /tmp/mykeyfile /tmp/mykeyfile.unsealed

    This part is like casting a spell. You don't need to understand it fully as long as you get the incantations right.

  9. Configure Auto-Decrypt: Finally, let's make sure this setup is useful. Modify your /etc/crypttab file to use the TPM:

    my_encrypted_partition UUID=<UUID of /dev/sdaX> none luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/decrypt_tpm2

    Replace <UUID of /dev/sdaX> with the actual UUID; blkid -s UUID -o value /dev/sdaX prints it. The keyscript has to exist and be copied into the initramfs along with the tpm2 tools it calls: Ubuntu's cryptsetup-initramfs does not ship a script named decrypt_tpm2, so you must supply that script yourself.

  10. Update Initramfs: Update the initramfs for the changes to take effect:

    sudo update-initramfs -u

    This step is like telling your system, "Remember all that stuff we just did? Please actually use it."

  11. Reboot: Now, reboot and cross your fingers. If all went well, your system should ask for the passphrase and also use the TPM to unlock the encrypted partition.

Remember, this guide is like teaching someone to juggle chainsaws. It's cool if it works, but be prepared for a few cuts along the way. And backups, always have backups!
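The sealing step above is the part that fails silently when a flag is missing, so here is the same flow as one script that proves the unseal round-trip before anything depends on it. This is an added example, not code from the gist or from tpm2-tools. It assumes tpm2-tools 5.x command names and flags, plus cryptsetup, blkid, cmp and shred on the host; the persistent handle 0x81010001, the PCR selection 0,2,4,7 and the keyscript path are taken from the gist, while using the sha256 PCR bank instead of sha1 is this example's own choice (check that the bank is active with tpm2_pcrread). The function names (make_keyfile, seal_keyfile, verify_unseal, crypttab_entry) are this example's, not anything the tools provide.

```shell
#!/bin/sh
# Added example, not part of the original gist: seal a LUKS keyfile to the TPM
# under a PCR policy, prove the unseal round-trip works before anything depends
# on it, and emit the crypttab line. Assumptions: tpm2-tools 5.x command names
# and flags, cryptsetup, blkid, cmp and shred on the host; the persistent handle
# 0x81010001, the PCR selection 0,2,4,7 and the keyscript path come from the
# gist, while the sha256 PCR bank (instead of sha1) is this example's choice.
set -eu

# Generate a 2048-byte random keyfile that is readable only by its owner.
make_keyfile() {
    ( umask 077; dd if=/dev/urandom of="$1" bs=512 count=4 2>/dev/null )
    chmod 600 "$1"
}

# Succeed only if two files are byte-identical (the unseal check relies on this).
same_contents() {
    cmp -s "$1" "$2"
}

# Accept only a well-formed filesystem UUID, as printed by blkid.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Build the /etc/crypttab entry from mapping name, UUID and keyscript path.
crypttab_entry() {
    is_uuid "$2" || { echo "crypttab_entry: '$2' is not a UUID" >&2; return 1; }
    printf '%s UUID=%s none luks,discard,initramfs,keyscript=%s\n' "$1" "$2" "$3"
}

# Seal keyfile $1 under PCR policy $2, persist it at handle $3, work dir $4.
# No userwithauth attribute: the only way to unseal is to satisfy the policy.
seal_keyfile() {
    tpm2_createpolicy --policy-pcr -l "$2" -L "$4/policy.digest"
    tpm2_createprimary -C e -g sha256 -G rsa -c "$4/primary.ctx"
    tpm2_create -C "$4/primary.ctx" -i "$1" -L "$4/policy.digest" \
        -u "$4/key.pub" -r "$4/key.priv" \
        -a 'fixedtpm|fixedparent|adminwithpolicy|noda'
    tpm2_load -C "$4/primary.ctx" -u "$4/key.pub" -r "$4/key.priv" -c "$4/key.ctx"
    tpm2_evictcontrol -C o -c "$4/key.ctx" "$3"
}

# Unseal from handle $3 with policy $2 satisfied, write to $4, compare with $1.
verify_unseal() {
    tpm2_unseal -c "$3" -p "pcr:$2" -o "$4"
    same_contents "$1" "$4"
}

# Usage: sh seal-luks-key.sh seal /dev/sdaX my_encrypted_partition
main() {
    dev=$2; name=$3
    pcrs='sha256:0,2,4,7'; handle=0x81010001
    work=$(mktemp -d); kf="$work/luks.key"
    make_keyfile "$kf"
    cryptsetup luksAddKey "$dev" "$kf"   # prompts for an existing passphrase
    seal_keyfile "$kf" "$pcrs" "$handle" "$work"
    if ! verify_unseal "$kf" "$pcrs" "$handle" "$work/unsealed.key"; then
        echo "unseal did not reproduce the keyfile; leaving crypttab alone" >&2
        shred -u "$kf"; rm -rf "$work"; exit 1
    fi
    echo "Append this line to /etc/crypttab (the keyscript must exist on this host):"
    crypttab_entry "$name" "$(blkid -s UUID -o value "$dev")" \
        /lib/cryptsetup/scripts/decrypt_tpm2
    # From here on the key exists only inside the TPM and the LUKS keyslot.
    shred -u "$kf" "$work/unsealed.key"; rm -rf "$work"
}

# Only act when invoked with the explicit "seal" verb; sourcing the file is inert.
if [ "${1:-}" = "seal" ]; then main "$@"; fi
```

The script prints the crypttab line rather than editing the file, so a failed round-trip (a PCR bank that is not active, a policy that does not match, a missing -i) stops before the system is left depending on a key the TPM cannot release.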
