#published
tl;dr - do what you want, I hold no liability for usage/misusage of this note.
Worked for me in 2024. If you don't know what you're doing then don't do it (not that I know). I take no responsibility and some of these commands could potentially break your fstab/crypttab/luks configuration.
Red Hat (RH) already provides a guide explaining how to use LUKS2: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening
- Find the LUKS UUID of the LUKS encrypted device using:
  - `cryptsetup luksUUID /dev/sdXYZ` to dump the LUKS UUID
- (Optional) Inspect the LUKS header of the LUKS encrypted device using:
  - `cryptsetup luksDump /dev/sdXYZ` to dump the LUKS header
  - look for the UUID field in the dumped header
- Unlock the device with cryptsetup, using:
  - make sure the device is both unmounted and locked before using luksOpen
  - `cryptsetup luksOpen /dev/nvmeXYZ luks-XYZ-XYZ-XYZ-XYZ-XYZ`
  - 1st argument is the device name identifying the encrypted device (/dev/nvmeXYZ)
  - 2nd argument is the LUKS mapper name identifying the unlocked LUKS partition (luks-XYZ-XYZ-XYZ-XYZ-XYZ)
- Mount the unlocked device to check that LUKS is working as expected
- Obtain the TPM status of the host OS
  - `sudo tpm2_getcap -l`
  - if tpm2_getcap produces output then a TPM is present
- (Optional) Re-enroll a LUKS device already bound to the TPM by wiping its old TPM2 key slot and enrolling a new one
  - `systemd-cryptenroll /dev/sdXYZ --wipe-slot=tpm2 --tpm2-pcrs=7 --tpm2-device=auto`
- Enroll the LUKS encrypted device to the TPM2 module
  - `sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdXYZ`
- Modify /etc/crypttab
  - to attach the device during boot, add an entry of the form (the first line is a comment):
    # name-of-device
    luks-(LUKS UUID) UUID=(device UUID) none tpm2-device=auto,tpm2-pcrs=7
  - 1st field is the name of the encrypted partition, by convention "luks-(LUKS UUID)"
  - 2nd field is the UUID of the device itself, referencing the physical device
Red Hat already provides a guide explaining the process: https://www.redhat.com/sysadmin/etc-fstab which is complemented by the mount(8) man page: https://www.man7.org/linux/man-pages/man8/mount.8.html
- Modify /etc/fstab
  - attach the disk(s) using the corresponding device UUIDs, mount points and filesystems, one entry per disk:
    UUID=XYZ-XYZ-XYZ-XYZ-XYZ (mount-point-path) (filesystem) (options)
PS: It's a good idea to test fstab with `systemctl daemon-reload` and `sudo mount -a`, or else you risk running into a panic on the next boot, at least while working out the mount options.
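As an added example that is not part of the original note, the following POSIX sh script checks one crypttab entry and its fstab counterpart for the conventions listed above (mapper name `luks-<UUID>`, `none` key field, `tpm2-device=auto,tpm2-pcrs=7`) before you reboot; the UUIDs and the /data mount point are constructed samples, and `blkid /dev/mapper/<name>` is assumed as the way to read the inner filesystem UUID.

```shell
#!/bin/sh
# Added example (not from the original note): check a crypttab entry and its fstab
# counterpart before rebooting, so a bad entry fails here rather than at boot.
set -u
UUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
LUKS_UUID='6b1f0a3c-1c2d-4e5f-8a9b-0c1d2e3f4a5b'   # constructed LUKS header UUID
FS_UUID='0d9e8c7b-6a5f-4e3d-2c1b-0a9f8e7d6c5b'     # constructed inner filesystem UUID
SAMPLE_CRYPTTAB="luks-$LUKS_UUID UUID=$LUKS_UUID none tpm2-device=auto,tpm2-pcrs=7"
SAMPLE_FSTAB="UUID=$FS_UUID /data ext4 defaults,nofail 0 2"

# has_opt OPTS NAME: succeeds when the comma-separated OPTS contains NAME exactly.
has_opt() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }
# uuid_of STRING PREFIX: prints the UUID that follows PREFIX, or nothing if malformed.
uuid_of() { printf '%s\n' "$1" | grep -Eo "^$2$UUID_RE\$" | cut -c "$((${#2} + 1))-"; }

# check_crypttab_line ENTRY: mapper name is luks-<UUID>, source is UUID=<same UUID>,
# key field is "none" (the TPM supplies it) and the options bind to TPM2 with PCR 7.
check_crypttab_line() {
    set -- $1                       # fields: name source key options
    name=${1:-}; src=${2:-}; key=${3:-}; opts=${4:-}
    uuid=$(uuid_of "$name" luks-)
    [ -n "$uuid" ] || { echo "bad mapper name: $name"; return 1; }
    [ "$src" = "UUID=$uuid" ] || { echo "UUID= does not match mapper name"; return 1; }
    [ "$key" = none ] || { echo "key field must be 'none' for TPM2 unlock"; return 1; }
    has_opt "$opts" tpm2-device=auto || { echo "missing tpm2-device=auto"; return 1; }
    has_opt "$opts" tpm2-pcrs=7 || { echo "missing tpm2-pcrs=7"; return 1; }
}

# check_fstab_line FSTAB_ENTRY CRYPTTAB_ENTRY: the fstab device must be the mapper that
# the crypttab entry creates or UUID=<filesystem UUID>; it must NOT be the LUKS header
# UUID, which names the still-encrypted container and cannot be mounted.
check_fstab_line() {
    name=$(printf '%s\n' "$2" | awk '{print $1}')
    luks_uuid=$(uuid_of "$name" luks-)
    set -- $1                       # fields: device mountpoint fstype options [dump pass]
    dev=${1:-}; mnt=${2:-}; opts=${4:-}
    if [ "$dev" != "/dev/mapper/$name" ]; then
        fs_uuid=$(uuid_of "$dev" UUID=)
        [ -n "$fs_uuid" ] || { echo "device $dev is neither /dev/mapper/$name nor UUID=<uuid>"; return 1; }
        [ "$fs_uuid" != "$luks_uuid" ] || { echo "UUID= is the LUKS header UUID; use blkid /dev/mapper/$name for the filesystem UUID"; return 1; }
    fi
    case $mnt in /*) ;; *) echo "mount point must be absolute: $mnt"; return 1 ;; esac
    has_opt "$opts" nofail || echo "note: $mnt lacks nofail; a failed unlock will then stop the boot"
}

check_crypttab_line "$SAMPLE_CRYPTTAB" && check_fstab_line "$SAMPLE_FSTAB" "$SAMPLE_CRYPTTAB" \
    && echo "entries look consistent; now run systemctl daemon-reload and sudo mount -a"
```

Feed it the real lines from /etc/crypttab and /etc/fstab in place of the samples; the fstab check only passes a `UUID=` device that differs from the LUKS header UUID, since that header UUID is the one `cryptsetup luksUUID` printed, not the filesystem's.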