
@Matthew0x
Created April 4, 2024 14:04
TPM with LUKS2 (published)

#published

License

GPLv3

tl;dr - do what you want, I hold no liability for usage/misuse of this note.

Remarks

Worked for me in 2024. If you don't know what you're doing, then don't do it (not that I know). I take no responsibility, and some of these commands could potentially break your fstab/crypttab/LUKS configuration.

LUKS2

Red Hat's existing guide explains how to set up LUKS2 itself; this note only covers binding an existing LUKS2 volume to the TPM. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening

cryptsetup

Finding mappers/testing LUKS

  1. Find the LUKS UUID of the encrypted device:
    • cryptsetup luksUUID /dev/sdXYZ prints the UUID stored in the LUKS header
  2. (Optional) Inspect the whole LUKS header:
    • cryptsetup luksDump /dev/sdXYZ dumps the header (version, data segments, keyslots, tokens, digests)
    • the same UUID is on the "UUID:" line near the top
  3. Unlock the device with cryptsetup:
    • make sure the device is not already open (cryptsetup status <name>) and not mounted before using luksOpen
    • cryptsetup luksOpen /dev/sdXYZ luks-XYZ-XYZ-XYZ-XYZ-XYZ (luksOpen is the older spelling of cryptsetup open)
      • 1st argument is the encrypted block device (/dev/sdXYZ, or /dev/nvmeXnYpZ for NVMe)
      • 2nd argument is the name of the device-mapper node to create; the name is arbitrary, but the "luks-(LUKS UUID)" convention is what crypttab below uses, and the unlocked volume appears as /dev/mapper/luks-XYZ-XYZ-XYZ-XYZ-XYZ
    • Mount the unlocked device (the /dev/mapper/ node, not the raw partition) to check that LUKS works as expected, then unmount it and close the mapping with cryptsetup luksClose luks-XYZ-XYZ-XYZ-XYZ-XYZ

Testing TPM capability

  1. Check that the host OS sees a TPM 2.0 device
    • sudo tpm2_getcap -l
      • -l only lists the capability names the tool knows about; to actually talk to the chip, query one of them, e.g. sudo tpm2_getcap properties-fixed, which fails if no TPM is reachable
      • sudo systemd-cryptenroll --tpm2-device=list shows the TPM devices systemd would use (normally /dev/tpmrm0); if that list is empty, the enrollment below will not work regardless of what tpm2-tools reports

systemd-cryptenroll

Enrollment of TPM keys

  1. (Optional) Re-enroll a device that is already TPM-bound: --wipe-slot=tpm2 removes the existing TPM2 keyslot(s) and token(s), and the same invocation enrolls a fresh one (this is also how you rebind after a PCR change)
    • sudo systemd-cryptenroll /dev/sdXYZ --wipe-slot=tpm2 --tpm2-pcrs=7 --tpm2-device=auto
  2. Enroll the TPM2 into a new keyslot of the LUKS encrypted device
    • sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdXYZ
    • systemd-cryptenroll first asks for an existing passphrase to unlock the volume (or reads it from --unlock-key-file=); the passphrase keyslot stays in place and a new slot plus a "systemd-tpm2" token are written to the LUKS2 header
    • sudo systemd-cryptenroll /dev/sdXYZ with no other options lists the slots afterwards; cryptsetup luksDump shows the token with the PCR list it was sealed against
  3. Caveats
    • PCR 7 measures the Secure Boot state (policy, enrolled certificates, the certificate used to verify the bootloader), not the kernel or initrd. A firmware update or a change of Secure Boot keys changes PCR 7, the key no longer unseals, and boot falls back to the passphrase prompt. Never wipe the passphrase slot.
    • Without Secure Boot enabled, nothing in the boot chain is verified, so PCR 7 alone does not stop someone booting a modified kernel/initrd from the same disk and getting the key unsealed.
    • With --tpm2-pcrs=7 and no PIN, anyone who boots the machine gets the disk unlocked; add --tpm2-with-pin=yes if you want a PIN required in addition to the TPM.
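The checks from the cryptsetup section (reading the UUID out of luksDump) and the state you want after enrollment (a systemd-tpm2 token is present, which PCRs and PIN it uses, and a non-TPM keyslot survives for recovery) can be scripted against the luksDump output. The following is an added example, not code from the gist; the dump it parses is constructed and abridged (the blob, salt and digest fields of a real header are left out, and the UUID is made up), and the function names are my own. Given a block device argument it parses the real header instead.

```shell
#!/usr/bin/env bash
# Added example: parse `cryptsetup luksDump` output of a LUKS2 volume and
# verify the post-enrollment state. SAMPLE_DUMP is a constructed, abridged
# dump with one passphrase slot (0) and one systemd-cryptenroll TPM2 slot (1).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           3f2504e0-4f89-41d3-9a0c-0305e82c3301
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pubkey-pcrs: n/a
        tpm2-primary-alg: ecc
        tpm2-pin:         false
        tpm2-salt:        false
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 117000'

# The header UUID: the value crypttab's UUID= and the luks-<UUID> mapper name use.
luks_uuid() {
  printf '%s\n' "$1" | awk '$1 == "UUID:" { print $2; exit }'
}

# Space-separated keyslot ids from the "Keyslots:" section.
luks_keyslots() {
  printf '%s\n' "$1" | awk '
    /^[^ \t].*:$/ { sec = $0; next }
    sec == "Keyslots:" && /^  [0-9]+: / { id = $1; sub(/:/, "", id); out = out (n++ ? " " : "") id }
    END { print out }'
}

# One line per systemd-tpm2 token: "<token-id> <keyslot> <pcrs> <pin>".
tpm2_tokens() {
  printf '%s\n' "$1" | awk '
    function flush() { if (type == "systemd-tpm2") print tok, slot, pcrs, pin }
    /^[^ \t].*:$/ { sec = $0; next }
    sec != "Tokens:" { next }
    /^  [0-9]+: / { if (tok != "") flush(); tok = $1; sub(/:/, "", tok); type = $2; slot = "?"; pcrs = "?"; pin = "?"; next }
    $1 == "tpm2-hash-pcrs:" { pcrs = $2 }
    $1 == "tpm2-pin:"       { pin = $2 }
    $1 == "Keyslot:"        { slot = $2 }
    END { if (tok != "") flush() }'
}

# Exit 0 when at least one keyslot is not owned by a TPM2 token, i.e. a
# passphrase (or other) slot is left to recover with when PCR 7 changes.
has_recovery_slot() {
  local bound s
  bound=" $(tpm2_tokens "$1" | awk '{ print $2 }' | tr '\n' ' ') "
  for s in $(luks_keyslots "$1"); do
    case "$bound" in
      *" $s "*) ;;
      *) return 0 ;;
    esac
  done
  return 1
}

# Human-readable report; returns 1 on a finding you would not want on a real host.
enrollment_report() {
  local dump=$1 rc=0 t
  echo "LUKS UUID : $(luks_uuid "$dump")"
  echo "keyslots  : $(luks_keyslots "$dump")"
  t=$(tpm2_tokens "$dump")
  if [ -z "$t" ]; then
    echo "FINDING   : no systemd-tpm2 token, volume is not TPM-bound"; rc=1
  else
    printf '%s\n' "$t" | while read -r id slot pcrs pin; do
      echo "tpm2 token: id=$id keyslot=$slot pcrs=$pcrs pin=$pin"
      [ "$pin" = "true" ] || echo "NOTE      : token $id has no PIN, the disk unlocks for anyone who can boot this machine"
    done
  fi
  if has_recovery_slot "$dump"; then
    echo "recovery  : a non-TPM keyslot is present"
  else
    echo "FINDING   : every keyslot is TPM-bound, a PCR change locks you out"; rc=1
  fi
  return $rc
}

# With a device argument (run as root) the real header is checked; without
# one the constructed sample above is used.
if [ $# -ge 1 ]; then dump=$(cryptsetup luksDump "$1"); else dump=$SAMPLE_DUMP; fi
enrollment_report "$dump"
```

The parser splits on whitespace, so it does not care whether the indentation is tabs (real cryptsetup output) or spaces (the sample). On the sample it reports token 0 bound to keyslot 1 with PCR 7 and no PIN, and confirms keyslot 0 is still a passphrase slot.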

crypttab

Modifying /etc/crypttab

  1. Modify /etc/crypttab
    • one line per volume to attach during boot; the format is four whitespace-separated fields: name, source device, key file, options (a line starting with # is a comment)
      • luks-(LUKS UUID) UUID=(LUKS UUID) none tpm2-device=auto
      • 1st field is the mapper name systemd-cryptsetup creates (/dev/mapper/luks-(LUKS UUID)), following the "luks-(LUKS UUID)" convention used with luksOpen above
      • 2nd field identifies the encrypted partition; UUID= here is the LUKS header UUID from cryptsetup luksUUID, which is also what blkid reports for a partition of TYPE="crypto_LUKS", so it is the same value as in the name
      • 3rd field none means no key file, so the passphrase prompt remains as fallback when the TPM unseal fails
      • 4th field tpm2-device=auto makes systemd-cryptsetup try the systemd-tpm2 token in the LUKS2 header; the PCR list was stored in that token by systemd-cryptenroll, so tpm2-pcrs=7 may be added for clarity but is not required
    • if the volume is the root filesystem, the initramfs has to contain TPM2 support (on dracut-based systems such as RHEL/Fedora the tpm2-tss module, add_dracutmodules+=" tpm2-tss " in /etc/dracut.conf.d/ if it is not pulled in already); rebuild it after editing crypttab, e.g. sudo dracut -f

fstab

Modifying /etc/fstab

Red Hat already has a guide explaining /etc/fstab: https://www.redhat.com/sysadmin/etc-fstab which is complementary to the mount(8) man page: https://www.man7.org/linux/man-pages/man8/mount.8.html

  1. Modify /etc/fstab
    • mount the filesystem(s) inside the unlocked volume by filesystem UUID (blkid /dev/mapper/luks-(LUKS UUID)), mount point and filesystem type
      • UUID=XYZ-XYZ-XYZ-XYZ-XYZ (mount-point-path) (filesystem) (options)
      • this UUID is the filesystem UUID inside the mapper device, not the LUKS UUID used in crypttab; the mount waits until that filesystem appears, which happens once the crypttab entry has opened the volume (/dev/mapper/luks-(LUKS UUID) as the first field works as well)

PS: Test fstab before rebooting with sudo systemctl daemon-reload (regenerates the mount units from fstab) followed by sudo mount -a; sudo findmnt --verify also catches most typos. Otherwise you risk dropping into the emergency shell on the next boot, at least while working out the mount options.
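The crypttab and fstab edits above are easy to get subtly wrong (a fifth field on the crypttab line, a UUID that does not match the LUKS header, a /dev/mapper/ name in fstab that no crypttab entry creates), and each of those shows up only at the next boot. The following is an added example, not code from the gist: it checks a crypttab/fstab pair against the LUKS UUID before you reboot. The file contents and UUIDs are constructed, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: pre-reboot consistency check of crypttab + fstab. All
# sample content is constructed; the crypttab has one good line and two
# broken ones, the fstab one mapper reference without a crypttab entry.
LUKS_UUID='3f2504e0-4f89-41d3-9a0c-0305e82c3301'

SAMPLE_CRYPTTAB="# <name>  <device>  <keyfile>  <options>
luks-$LUKS_UUID  UUID=$LUKS_UUID  none  tpm2-device=auto
data  luks-$LUKS_UUID  UUID=$LUKS_UUID  none  tpm2-device=auto
backup  /dev/sdb2  none  discard"

SAMPLE_FSTAB="UUID=0f1e2d3c-4b5a-4697-8877-665544332211  /data  xfs  defaults,nofail  0 2
/dev/mapper/luks-$LUKS_UUID  /srv  xfs  defaults  0 2
/dev/mapper/luks-00000000-0000-4000-8000-000000000000  /mnt/old  ext4  defaults  0 2"

# Mapper names declared in crypttab (field 1 of every non-comment line).
crypttab_names() {
  printf '%s\n' "$1" | awk 'NF > 0 && $1 !~ /^#/ { print $1 }'
}

# Prints one finding per line; returns the number of findings (0 = clean).
# Checks: exactly four fields, UUID= source, the luks-<UUID> entry points at
# that UUID, and tpm2-device= is present so the TPM token is actually tried.
check_crypttab() {
  local crypttab=$1 luks_uuid=$2 n=0 line
  while IFS= read -r line; do
    set -- $line                      # split the line into its fields
    [ $# -eq 0 ] && continue
    case $1 in \#*) continue ;; esac
    if [ $# -ne 4 ]; then
      echo "crypttab: '$line' has $# fields, expected 4 (name device keyfile options)"
      n=$((n + 1)); continue
    fi
    if [ "$1" = "luks-$luks_uuid" ] && [ "$2" != "UUID=$luks_uuid" ]; then
      echo "crypttab: $1 does not reference UUID=$luks_uuid as its device"; n=$((n + 1))
    fi
    case $2 in
      UUID=*) ;;
      *) echo "crypttab: $1 uses '$2' instead of a UUID= source"; n=$((n + 1)) ;;
    esac
    case ",$4," in
      *,tpm2-device=*) ;;
      *) echo "crypttab: $1 has no tpm2-device= option, boot will prompt for the passphrase"; n=$((n + 1)) ;;
    esac
  done <<EOF
$crypttab
EOF
  return $n
}

# Prints one finding per line; returns the number of findings. Every
# /dev/mapper/<name> used in fstab must be created by a crypttab entry.
check_fstab() {
  local fstab=$1 crypttab=$2 n=0 line names
  names=" $(crypttab_names "$crypttab" | tr '\n' ' ') "
  while IFS= read -r line; do
    set -- $line
    [ $# -eq 0 ] && continue
    case $1 in \#*) continue ;; esac
    if [ $# -lt 4 ]; then
      echo "fstab: '$line' has $# fields, expected at least 4"; n=$((n + 1)); continue
    fi
    case $1 in
      /dev/mapper/*)
        case "$names" in
          *" ${1#/dev/mapper/} "*) ;;
          *) echo "fstab: $1 ($2) has no crypttab entry, boot will wait for a device that never appears"; n=$((n + 1)) ;;
        esac ;;
    esac
  done <<EOF
$fstab
EOF
  return $n
}

c=0; check_crypttab "$SAMPLE_CRYPTTAB" "$LUKS_UUID" || c=$?
f=0; check_fstab "$SAMPLE_FSTAB" "$SAMPLE_CRYPTTAB" || f=$?
echo "findings: crypttab=$c fstab=$f"
```

Against the real files, call check_crypttab "$(cat /etc/crypttab)" "$(sudo cryptsetup luksUUID /dev/sdXYZ)" and check_fstab "$(cat /etc/fstab)" "$(cat /etc/crypttab)"; a non-zero return from either is a reason not to reboot yet. On the sample the five-field line, the non-UUID source and the missing tpm2-device= option give three crypttab findings, and the orphaned /dev/mapper/ entry one fstab finding.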
