Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Disk encryption with Clevis example
GNU nano 4.3 disk-encryption.sh
#!/bin/bash
set -euxo pipefail
rpm -qa clevis* cryptsetup* luks* tpm2* e*fspr* | sort
# Creation
# dd if=/dev/zero of=/dev/sda1 bs=1M status=progress
openssl rand -hex 8 > key
cryptsetup -q luksFormat /dev/sda1 key
clevis luks bind -f -k key -d /dev/sda1 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"0,1"}'
cryptsetup luksRemoveKey /dev/sda1 key
cryptsetup luksOpen /dev/sda1 c1 --key-file key || echo "Key Removed Succesfully"
clevis luks unlock -d /dev/sda1 -n c1
# dd if=/dev/zero of=/dev/mapper/c1 bs=1M status=progress
mkfs.ext4 /dev/mapper/c1
sleep 1
# Mount
mkdir -p /tmp/disk-encryption-mount
mount /dev/mapper/c1 /tmp/disk-encryption-mount
# Sanitization
umount /tmp/disk-encryption-mount
cryptsetup luksClose c1
clevis luks unbind -d /dev/sda1 -s 1 -f
tpm2_clear
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment