@rmrfslashbin
Last active April 4, 2021 16:44
Quick guide to setting up Clevis TPM/Luks boot-time unlock

A brief guide to setting up TPM-based LUKS partition unlocking at boot time.

BIOS

The TPM must be enabled in the BIOS

Software install

sudo apt install \
  clevis \
  clevis-luks \
  clevis-systemd \
  clevis-tpm2 \
  tpm2-tools \
  clevis-initramfs

Validate TPM function

sudo tpm2_pcrread

The output should show PCR values in both the sha1 and sha256 banks.

Bug fixup

Apply the workaround described in Debian bug #968518:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968518#10

Load Clevis scripts into the initrd

sudo update-initramfs -u -k 'all'

Config Luks

  • Replace /dev/nvme0n1p3 with the proper device.
  • Replace "pcr_bank":"sha256","pcr_ids":"0,1" as needed (it's likely fine...).

sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1"}'

Reboot

Reboot the system; at the LUKS passphrase prompt, don't enter anything. Just wait 5 to 10 seconds. The Clevis software should use the TPM to unlock the partition. If it fails, press the "esc" key to see what's going on. You can always use the passphrase to unlock the disk.
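Added example, not part of the original gist: a POSIX shell helper that reads tpm2_pcrread output, confirms that the PCRs you are about to bind to actually hold measurements (a PCR missing from the bank, or one that is still all zeros, was never extended during boot, so a key sealed to it would not be tied to the boot state at all), and then builds the gist's clevis config and bind command. The tpm2_pcrread sample is constructed and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `tpm2_pcrread` output (tpm2-tools 5.x layout) so the
# checks run offline. sha256 PCR 2 is deliberately all zeros (never extended).
SAMPLE_PCRREAD='  sha1:
    0 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275
    1 : 0x2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C
  sha256:
    0 : 0xB9B0C4A7D4F4E37A7A6C1E2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D
    1 : 0x4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B
    2 : 0x0000000000000000000000000000000000000000000000000000000000000000'

# pcr_value <bank> <id>: print the value of one PCR from pcrread text on stdin.
pcr_value() {
  awk -v bank="$1" -v id="$2" '
    /^ *[a-z0-9_]+: *$/               { cur = $1; sub(":", "", cur); next }
    cur == bank && $1 == id && $2 == ":" { print $3; exit }'
}

# pcrs_measured <bank> <ids>: succeed only if every listed PCR exists in the
# bank and is not all zeros (an all-zero PCR carries no boot measurement).
pcrs_measured() {
  out=$(cat)
  for id in $(printf '%s' "$2" | tr ',' ' '); do
    v=$(printf '%s\n' "$out" | pcr_value "$1" "$id")
    case "$v" in
      0x*) case "${v#0x}" in *[!0]*) ;; *) return 1 ;; esac ;;
      *)   return 1 ;;
    esac
  done
  return 0
}

# clevis_config <bank> <ids>: the JSON the gist passes to `clevis luks bind`;
# only digits and commas are accepted so the string cannot be malformed.
clevis_config() {
  case "$2" in ''|*[!0-9,]*) return 1 ;; esac
  printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$1" "$2"
}

# bind_command <device> <bank> <ids>: the full command to run as root.
bind_command() {
  cfg=$(clevis_config "$2" "$3") || return 1
  printf "clevis luks bind -d %s tpm2 '%s'" "$1" "$cfg"
}

# Demo on the constructed sample (a real run would pipe `sudo tpm2_pcrread`).
printf '%s\n' "$SAMPLE_PCRREAD" | pcrs_measured sha256 0,1 \
  && echo "ok: $(bind_command /dev/nvme0n1p3 sha256 0,1)" \
  || echo "sha256 PCRs 0,1 missing or unmeasured; do not bind yet"
```

Because the gist seals to PCRs 0 and 1 (firmware code and firmware configuration), a firmware update changes those values and the automatic unlock silently falls back to the passphrase prompt; re-run `clevis luks bind` after such updates and use `clevis luks list -d <device>` / `clevis luks unbind` to retire the stale binding.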
