First step: install tpm2-tss, tpm2-tools and all their dependencies.
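# Install dependencies
sudo apt-get update && sudo apt-get -y install autoconf autoconf-archive automake libtool pkg-config gcc libssl-dev libcurl4-gnutls-dev doxygen
# Install tpm2-tss
git clone https://github.com/tpm2-software/tpm2-tss.git
cd tpm2-tss
# Pin to a known commit rather than the moving branch head so the build is
# reproducible; check `git log -1` shows the commit you expect before running
# the install step as root.
git checkout e05d28ec # I used this particular commit
./bootstrap
# --prefix=/usr puts the library where the initramfs hook later copies it from
# (/usr/lib/libtss2-tcti-device.so).
./configure --prefix=/usr
# Parallel build sized to the machine instead of a fixed job count.
make -j"$(nproc)"
sudo make install
# Leave the tpm2-tss tree again, otherwise the next clone lands inside it.
cd ..
# Install tpm2-tools
git clone https://github.com/tpm2-software/tpm2-tools.git
cd tpm2-tools
# Same reasoning as above: a pinned commit, verified before building.
git checkout 446b4f37 # I used this particular commit
./bootstrap
# --prefix=/usr puts tpm2_unseal at /usr/bin/tpm2_unseal, the path the hook copies.
./configure --prefix=/usr
make -j"$(nproc)"
sudo make install
cd ..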
Second step: create a secret key and add it to the LUKS device with cryptsetup.
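# Create secret and add to cryptsetup
# Generate the 32-byte key under a restrictive umask so the file is created
# 0600 from the start; without this, dd creates it world-readable until the
# chmod below runs.
sudo sh -c 'umask 077 && dd if=/dev/urandom of=/secret.bin bs=32 count=1'
# A key file needs no execute bit: owner read/write only.
sudo chmod 600 /secret.bin
# Enroll the key as an additional LUKS keyslot (the existing passphrase stays
# valid and is the fallback when the TPM cannot unseal).
sudo cryptsetup luksAddKey /dev/sda<x> /secret.bin
# /secret.bin is read again in the third step when it is sealed into the TPM;
# after that the plaintext copy on disk is only needed to re-seal, so keep it
# no longer than necessary.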
* Replace `<x>` with your own value.
Third step: seal the secret key in the TPM and make the sealed object persistent.
# Enable and clear your tpm in your BIOS first to start with a clean TPM
# Create primary TPM object; its context is saved to primary.ctx for the
# create/load commands below
sudo tpm2_createprimary -c primary.ctx
# Create PCR Policy against PCR 0-7. The digest captures the CURRENT values of
# PCR 0-7 in the sha1 bank, so the sealed secret can only be unsealed while
# those PCRs still hold the same values (they typically change after firmware,
# boot-configuration or bootloader updates; getsecret.sh then falls back to
# the passphrase and the object has to be re-sealed).
# NOTE(review): if your TPM has an active sha256 bank, prefer it over sha1 —
# the unseal commands below and in getsecret.sh must then name the same bank.
sudo tpm2_createpolicy --policy-pcr -l sha1:0,1,2,3,4,5,6,7 -L policy.digest
# Create tpm object: seal the contents of /secret.bin (-i) under the primary,
# bound to the PCR policy. Attributes: noda (no dictionary-attack lockout for
# this object), adminwithpolicy (admin actions require the policy),
# fixedparent|fixedtpm (cannot be re-parented or duplicated out of this TPM).
sudo tpm2_create -C primary.ctx -u obj.pub -r obj.priv -L policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /secret.bin
# Flush transient handles (making some room in the memory for the TPM)
sudo tpm2_flushcontext -t
# Load object into the TPM
sudo tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c load.ctx
# Make object persistent (the persistent handle assigned here is what the
# getcap command below lists)
sudo tpm2_evictcontrol -c load.ctx
# Flush transient handles
sudo tpm2_flushcontext -t
# List persistent handles — note the handle of the new object; it is used in
# the bonus commands below and in /sbin/getsecret.sh
sudo tpm2_getcap handles-persistent
# Bonus commands:
# To unseal an object use (the same PCR selection as the policy must be
# passed; this succeeds only while PCR 0-7 are unchanged):
sudo tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7
# To remove an object use:
sudo tpm2_evictcontrol -c 0x81000000
# The handle 0x81000000 was given by the `tpm2_getcap handles-persistent` command
# Once the object is persistent, the plaintext /secret.bin is not needed for
# unlocking any more; keep it only as long as you may need to re-seal it.
Fourth step: add the unseal keyscript: /sbin/getsecret.sh
#!/bin/sh
# crypttab keyscript: writes the LUKS key to stdout.
# First try to unseal it from the persistent TPM object (works only while
# PCR 0-7 in the sha1 bank match the values the policy was created with);
# if that fails, prompt for the passphrase instead.
echo "Unlocking via TPM" >&2
export TPM2TOOLS_TCTI="device:/dev/tpm0"
# On success tpm2_unseal has already written the key to stdout: done.
if /sbin/tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7; then
  exit 0
fi
# Fallback: interactive passphrase, passed through to cryptsetup as the key.
/lib/cryptsetup/askpass "Unlocking the disk fallback $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)\nEnter passphrase: "
Fifth step: make a backup of the current initramfs.
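# Keep a copy of the running kernel's initramfs so the machine can still be
# booted from it if the rebuilt image (ninth step) fails to unlock the disk.
# Quoted paths: a kernel release string with unusual characters must not be
# word-split.
kver=$(uname -r)
sudo cp -- "/boot/initrd.img-$kver" "/boot/initrd.img-$kver.orig"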
Sixth step: add a TPM hook for initramfs-tools: /etc/initramfs-tools/hooks/tpm2
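#!/bin/sh
# initramfs-tools hook: copies the TPM unseal tool, its TCTI driver and the
# crypttab keyscript into the initramfs so the root volume can be unlocked
# from the TPM at boot.
PREREQ="lvm"
# Prints the hooks that must run before this one (initramfs-tools protocol).
prereqs()
{
  echo "$PREREQ"
}
# Quoted so an empty argument list does not break the case statement.
case "$1" in
  prereqs)
    prereqs
    exit 0
    ;;
esac
. /usr/share/initramfs-tools/hook-functions
# Begin real processing below this line
# Copy the files to read the TPM (unseal) and the keyscript that reads the secret.
# copy_exec also pulls in the libraries a binary is linked against; the TCTI
# is presumably selected by name at run time (TPM2TOOLS_TCTI in getsecret.sh),
# which that dependency scan would not see, hence the explicit copy.
# NOTE(review): this page does not show whether the loader finds the TCTI
# under /sbin inside the initramfs — verify at boot; if it is not found,
# getsecret.sh quietly falls back to the passphrase prompt.
copy_exec /usr/bin/tpm2_unseal /sbin/
copy_exec /usr/lib/libtss2-tcti-device.so /sbin/
copy_exec /sbin/getsecret.sh /sbin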
Seventh step: make script and hook executable.
# Both the keyscript and the hook are run as programs, so they need the
# execute bit.
sudo chmod +x -- /sbin/getsecret.sh /etc/initramfs-tools/hooks/tpm2
Eighth step: modify /etc/crypttab by adding the keyscript option.
sda<x>_crypt UUID=<UUID> none luks,keyscript=/sbin/getsecret.sh
* Replace `<x>` and `<UUID>` with your own values.
Ninth step: update the initramfs:
# Rebuild the initramfs so the hook and keyscript are included; the .orig
# copy from the fifth step remains as a fallback boot image.
sudo update-initramfs -u
That's all.