Setting up luks encryption with TPM 1.2

eabreu.cu
Posts: 1
Joined: 2021/11/22 20:25:46

Post by eabreu.cu » 2021/11/22 21:18:56

Hello everyone,

I've been trying to set up automatic boot with LUKS-encrypted disks, storing the encryption key in a TPM 1.2 chip. I've been mainly using this guide, https://github.com/gastamper/dracut-tpm, but I have not had luck with dracut. I already took ownership of the TPM with trousers and tpm-tools and stored the key at index 1. What I don't know how to do is either set up LUKS (/etc/crypttab) to search for the keyfile at boot time or configure the initramfs to send the key when the OS prompts for the disk encryption password. Has anyone ever configured an encrypted disk with TPM 1.2, trousers and tpm-tools?


Thanks in advance.

P.S.: I have also tried the following methods, or a combination of all of them:

https://github.com/archont00/arch-linux-luks-tpm-boot
https://github.com/morbitzer/linux-luks-tpm-boot
https://github.com/gastamper/dracut-tpm

cxor
Posts: 2
Joined: 2021/12/14 22:26:54

Re: Setting up luks encryption with TPM 1.2

Post by cxor » 2021/12/14 22:33:04

@eabreu.cu, any luck? I just installed CentOS and I'm in the same boat. I'm just getting started with this.

This post has a more complete description of the process, but also has no answers: https://serverfault.com/questions/10574 ... passphrase

When I installed CentOS, my TPM was enabled but deactivated. I have since activated it, but I wonder if it would simply set up LUKS & initramfs properly if it were activated during the install? You never know, I could get lucky LOL. I don't have anything on the system, so I'm going to try that.

I'm using this computer for Pi-hole, which has SELinux, and that is already holding me up a bit on the install. I think I can place it in permissive and then re-enable it, so I'm going to try to stick it out for the next few days, since I'd much rather use CentOS than Ubuntu.

cxor
Posts: 2
Joined: 2021/12/14 22:26:54

Re: Setting up luks encryption with TPM 1.2

Post by cxor » 2021/12/14 23:28:34

Also, it looks like clevis doesn't include =tpm-tools=, only the =tpm2-tools=. Does the new tpm tool package offer an API that is the same for TPM 1.2 and TPM 2.0?

https://centos.pkgs.org/7/centos-x86_64 ... 4.rpm.html
