TPM 2.0 can not automatically unlock encrypted partition when booting

Support for security such as Firewalls and securing linux
Post Reply
harrywangca
Posts: 82
Joined: 2016/01/12 23:27:04
Location: Vista California

TPM 2.0 can not automatically unlock encrypted partition when booting

Post by harrywangca » 2020/06/08 22:20:12

Hello Team,

I have a partition encrypted with luks, I followed the red hat website:https://access.redhat.com/documentation ... decryption
to use tpm2 to bind the encryted partition to try to automatically unlock it during booting, processes as followings:(for example my partition is /dev/sda5):

1. to check my encrypted partition, encrypted password is: ranger1234
# cryptsetup luksDump /dev/sda5
LUKS header information for /dev/sda5

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: c3 93 eb 25 f4 2b 5d 4a 66 6a ea 41 b6 ba f4 33 67 da 08 2d
MK salt: 9a b1 73 46 39 03 4a d3 7b 23 e0 53 e3 61 b9 77
79 08 48 b4 45 0b ce 0a 53 b7 ef ba ae 6c 3f f2
MK iterations: 118940
UUID: 76de5cd7-af0e-40a9-9465-a38d2c8107c9

Key Slot 0: ENABLED
Iterations: 1913458
Salt: 4d 02 d9 80 bb cc f2 ad d4 d1 81 c6 0e 2c d9 61
28 b9 a6 e6 3d d5 ab fc f6 f0 1c 95 94 2e 49 d0
Key material offset: 8
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

2. #clevis luks bind -d /dev/sda5 tpm2 '{"pcr_ids":"7"}' <<< ranger1234
then check partition /dev/sda5 again, and see tpm2 generated master saved into sda5 header metadata in Key Slot 1:
# cryptsetup luksDump /dev/sda5
LUKS header information for /dev/sda5

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: c3 93 eb 25 f4 2b 5d 4a 66 6a ea 41 b6 ba f4 33 67 da 08 2d
MK salt: 9a b1 73 46 39 03 4a d3 7b 23 e0 53 e3 61 b9 77
79 08 48 b4 45 0b ce 0a 53 b7 ef ba ae 6c 3f f2
MK iterations: 118940
UUID: 76de5cd7-af0e-40a9-9465-a38d2c8107c9

Key Slot 0: ENABLED
Iterations: 1913458
Salt: 4d 02 d9 80 bb cc f2 ad d4 d1 81 c6 0e 2c d9 61
28 b9 a6 e6 3d d5 ab fc f6 f0 1c 95 94 2e 49 d0
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 1949026
Salt: da e6 4d dc 1b cd 76 55 53 0d 32 54 e3 52 ca bb
58 d7 34 97 58 a3 69 97 55 b8 2d 4a 1d 39 5a 2e
Key material offset: 512
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

3. # dracut -fv
4. reboot PC and I found partition /dev/sda5 didn't get automatically decrypted, I have to password to unlock every time I boot up machine. I really don't understand why?
Does any one could help? please.

Thank you!

Post Reply

Return to “CentOS 8 - Security Support”