Hello Team,
I have a partition encrypted with LUKS. I followed the Red Hat website: https://access.redhat.com/documentation ... decryption
to use tpm2 to bind the encrypted partition and try to unlock it automatically during boot. The process was as follows (for example, my partition is /dev/sda5):
1. Check my encrypted partition; the encryption password is: ranger1234
# cryptsetup luksDump /dev/sda5
LUKS header information for /dev/sda5
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: c3 93 eb 25 f4 2b 5d 4a 66 6a ea 41 b6 ba f4 33 67 da 08 2d
MK salt: 9a b1 73 46 39 03 4a d3 7b 23 e0 53 e3 61 b9 77
79 08 48 b4 45 0b ce 0a 53 b7 ef ba ae 6c 3f f2
MK iterations: 118940
UUID: 76de5cd7-af0e-40a9-9465-a38d2c8107c9
Key Slot 0: ENABLED
Iterations: 1913458
Salt: 4d 02 d9 80 bb cc f2 ad d4 d1 81 c6 0e 2c d9 61
28 b9 a6 e6 3d d5 ab fc f6 f0 1c 95 94 2e 49 d0
Key material offset: 8
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
2. # clevis luks bind -d /dev/sda5 tpm2 '{"pcr_ids":"7"}' <<< ranger1234
Then check partition /dev/sda5 again, and see the tpm2-generated master key saved into the sda5 header metadata in Key Slot 1:
# cryptsetup luksDump /dev/sda5
LUKS header information for /dev/sda5
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: c3 93 eb 25 f4 2b 5d 4a 66 6a ea 41 b6 ba f4 33 67 da 08 2d
MK salt: 9a b1 73 46 39 03 4a d3 7b 23 e0 53 e3 61 b9 77
79 08 48 b4 45 0b ce 0a 53 b7 ef ba ae 6c 3f f2
MK iterations: 118940
UUID: 76de5cd7-af0e-40a9-9465-a38d2c8107c9
Key Slot 0: ENABLED
Iterations: 1913458
Salt: 4d 02 d9 80 bb cc f2 ad d4 d1 81 c6 0e 2c d9 61
28 b9 a6 e6 3d d5 ab fc f6 f0 1c 95 94 2e 49 d0
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 1949026
Salt: da e6 4d dc 1b cd 76 55 53 0d 32 54 e3 52 ca bb
58 d7 34 97 58 a3 69 97 55 b8 2d 4a 1d 39 5a 2e
Key material offset: 512
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
3. # dracut -fv
4. Reboot the PC. I found that partition /dev/sda5 didn't get automatically decrypted; I have to enter the password to unlock it every time I boot up the machine. I really don't understand why.
Could anyone help? Please.
Thank you!
TPM 2.0 can not automatically unlock encrypted partition when booting
Post by harrywangca » 2020/06/08 22:20:12
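A diagnostic checklist for the symptom in the post above (tpm2 binding present in the LUKS header, but the passphrase prompt still appears at boot). This is an added example, not code from the original post, from the Red Hat documentation or from the clevis project. It assumes CentOS 8 with the clevis, clevis-luks and clevis-dracut packages and a clevis version that provides `clevis luks list`; the device path, the UUID from the post and the sample command outputs are placeholders and constructed data.

```sh
#!/bin/sh
# Added diagnostic for a clevis/tpm2 LUKS binding that does not unlock at boot.
# Not from the original post or the clevis project. Assumes CentOS 8 with clevis,
# clevis-luks and clevis-dracut installed and a clevis that has `clevis luks list`.

# Each check takes the text it inspects as an argument, so it can run on live
# command output (run_live below) or on saved output (the constructed samples).

# Check 1: the initramfs must carry the clevis hook. `dracut -fv` only includes it
# when clevis-dracut is installed; otherwise boot falls back to the passphrase prompt.
initramfs_has_clevis() {
    # $1 = output of `lsinitrd`
    printf '%s\n' "$1" | grep -q 'clevis'
}

# Check 2: /etc/crypttab must name the LUKS volume (by UUID here) so that
# systemd-cryptsetup sets it up early and the clevis askpass hook can answer.
crypttab_has_uuid() {
    # $1 = contents of /etc/crypttab, $2 = LUKS UUID from `cryptsetup luksDump`
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q "UUID=$2"
}

# Check 3: the tpm2 pin must actually be bound. `clevis luks list -d DEV` prints one
# line per bound slot, e.g. `1: tpm2 '{"pcr_ids":"7",...}'`. Prints the slot number.
tpm2_binding_slot() {
    # $1 = output of `clevis luks list`
    printf '%s\n' "$1" | awk -F'[: ]+' '$2 == "tpm2" { print $1; exit }'
}

# Check 4: the PCR selection of the binding. A tpm2 pin sealed against PCR 7 stops
# unsealing as soon as the Secure Boot state measured into PCR 7 changes.
binding_pcr_ids() {
    # $1 = output of `clevis luks list`; prints the pcr_ids value of the tpm2 pin
    printf '%s\n' "$1" | sed -n 's/.*tpm2.*"pcr_ids":"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample data, modelled on the formats the checks expect.
SAMPLE_LSINITRD='dracut modules:
clevis
crypt
Files:
usr/bin/clevis-luks-askpass'
SAMPLE_CRYPTTAB='# <name> <device> <password> <options>
luks-76de5cd7-af0e-40a9-9465-a38d2c8107c9 UUID=76de5cd7-af0e-40a9-9465-a38d2c8107c9 none'
SAMPLE_LIST="1: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\",\"pcr_bank\":\"sha256\",\"pcr_ids\":\"7\"}'"

# Live run against the real system when CLEVIS_CHECK_LIVE=1 (needs root).
run_live() {
    dev="${1:-/dev/sda5}"                       # placeholder device path
    uuid=$(cryptsetup luksUUID "$dev")
    initramfs_has_clevis "$(lsinitrd)" && echo "initramfs: clevis hook present" \
        || echo "initramfs: NO clevis hook (install clevis-dracut, rerun dracut -fv)"
    crypttab_has_uuid "$(cat /etc/crypttab)" "$uuid" && echo "crypttab: entry for UUID=$uuid" \
        || echo "crypttab: NO entry for UUID=$uuid"
    list=$(clevis luks list -d "$dev")
    slot=$(tpm2_binding_slot "$list")
    [ -n "$slot" ] && echo "clevis: tpm2 bound in slot $slot, pcr_ids=$(binding_pcr_ids "$list")" \
        || echo "clevis: NO tpm2 binding on $dev"
}

if [ "${CLEVIS_CHECK_LIVE:-0}" = 1 ]; then
    run_live "$1"
fi
```

Run it as root with `CLEVIS_CHECK_LIVE=1 sh check-clevis.sh /dev/sda5`. A frequent cause of the symptom in the post is that `dracut -fv` was run without clevis-dracut installed, so the rebuilt initramfs has no clevis hook and can only ask for the passphrase; the second thing to verify is that nothing changed the Secure Boot state measured into PCR 7 after the binding was made, since the sealed key then no longer unseals.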