
Automating LUKS Decryption with TPM 2.0 on Ubuntu 22.04

Published on

Introduction

I looked into how to have an Ubuntu 22.04 system installed on LUKS unlock its root volume at boot using the TPM, instead of typing the passphrase at the prompt.

Prerequisites

  • A machine with Ubuntu 22.04 already installed on a LUKS-encrypted volume (and a TPM 2.0 device available).

Steps

Installing Packages

sudo apt update
sudo apt install clevis-tpm2 clevis-luks clevis-initramfs -y

Identifying the LUKS Encrypted Volume

In the example below, the LUKS volume is /dev/nvme1n1p2: it is the partition whose child is the luks-… crypt mapping that holds the root filesystem.

# lsblk
nvme1n1                                       259:0    0 465.8G  0 disk  
├─nvme1n1p1                                   259:1    0  1000M  0 part  /boot
├─nvme1n1p2                                   259:2    0 463.8G  0 part  
│ └─luks-d1bbf244-6e32-42f6-9ecb-6ebe4a960961 253:0    0 463.8G  0 crypt /run/timeshift/backup
                                                                        /var/lib/docker/btrfs
                                                                        /home
                                                                        /var/snap/firefox/common/host-hunspell
                                                                        /
└─nvme1n1p3                                   259:3    0  1000M  0 part  

Binding to the TPM2 Device Using clevis luks bind

# clevis luks bind -d /dev/nvme1n1p2 tpm2 '{"hash":"sha256","key":"rsa"}'

Verification

# clevis luks list -d /dev/nvme1n1p2
1: tpm2 '{"hash":"sha256","key":"rsa"}'

Updating initramfs

# update-initramfs -u
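The steps above as one script, added here as an example and not part of the original article. It wraps the same clevis commands with the checks a practitioner wants before touching a root volume: a TPM device must be present, the target must actually be a LUKS device, and the binding must show up in `clevis luks list` before initramfs is rebuilt. It also shows the pin config with a PCR policy (`pcr_bank`/`pcr_ids` are documented clevis tpm2 pin options): the article's config has no `pcr_ids`, so the TPM unseals the key in any boot state and the disk is protected only against being moved to another machine; binding to PCR 7 ties the unseal to the Secure Boot state. The device path, the PCR choice and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: TPM2 enrollment of a LUKS volume with clevis, with checks.
# Assumed: device /dev/nvme1n1p2 and PCR 7 as the default policy.

# Build the clevis tpm2 pin config string.
# Without "pcr_ids" the key is released regardless of boot state; with
# "pcr_ids" the unseal is bound to the listed PCRs (7 = Secure Boot policy).
tpm2_pin_config() {
    pcr_ids="$1"   # e.g. "7" or "0,7"; empty string = no PCR policy
    if [ -n "$pcr_ids" ]; then
        printf '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"%s"}' "$pcr_ids"
    else
        printf '{"hash":"sha256","key":"rsa"}'
    fi
}

# Return 0 if `clevis luks list` output contains a tpm2 binding.
# Lines look like:  1: tpm2 '{"hash":"sha256","key":"rsa"}'
has_tpm2_binding() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+: tpm2 '
}

# Number of tpm2 bindings in the listing; re-running bind adds a new slot
# each time, so more than one usually means a duplicate enrollment.
count_tpm2_bindings() {
    printf '%s\n' "$1" | grep -Ec '^[0-9]+: tpm2 ' || true
}

# Full enrollment procedure. Must run as root.
enroll_tpm2() {
    dev="$1"
    pcr_ids="$2"
    [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ] || { echo "no TPM device found" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    cfg=$(tpm2_pin_config "$pcr_ids")
    clevis luks bind -d "$dev" tpm2 "$cfg" || return 1
    listing=$(clevis luks list -d "$dev")
    has_tpm2_binding "$listing" || { echo "tpm2 binding not found after bind" >&2; return 1; }
    if [ "$(count_tpm2_bindings "$listing")" -gt 1 ]; then
        echo "warning: more than one tpm2 binding present" >&2
    fi
    update-initramfs -u
}

# Only perform the enrollment when invoked explicitly, e.g.:
#   sudo sh enroll-tpm2.sh run /dev/nvme1n1p2 7
if [ "${1:-}" = "run" ]; then
    enroll_tpm2 "${2:-/dev/nvme1n1p2}" "${3:-7}"
fi
```

Keep the passphrase keyslot: clevis adds its own slot, and if the PCR values change (firmware update, Secure Boot toggled) the TPM unseal fails and the passphrase prompt is the fallback. Re-binding after such a change should be preceded by `clevis luks unbind` of the stale slot so bindings do not accumulate.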

References

12.8. Configuring manual enrollment of LUKS-encrypted volumes using TPM 2.0 policies
