Why should you encrypt your disc in the first place? It’s for your own privacy. It’s to ensure that personal data doesn’t go astray.
Examples when your data may go astray.
- You sell your computer.
- Give a disc to a family member or a friend.
- You put the disc in the recycling bin.
- Someone steals your computer.
From the Github repo: clevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes.
The idea is to automatic unlock the disc during boot without typing a password by binding the disk to “your” computer and storing a key in the Trusted Platform Module, TPM.
Installation ๐
Fedora ๐
sudo dnf install -y clevis clevis-dracut clevis-udisks2
Debian ๐
sudo apt-get install -y clevis clevis-initramfs clevis-tpm2 clevis-udisks2
Setup ๐
Preparations before you begin.
- Turn off boot from USB and network in BIOS.
- Optionally turn on secure boot in BIOS.
- Set a strong BIOS password.
Bind pin to disk ๐
Automated disc encryption will fail if
0.UEFI firmware has changed.1.Firmware configuration has changed.5.Bootloader has changed, including GPT.7.Secure boot has changed.
Platform Configuration Registers (PCR) table.
Fedora ๐
sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_ids":"0,1,5,7"}'
Debian ๐
sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}'
List pins bound to disk ๐
sudo clevis luks list -d /dev/nvme0n1p3
Unbind pin from disk ๐
sudo clevis luks unbind -d /dev/nvme0n1p3 -s 1
Remove all acces to the disk ๐
Before you give away your disk or computer. You can erase all access to your data with a simple command.
sudo cryptsetup erase /dev/nvme0n1p3
References ๐
- Always good guides at archlinux wiki.
- Kowalski7cc has a good write-up.
- TCG PC Client Platform TPM Profile (PTP) Specification.