LUKS decryption with clevis and TPM2

· 289 words · 2 minute read

Why should you encrypt your disk in the first place? For your own privacy, and to make sure that personal data does not go astray.

Examples of when your data may go astray:

  • You sell your computer.
  • You give a disk to a family member or a friend.
  • You put the disk in the recycling bin.
  • Someone steals your computer.

From the GitHub repo: clevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes.

The idea is to unlock the disk automatically during boot, without typing a passphrase, by binding the disk to “your” computer: clevis seals a key to the Trusted Platform Module (TPM) so that it can only be unsealed when the machine boots in the same measured state it was in when the key was sealed.

Installation

Fedora

sudo dnf install -y clevis clevis-dracut clevis-udisks2

Debian

sudo apt-get install -y clevis clevis-initramfs clevis-tpm2 clevis-udisks2

Setup

Preparations before you begin. A TPM-bound disk is unlocked automatically for anyone who can power on the machine through the unchanged boot path; after that, only the operating system's login stands between them and the data. Lock that path down first:

  • Turn off boot from USB and network in the BIOS/UEFI setup.
  • Optionally turn on Secure Boot.
  • Set a strong BIOS/UEFI setup password so the settings above cannot be changed.

Bind pin to disk

Automated unlocking will fail if any of the bound Platform Configuration Registers (PCRs) has changed since the key was sealed:

  • PCR 0: UEFI firmware code has changed (for example after a firmware update).
  • PCR 1: Firmware configuration has changed (BIOS/UEFI settings).
  • PCR 5: Boot manager configuration has changed, including the GPT partition table.
  • PCR 7: Secure Boot state has changed (turned on or off, or the signature databases updated).

The bootloader code itself is measured into PCR 4, which is not in this set; adding it makes a replaced bootloader block automatic unlocking too, at the cost of re-binding after every bootloader update. In all cases, clevis luks bind adds a new keyslot and leaves the existing passphrase slot in place, so a failed automatic unlock falls back to the passphrase prompt.

Fedora

sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_ids":"0,1,5,7"}'

Debian

sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}'

List pins bound to disk

sudo clevis luks list -d /dev/nvme0n1p3

Unbind pin from disk

sudo clevis luks unbind -d /dev/nvme0n1p3 -s 1
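The bind, list and unbind commands above, wrapped in a small script that checks the preconditions first and verifies the result. This is an added example, not code from the original post or from the clevis project. It assumes tpm2-tools 4 or newer (for tpm2_pcrread), a LUKS2 device path passed on the command line, and that the distribution's initramfs tool is either dracut (Fedora) or update-initramfs (Debian); the `-f` flag on clevis luks unbind suppresses the confirmation prompt. The sample `clevis luks list` output inside the script is constructed so that the parsing helper can be exercised without a real device.

```shell
#!/bin/sh
# Added example, not from the original post or the clevis project: a wrapper
# around `clevis luks bind / list / unbind` that checks preconditions and
# verifies the binding. Device path, PCR set and initramfs tool are assumptions.
set -eu

PCR_BANK="${PCR_BANK:-sha256}"    # hash bank to seal against
PCR_IDS="${PCR_IDS:-0,1,5,7}"     # same PCR set as the article

# Build the tpm2 pin configuration JSON that `clevis luks bind` expects.
tpm2_pin_config() {
    printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$1" "$2"
}

# Parse `clevis luks list` output ("<slot>: <pin> '<config>'" per line) from
# stdin and print the slot numbers that carry the given pin, one per line.
slots_for_pin() {
    awk -v pin="$1" '$2 == pin { sub(/:$/, "", $1); print $1 }'
}

# Constructed sample of `clevis luks list` output (not captured from a real
# machine), used to exercise slots_for_pin without touching a device.
SAMPLE_LIST="1: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\",\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,5,7\"}'
2: tang '{\"url\":\"http://tang.example.com\"}'"

# Preflight: a TPM must be present, the target must be LUKS, and the PCR
# values being sealed to are printed so a later unlock failure can be diagnosed.
preflight() {
    dev="$1"
    [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ] || { echo "no TPM device found" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    tpm2_pcrread "${PCR_BANK}:${PCR_IDS}"
}

# Bind the tpm2 pin, then confirm a tpm2 slot really exists afterwards.
bind_tpm2() {
    dev="$1"
    clevis luks bind -d "$dev" tpm2 "$(tpm2_pin_config "$PCR_BANK" "$PCR_IDS")"
    slots=$(clevis luks list -d "$dev" | slots_for_pin tpm2)
    [ -n "$slots" ] || { echo "bind did not create a tpm2 slot" >&2; return 1; }
    echo "tpm2 pin bound in slot(s): $slots"
}

# Remove every clevis tpm2 slot; the passphrase slot is left untouched.
unbind_tpm2() {
    dev="$1"
    for s in $(clevis luks list -d "$dev" | slots_for_pin tpm2); do
        clevis luks unbind -d "$dev" -s "$s" -f
    done
}

# The clevis hooks only take effect at boot once they are in the initramfs.
regen_initramfs() {
    if command -v dracut >/dev/null 2>&1; then
        dracut -f --regenerate-all              # Fedora
    elif command -v update-initramfs >/dev/null 2>&1; then
        update-initramfs -u -k all              # Debian
    else
        echo "unknown initramfs tool, regenerate it manually" >&2; return 1
    fi
}

# Usage (as root): ./clevis-tpm2.sh bind|unbind /dev/nvme0n1p3
# Nothing runs when the script is sourced or called without arguments.
if [ "$#" -ge 2 ]; then
    case "$1" in
        bind)   preflight "$2"; bind_tpm2 "$2"; regen_initramfs ;;
        unbind) unbind_tpm2 "$2" ;;
        *)      echo "usage: $0 bind|unbind DEVICE" >&2; exit 2 ;;
    esac
fi
```

Run it once with `bind`, reboot, and confirm the passphrase prompt no longer appears; if it does, compare the PCR values printed by the preflight with a fresh `tpm2_pcrread` to see which register moved.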

Remove all access to the disk

Before you give away your disk or computer, you can erase all access to your data with a single command. It wipes every keyslot, passphrase and clevis alike, without asking for a password; the encrypted data stays on the disk but can no longer be decrypted, unless someone holds a backup of the LUKS header. The operation is irreversible.

sudo cryptsetup erase /dev/nvme0n1p3
