This documents how to add a TPM2-backed key to an existing LUKS root partition, first done with EndeavourOS in June 2023. In particular, it covers using dracut (instead of mkinitcpio) and systemd-cryptenroll (instead of clevis). Previously, we used clevis, but this was slow to act while booting.
- Have a LUKS partition using LUKS2. If you're using LUKS1, it can be upgraded with `sudo cryptsetup convert --type luks2 /dev/nvme`. If you've previously used clevis, it may have left metadata which breaks the upgrade; this can be removed with `sudo luksmeta nuke -d /dev/nvme`.
- Add the tpm2-tss module to dracut by creating `/etc/dracut.conf.d/tpm.conf` with the following content: `add_dracutmodules+=" tpm2-tss "`
- Modify the corresponding line in `/etc/crypttab` by replacing the 3rd column (key file) with `-` and the 4th column (options) with `tpm2-device=auto`. This should be done before regenerating the initramfs, because the initramfs contents are measured into PCR 9 at boot and the TPM key is bound to that measurement below.
- Regenerate the initramfs with `sudo dracut -fv --regenerate-all`
- Reboot the system to obtain the correct PCR measurements. This should still require entering a decryption key.
- Add the TPM key with `sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+9 /dev/nvme` (existing LUKS key slots can be checked with `sudo cryptsetup luksDump /dev/nvme`). PCR 7 reflects the Secure Boot state and PCR 9 the loaded initrd, so a later kernel or initramfs update changes the measurement and the TPM slot will fall back to the passphrase until it is re-enrolled.
- Reboot to test.
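The crypttab change above is the only step that is easy to get wrong silently, so here is an added example (not part of the original note) that rewrites one entry the way the note describes and checks the result. It assumes the mapping name is passed as an argument and uses a constructed sample crypttab with a placeholder UUID.

```shell
#!/bin/sh
# Added example, not part of the original note: rewrite one /etc/crypttab
# entry for TPM2 unlocking as the note describes (3rd column -> "-",
# 4th column -> "tpm2-device=auto") and verify the result.
# Assumptions: the mapping name (here "cryptroot") and the crypttab path are
# given as arguments; the sample crypttab and its UUID are constructed.

# crypttab_tpm2 NAME FILE : print FILE with NAME's entry rewritten.
crypttab_tpm2() {
    awk -v name="$1" '
        /^[[:space:]]*(#|$)/ { print; next }   # keep comments / blank lines
        $1 == name {
            $3 = "-"                           # no key file: use a token
            $4 = "tpm2-device=auto"            # let systemd pick the TPM2
            print $1, $2, $3, $4; next
        }
        { print }                              # other entries untouched
    ' "$2"
}

# crypttab_check NAME FILE : succeed only if NAME is set up for TPM2 unlock.
crypttab_check() {
    awk -v name="$1" '
        $1 == name && $3 == "-" && $4 == "tpm2-device=auto" { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$2"
}

# Constructed sample crypttab (placeholder UUID, not a real device).
sample_crypttab() {
    cat <<'EOF'
# <name>   <device>                                   <keyfile>     <options>
cryptroot  UUID=00000000-0000-0000-0000-000000000000  none          luks
cryptswap  /dev/disk/by-partlabel/swap                /dev/urandom  swap,size=256
EOF
}

# demo : rewrite the sample in a temp file and return the check's status.
demo() {
    tmp=$(mktemp)
    sample_crypttab > "$tmp"
    crypttab_tpm2 cryptroot "$tmp" > "$tmp.new"
    crypttab_check cryptroot "$tmp.new"
    status=$?
    rm -f "$tmp" "$tmp.new"
    return "$status"
}

demo && echo "cryptroot entry now uses tpm2-device=auto"
```

On a real system, run `crypttab_tpm2 cryptroot /etc/crypttab` into a new file, inspect it, then move it into place before the dracut regeneration step.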
References:
- https://www.reddit.com/r/Fedora/comments/szlvwd/psa_if_you_have_a_luks_encrypted_system_and_a/
- https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
- https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll
- https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Trusted_Platform_Module_and_FIDO2_keys