I'm attempting to store the LUKS password for LVM encryption/FDE in a TPM2 as part of unattended boot for a server, i.e. allowing a server with a LUKS encrypted root filesystem to boot without a user having to manually enter the password.
Since this seems to always come up, the threats I'm trying to defend against are an attacker removing a hard drive from the server and mounting its filesystem elsewhere, as well as an attacker altering kernel parameters passed from Grub to use e.g. init=/bin/sh. Clearly there are other threats this approach does not defend against which I will simply declare out-of-scope. Also: I'm not particularly interested in e.g. PCR hardening so much as getting anything to work at all.
I'm working with the following TPM2 device:
Code:
# systemd-cryptenroll --tpm2-device=list
PATH        DEVICE      DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_tis
I've attempted a few different methods, all unsuccessfully:
- systemd-cryptenroll
- tpm2-initramfs-tool
- clevis
Of those, systemd-cryptenroll seems like it's probably the best approach and one I seem to have partially working, at least. With the `tpm2-tools` package installed I am seemingly able to enroll my LUKS password into my TPM:
Code:
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda3
🔐 Please enter current passphrase for disk /dev/sda3: [...]
New TPM2 token enrolled as key slot 1.
So that much seems to work, but what I'm having trouble with is adding TPM support to initramfs and configuring my crypttab to use the TPM.
I've seen a lot of recommendations of dracut for this. I've tried the following:
Code:
apt-get install dracut
dracut --add tpm2-tss -f
I also modified my /etc/crypttab to change the last entry from "luks,discard" to "luks,tpm2-device=auto". I've also tried just "luks,tpm2-device=auto" as well as "luks,discard,tpm2-device=auto" and just "tpm2-device=auto".
With dracut, after grub launches Linux, where it would ordinarily prompt for a password it just sits there with a cursor before dropping to an emergency shell.
I've also tried to add TPM support via initramfs-tools instead, modifying /etc/initramfs-tools/modules to add tpm_tis, and then running update-initramfs -u, but it complains:
Code:
cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'
I get the same warning when the system boots, followed by a password prompt. This seems relevant: https://groups.google.com/g/linux.debia ... MQ5A?pli=1
Any suggestions?
Statistics: Posted by bascule — 2024-03-12 18:27 — Replies 2 — Views 59
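The post above ends with a hang and an emergency shell, with nothing telling the poster which of the pieces is missing. The following script is an added example, not code from the post or from systemd or Debian; it separates the three things that have to be in place for systemd-cryptsetup to unlock a LUKS volume from a TPM2 token in the initrd: a `systemd-tpm2` token in the LUKS header (what `systemd-cryptenroll` writes), a `tpm2-device=` option on the crypttab mapping, and an initrd that carries the TPM driver, the `systemd-cryptsetup` binary and the `libtss2-esys` library it loads at run time. The token name, the `tpm_tis`/`tpm_crb` driver names and the library name are assumptions about how these components are packaged; the sample crypttab, luksDump and initrd listings are constructed for the example. Each check takes text as its argument so it can be exercised on the samples; `main` feeds it real output from the local system.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the prerequisites for
# systemd-cryptsetup TPM2 unlock of a LUKS root in the initrd. Assumed
# names: "systemd-tpm2" token, tpm_tis/tpm_crb driver, libtss2-esys library.

# 1. Does the crypttab mapping $1 carry a tpm2-device= option?
#    $2 = full text of /etc/crypttab (name device keyfile options)
crypttab_has_tpm2() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == name {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] ~ /^tpm2-device=/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# 2. Does the LUKS header (cryptsetup luksDump output in $1) list a
#    systemd-tpm2 token?
luks_has_tpm2_token() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[0-9]+:[[:space:]]*systemd-tpm2([[:space:]]|$)'
}

# 3. Does the initrd file listing in $1 contain a TPM driver module, the
#    systemd-cryptsetup helper and the TSS library? (If the TPM driver is
#    built into the kernel rather than a module, drop the first grep.)
initramfs_has_tpm2() {
    listing=$1
    printf '%s\n' "$listing" | grep -Eq '/tpm_(tis|crb)\.ko' &&
    printf '%s\n' "$listing" | grep -q 'systemd-cryptsetup' &&
    printf '%s\n' "$listing" | grep -q 'libtss2-esys\.so'
}

# Constructed sample inputs, shaped like real output but made up here.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda3_crypt UUID=00000000-0000-0000-0000-000000000000 none luks,discard,tpm2-device=auto'
SAMPLE_CRYPTTAB_PLAIN='sda3_crypt UUID=00000000-0000-0000-0000-000000000000 none luks,discard'
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Tokens:
  1: systemd-tpm2
        Keyslot:    1'
SAMPLE_INITRD_OK='usr/lib/modules/6.1.0-amd64/kernel/drivers/char/tpm/tpm_tis.ko
usr/lib/systemd/systemd-cryptsetup
usr/lib/x86_64-linux-gnu/libtss2-esys.so.0'
SAMPLE_INITRD_MISSING_TSS='usr/lib/modules/6.1.0-amd64/kernel/drivers/char/tpm/tpm_tis.ko
usr/lib/systemd/systemd-cryptsetup'

# Runs every check over the samples; returns 0 only if each is classified
# as expected (good samples pass, incomplete ones fail).
self_check() {
    crypttab_has_tpm2 sda3_crypt "$SAMPLE_CRYPTTAB" || return 1
    crypttab_has_tpm2 sda3_crypt "$SAMPLE_CRYPTTAB_PLAIN" && return 1
    luks_has_tpm2_token "$SAMPLE_LUKSDUMP" || return 1
    initramfs_has_tpm2 "$SAMPLE_INITRD_OK" || return 1
    initramfs_has_tpm2 "$SAMPLE_INITRD_MISSING_TSS" && return 1
    return 0
}

# Live check against this machine: main DEVICE MAPPING (needs root),
# e.g. main /dev/sda3 sda3_crypt. Uses lsinitrd for dracut initrds,
# lsinitramfs for initramfs-tools ones.
main() {
    dev=$1; name=$2
    initrd="/boot/initrd.img-$(uname -r)"
    if command -v lsinitrd >/dev/null 2>&1; then
        listing=$(lsinitrd "$initrd")
    else
        listing=$(lsinitramfs "$initrd")
    fi
    status=0
    crypttab_has_tpm2 "$name" "$(cat /etc/crypttab)" \
        && echo "ok: crypttab entry $name has tpm2-device=" \
        || { echo "FAIL: crypttab entry $name lacks tpm2-device="; status=1; }
    luks_has_tpm2_token "$(cryptsetup luksDump "$dev")" \
        && echo "ok: $dev has a systemd-tpm2 token" \
        || { echo "FAIL: no systemd-tpm2 token on $dev (enroll one first)"; status=1; }
    initramfs_has_tpm2 "$listing" \
        && echo "ok: $initrd has TPM driver, systemd-cryptsetup and libtss2-esys" \
        || { echo "FAIL: $initrd lacks the TPM driver, systemd-cryptsetup or libtss2-esys"; status=1; }
    return $status
}

# Only run the live check when a device and mapping name are supplied.
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Run it as root with the LUKS device and the crypttab mapping name to see which prerequisite is missing before rebooting. Note that a passing crypttab check only says the file is right: the warning quoted in the post shows that the initramfs-tools cryptroot hook ignores `tpm2-device`, so with that generator the option is present but unused, which is exactly why the third check looks for `systemd-cryptsetup` inside the initrd rather than trusting crypttab alone.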