Full disk encryption + TPM2

Help
1

Hi,

I am trying to setup a full encrypted disk, which will automatically unlock using TPM2.
At the moment I have been able to achieve the OS installation, but now I am stuck unknowing how to setup the automatic unlock.
I have read on internet that some programs (as dracut) can be used, but also, according to a nixos issue, it should be useless: systemd-cryptenroll should be enough… so how am I supposed to proceed?

My current configuration is:
/vda1: the efi/boot partition
/vda2: the encrypted partition, with LVM swap and root partitions.

I am using the nixos unstable version, and I am testing the installation in a KVM VM.

Thank you for the help,
regards.

2

i did this by setting boot.initrd.systemd.enable to true, adding tpm2-tss to environment.systemPackages, rebuilding, and then running systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<my encrypted device>. in your case, the device should be /dev/vda2; and if you’re not using secureboot, you may want to change --tpm2-pcrs=0+7 to just --tpm2-pcrs=0

hope this helps :slight_smile:

1 Like
3

Oh yeah, thank you, it worked!

Now two new questions arise to me:

  1. Is it possible to get the same result by using zfs and its encryption?
  2. Is it possible to encrypt also the /boot partition and still unlock with tpm? (I have read about some setups, but with manual password insertion)

Regards

4

Is it possible to get the same result by using zfs and its encryption?

i’m not very familiar with that since i’ve only used luks with zfs, but i know systemd-cryptenroll doesn’t support it. this might be a good resource though

Is it possible to encrypt also the /boot partition and still unlock with tpm?

i’ve only seen this done with grub and with patches. the only real setup guide i’ve found is here and as it’s not officially supported, i will have to say YMMV. i don’t see why it wouldn’t work on nixos though

5

Thank you, I’ll check.
Regards

6

Hi @getchoo and @FStefanni
I tried following these steps and get en error while running cryptenroll:

$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0 /dev/nvme0n1p2
Failed to load LUKS2 superblock: Invalid argument

or trying with UUID:

$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0 /dev/mapper/luks-025814c8-3dcf-4bd8-b04f-c2abaeb82644
Failed to load LUKS2 superblock: Invalid argument

Here’s my layout (it’s the default from the NixOS installer):

$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                             8:0    0   1,8T  0 disk  
├─sda1                                          8:1    0   499M  0 part  
└─sda2                                          8:2    0   1,8T  0 part  
nvme0n1                                       259:0    0 465,8G  0 disk  
├─nvme0n1p1                                   259:1    0   512M  0 part  /boot
├─nvme0n1p2                                   259:2    0 448,1G  0 part  
│ └─luks-025814c8-3dcf-4bd8-b04f-c2abaeb82644 254:1    0 448,1G  0 crypt /nix/store
│                                                                        /
└─nvme0n1p3                                   259:3    0  17,1G  0 part  
  └─luks-d1ccc17e-d9ca-4d5b-83dd-6fd78d93d29b 254:0    0  17,1G  0 crypt [SWAP]

Can you think of what might be the issue here?

7

Maybe not directly but you could create an tiny Luks partition and just store an keyfile on there to unlock zfs.

Does your device have an LUKS2 header?

8

Damn, you’re right, it’s LUKS1. I just used the nixos installer with default settings and this is what I got… I guess the easiest is to reinstall now?

9

What the installer/instructions did depends on when you created it, and what was the default by them :wink:

Ubuntu LUKS cryptsetup upgrade · GitHub describes how you can upgrade your header to V2.

10

Maybe not directly but you could create an tiny Luks partition and just store an keyfile on there to unlock zfs.

Nice idea. I’ll try as soon as I have a little of spare time.
Thank you.
Regards