Full disk encryption + TPM2

Hi,

I am trying to set up a fully encrypted disk which will automatically unlock using TPM2.
At the moment I have been able to complete the OS installation, but now I am stuck, not knowing how to set up the automatic unlock.
I have read on the internet that some programs (such as dracut) can be used, but also, according to a NixOS issue, that it should be unnecessary: systemd-cryptenroll should be enough… so how am I supposed to proceed?

My current configuration is:
/vda1: the efi/boot partition
/vda2: the encrypted partition, with LVM swap and root partitions.

I am using the nixos unstable version, and I am testing the installation in a KVM VM.

Thank you for the help,
regards.


I did this by setting boot.initrd.systemd.enable to true, adding tpm2-tss to environment.systemPackages, rebuilding, and then running systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<my encrypted device>. In your case, the device should be /dev/vda2; and if you're not using Secure Boot, you may want to change --tpm2-pcrs=0+7 to just --tpm2-pcrs=0.

Hope this helps 🙂


Oh yeah, thank you, it worked!

Now two new questions arise to me:

  1. Is it possible to get the same result by using ZFS and its encryption?
  2. Is it possible to also encrypt the /boot partition and still unlock with the TPM? (I have read about some setups, but with manual password entry.)

Regards

Is it possible to get the same result by using ZFS and its encryption?

I'm not very familiar with that since I've only used LUKS with ZFS, but I know systemd-cryptenroll doesn't support it. This might be a good resource though.

Is it possible to also encrypt the /boot partition and still unlock with the TPM?

I've only seen this done with GRUB and with patches. The only real setup guide I've found is here, and as it's not officially supported, I will have to say YMMV. I don't see why it wouldn't work on NixOS though.

Thank you, I’ll check.
Regards

Hi @getchoo and @FStefanni
I tried following these steps and got an error while running cryptenroll:

$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0 /dev/nvme0n1p2
Failed to load LUKS2 superblock: Invalid argument

or trying with UUID:

$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0 /dev/mapper/luks-025814c8-3dcf-4bd8-b04f-c2abaeb82644
Failed to load LUKS2 superblock: Invalid argument

Here’s my layout (it’s the default from the NixOS installer):

$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                             8:0    0   1,8T  0 disk  
├─sda1                                          8:1    0   499M  0 part  
└─sda2                                          8:2    0   1,8T  0 part  
nvme0n1                                       259:0    0 465,8G  0 disk  
├─nvme0n1p1                                   259:1    0   512M  0 part  /boot
├─nvme0n1p2                                   259:2    0 448,1G  0 part  
│ └─luks-025814c8-3dcf-4bd8-b04f-c2abaeb82644 254:1    0 448,1G  0 crypt /nix/store
│                                                                        /
└─nvme0n1p3                                   259:3    0  17,1G  0 part  
  └─luks-d1ccc17e-d9ca-4d5b-83dd-6fd78d93d29b 254:0    0  17,1G  0 crypt [SWAP]

Can you think of what might be the issue here?


Maybe not directly, but you could create a tiny LUKS partition and just store a keyfile on there to unlock ZFS.

Does your device have a LUKS2 header?


Damn, you’re right, it’s LUKS1. I just used the nixos installer with default settings and this is what I got… I guess the easiest is to reinstall now?


What the installer/instructions did depends on when you created it, and what the default was back then 😉

Ubuntu LUKS cryptsetup upgrade · GitHub describes how you can upgrade your header to V2.

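Putting the enrolment command from the first reply together with the LUKS2 header check that tripped things up here, as an added shell example that is not from any poster in this thread: it assumes cryptsetup, systemd-cryptenroll and a mounted efivarfs, and the helper names luks_version, pcr_selection, secure_boot_state and enroll_tpm2 are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight checks around the
# systemd-cryptenroll step. Assumes cryptsetup, systemd and efivarfs.
set -eu

# Parse `cryptsetup luksDump` output on stdin and print the header version.
# systemd-cryptenroll refuses LUKS1 ("Failed to load LUKS2 superblock").
luks_version() {
  awk '$1 == "Version:" { print $2; exit }'
}

# PCR set to bind to, following the advice in this thread: PCR 0+7 with
# Secure Boot enabled, PCR 0 alone without it. Argument: enabled|disabled.
pcr_selection() {
  case "$1" in
    enabled)  echo "0+7" ;;
    disabled) echo "0" ;;
    *) echo "unknown Secure Boot state: $1" >&2; return 1 ;;
  esac
}

# Constructed sample of a LUKS1 header dump, like the installer default
# that failed above (real data comes from `cryptsetup luksDump DEV`).
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64'

# Read the SecureBoot EFI variable: 4 attribute bytes, then one data byte.
secure_boot_state() {
  local var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
  if [ -r "$var" ] && [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = 1 ]; then
    echo enabled
  else
    echo disabled
  fi
}

# Check the header, pick the PCRs, then enrol.  Usage: enroll_tpm2 /dev/vda2
enroll_tpm2() {
  local dev="$1" ver pcrs
  ver="$(sudo cryptsetup luksDump "$dev" | luks_version)"
  if [ "$ver" != 2 ]; then
    echo "$dev has a LUKS$ver header; convert it first: cryptsetup convert --type luks2 $dev" >&2
    return 1
  fi
  pcrs="$(pcr_selection "$(secure_boot_state)")"
  sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
}
```

The convert step must be run from a live system with the volume closed, as the upgrade gist linked above describes.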

Maybe not directly, but you could create a tiny LUKS partition and just store a keyfile on there to unlock ZFS.

Nice idea. I’ll try as soon as I have a little of spare time.
Thank you.
Regards

In case anyone still ends up on this thread sometime, I wrote a guide for my system setup here: A Modern and Secure Desktop Setup


I installed NixOS pre-24.04 and chose “encrypt”, but it created LUKS1 instead of LUKS2, which is annoying. I had to upgrade LUKS. Is there a way of installing LUKS2 from the start? Does it need manual partitioning when installing?

Hi,

for NixOS at the moment I always prefer manual partitioning & installation,
since the installer does not seem to support all the advanced features… and this is a pity…
I do not know if there is a LUKS2 option directly in the installer.

Regards

I don’t think there’s a way to go with LUKS2 in the installer. You can follow this to upgrade using a live USB, or this for a more comprehensive setup guide.

Yeah. In the custom partitioning there’s no option to select LUKS2. Just an “encrypt” checkbox. I used a guide to upgrade to LUKS2.

  • Would this require using a different method to unlock after every firmware update?
  • Would this still auto-unlock LUKS from a live USB (of Ubuntu, for example)?

https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers

See this link for PCR registers to bind to.

Binding to PCR 0 would mean that upgrading your system firmware could make the TPM not unlock.

I just use PCR 7 with secure boot enabled, then lock my bios settings with a password. In my case, firmware upgrades do not affect unlocking.

Hey Raj

If you follow the guide I linked earlier that one goes through the entire setup including full disk encryption with LUKS2, auto-unlock with TPM, automatic self signing for secure boot, etc.

Depending on how you set up the TPM pcrs you can get different behaviour but the point is generally that it should not unlock with a live USB, that would make it almost useless.

I haven’t done any UEFI firmware updates since my setup but I can imagine I would need to unlock with the password if that happens and if the PCR for the firmware is added, and then perhaps re-enroll with the same command. So far I never had to unlock with the password after the initial setup.

I did a few days ago.

So would just using PCRs 0 and 7 result in anyone being able to read encrypted files by booting off of USB?

I used PCRs 0+7. I didn’t do firmware updates, but for some reason after I installed a GPU the TPM auto-unlock stopped working. I re-enrolled it by removing the existing one and re-running the command.

I don’t know how it works exactly. It should stop working when you change the installed hardware components, so that’s a good sign. I don’t know how much PCR 0 covers honestly.