Anduin Xue

Anduin's Tech Blog

TPM


Automatically Unlocking LUKS2 Encrypted System Partition Using Clevis and TPM2

This blog post delves into the process of automatically unlocking a LUKS2 encrypted system partition using Clevis and TPM2. To start with, you need to ensure that Secure Boot and TPM are enabled in your BIOS settings. For Secure Boot, you may need to configure your system to trust third-party certificates, which could involve generating a new key pair and certificate for your system, signing your boot loader and kernel with the new key, and enrolling the key in your system's Secure Boot database. The blog proceeds to guide you through the installation of the necessary packages for Clevis, using the command `sudo dnf install clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd`. Once installed, the TPM2 key has to be bound to Clevis, which creates a key on the TPM2 chip and binds it to the LUKS2 encrypted system partition. You will be prompted to enter your passkey. The final step involves updating the system files to use Clevis to automatically unlock the system partition...--GPT 4

bash Linux Security LUKS2 Clevis TPM2 TPM
