documentation/docs/void-desktop-setup/post-installation/automatic-decryption.md

# Automatic decryption
2023-08-16 22:09:10 +02:00
Using Clevis it's possible to automatically decrypt the system upon startup. Note that you must use the `booster` initramfs, which should already be installed if you followed this guide. (A lot more information about what Clevis can do is available on the [ArchWiki](https://wiki.archlinux.org/title/Clevis).)
## Installation
Installing clevis is straightforward:
```
# xbps-install -Sy clevis
```
## Acquiring automatic decryption
To bind our LUKS volume to the TPM with clevis, simply enter these commands:
```
# clevis luks bind -d /dev/disk/by-label/luks tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}'
# xbps-reconfigure -f linux<version>
```
This binds the partition to TPM2 and Secure Boot, so the root partition can now be decrypted automatically on startup.

If any changes have been made to the BIOS or Secure Boot and Clevis no longer decrypts the disk automatically, Clevis has to be invoked again:
```
# clevis luks regen -d /dev/disk/by-label/luks -s <keyslot>
```
The keyslot can be found with:
```
# cryptsetup luksDump /dev/disk/by-label/luks
```
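
The `luksDump` output lists every keyslot and token; the value to pass to `clevis luks regen -s` is the keyslot referenced by the `clevis` token. The following is an added example, not part of the original guide, that extracts it. It assumes a LUKS2 header, and the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: print the keyslot(s) referenced by Clevis tokens.
# Reads `cryptsetup luksDump` text (LUKS2) on stdin, prints one keyslot
# number per line, and returns non-zero when no Clevis token exists.
clevis_keyslots() {
    awk '
        /^Tokens:/          { in_tokens = 1; next }
        /^[A-Za-z]/         { in_tokens = 0 }   # next top-level section, e.g. "Digests:"
        !in_tokens          { next }
        /^[ \t]+[0-9]+: /   { is_clevis = ($2 == "clevis"); next }  # token header "  0: clevis"
        is_clevis && $1 == "Keyslot:" { print $2; found = 1 }
        END                 { exit(found ? 0 : 1) }
    '
}

# Constructed sample input, shortened from the layout luksDump prints:
# slot 0 holds the passphrase, slot 1 was added by `clevis luks bind`.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
    Key:        512 bits
Tokens:
  0: clevis
    Keyslot:    1
Digests:
  0: pbkdf2
EOF
}

# Demo on the sample. On a real system (as root):
#   cryptsetup luksDump /dev/disk/by-label/luks | clevis_keyslots
sample_dump | clevis_keyslots
```

A non-zero exit status means the header carries no Clevis token, so there is nothing to regenerate and the volume has to be bound again.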