# Automatic decryption

The TPM can be used to unlock the LUKS root partition automatically at boot, so the passphrase does not have to be typed every time the system starts. This is only acceptable because the boot chain is measured and secure boot is enabled: the key is sealed to the PCR values recorded during boot, so the TPM releases it only when the firmware, bootloader and secure boot state match those present when the binding was made.

Both `clevis` and `tpm2-tools` are used; with `nix` they can be installed by
```
$ nix-env -iA nixpkgs.clevis
$ nix-env -iA nixpkgs.tpm2-tools
```
This allows the LUKS-encrypted root partition to be bound to the TPM with clevis. The policy below seals the key to the sha256 bank of PCRs 0 (firmware code), 1 (firmware configuration), 5 (GPT partition table) and 7 (secure boot state); `<disk2>` is the LUKS partition itself, not the mapped device:

```
# clevis luks bind -d /dev/<disk2> tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}'
```

After rebooting, the initrd should unlock the disk without prompting, provided it is able to run clevis. Binding adds a new keyslot rather than replacing one, so the original passphrase keeps working as a fallback if the automatic unlock fails.

Clevis has to be invoked again when automatic decryption stops working after changes to secure boot, the firmware or the bootloader, since those change the PCR values the key was sealed to.

First find the keyslot `clevis` is using (the `Tokens:` section of the `luksDump` output lists a token of type `clevis` together with its keyslot; `clevis luks list -d /dev/<disk2>` shows the same), then regenerate the key:

```
# cryptsetup luksDump /dev/<disk2>
# clevis luks regen -d /dev/<disk2> -s <keyslot>
```

The regenerated slot is sealed to the current PCR values, so automatic decryption works again on the next reboot.
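
As an added example (not code from the original page), the following POSIX shell script automates the re-binding step described above: it parses the `Tokens:` section of `cryptsetup luksDump` output to find every keyslot bound by a `clevis` token and runs `clevis luks regen` on each. The sample dump is constructed for offline use and is not real header data; the function names `clevis_keyslots`, `regen_clevis_slots` and `sample_dump` are chosen here and are not clevis or cryptsetup commands.

```shell
#!/bin/sh
# Added example, not from the original page: find the LUKS2 keyslot(s)
# bound by clevis in `cryptsetup luksDump` output and regenerate them.
# Assumptions: LUKS2 header (only LUKS2 has a "Tokens:" section), clevis
# tokens carry the type name "clevis", and a POSIX awk is available.

# Read luksDump text on stdin, print one keyslot number per clevis token.
# The Tokens section looks like:
#   Tokens:
#     0: clevis
#           Keyslot:    1
clevis_keyslots() {
    awk '
        /^Tokens:/  { in_tokens = 1; next }       # enter the Tokens section
        /^[A-Za-z]/ { in_tokens = 0 }             # any other top-level section ends it
        in_tokens && /^  [0-9]+: / {              # token header: "  N: <type>"
            is_clevis = ($2 == "clevis")
            next
        }
        in_tokens && is_clevis && $1 == "Keyslot:" { print $2 }
    '
}

# Regenerate every clevis-bound slot on DEV using the policy stored in its
# token (the same PCR bank/ids given at bind time). Needs root and a TPM;
# it is not exercised offline.
regen_clevis_slots() {
    dev="$1"
    slots=$(cryptsetup luksDump "$dev" | clevis_keyslots)
    if [ -z "$slots" ]; then
        echo "no clevis token found on $dev" >&2
        return 1
    fi
    for s in $slots; do
        echo "regenerating clevis keyslot $s on $dev"
        clevis luks regen -d "$dev" -s "$s"
    done
}

# Constructed luksDump excerpt (not a real header): two tokens, only the
# first of which is a clevis token. Real output uses tabs, reproduced here.
sample_dump() {
    printf 'LUKS header information\nVersion:\t2\nEpoch:\t5\n\n'
    printf 'Keyslots:\n  0: luks2\n\tKey:        512 bits\n\tPriority:   normal\n'
    printf '  1: luks2\n\tKey:        512 bits\n\tPriority:   normal\n'
    printf '  2: luks2\n\tKey:        512 bits\n\tPriority:   normal\n'
    printf 'Tokens:\n  0: clevis\n\tKeyslot:    1\n'
    printf '  1: luks2-keyring\n\tKeyslot:    2\n'
    printf 'Digests:\n  0: pbkdf2\n\tHash:       sha256\n'
}

# Usage on a real system (as root): regen_clevis_slots /dev/<disk2>
# Offline check of the parser:        sample_dump | clevis_keyslots   # prints 1
```

The parser deliberately ignores the `Keyslots:` section and reads only the `Tokens:` section, because the slot number alone does not say which slot clevis owns; the token is what ties a slot to its TPM policy, and `clevis luks regen` must be given that slot.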