documentation/docs/void-desktop-setup/Automatic-decryption.md

2023-08-16 23:13:16 +02:00
Using Clevis it is possible to decrypt the system automatically at startup. Because we have not been able to figure out how to create a functional template file for it, we have to compile it ourselves. Note that you must use the `booster` initramfs. (A lot more information about what Clevis can do is on the [ArchWiki](https://wiki.archlinux.org/title/Clevis).)
#### Installing José
First we have to compile [José](https://github.com/latchset/jose), a "C-language implementation of Javascript Object Signing and Encryption". José is a dependency of Clevis.
Start by installing the dependencies needed to compile José:
```
# xbps-install -Sy pkg-config zlib-devel jansson-devel openssl-devel jq-devel gcc meson ninja asciidoc
```
After that we have to obtain the source of José:
```
$ xbps-fetch https://github.com/latchset/jose/archive/refs/tags/v11.tar.gz
```
Unpack the tarball, change into the extracted directory and run:
```
$ mkdir build && cd build
$ meson .. --prefix=/usr
$ ninja
# ninja install
```
#### Installing Clevis
After installing José, install the other dependencies:
```
# xbps-install -Sy luksmeta cryptsetup-devel tpm2-tools libpwquality-devel
```
(This list is probably missing a few packages.)
Then fetch the source tarball:
```
$ xbps-fetch https://github.com/latchset/clevis/archive/refs/tags/v19.tar.gz
```
After unpacking and changing into the directory, run:
```
$ meson build
$ ninja -C build
# ninja -C build install
```
#### Acquiring automatic decryption
To bind our LUKS volume to the TPM with Clevis, enter these commands (the second one regenerates the initramfs so that `booster` picks up the binding):
```
# clevis luks bind -d /dev/disk/by-label/luks tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}'
# xbps-reconfigure -f linux<version>
```
This binds the partition to TPM2 and [secureboot](https://git.bijl.us/lnco/void-desktop-guide/wiki/Secure-boot.-) (PCR 7 measures the Secure Boot state, PCR 1 the firmware configuration), and the root partition can now be decrypted automatically at startup. `clevis luks bind` adds a new key slot and leaves the existing passphrase slot in place; keep that slot, because the TPM will refuse to unseal the key as soon as the measured values change (firmware update, Secure Boot changes) and you will need the passphrase to get in.
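As an added check (example code, not part of the original guide or of Clevis), this script verifies the result of the bind step from the text output of `clevis luks list -d DEV` and `cryptsetup luksDump DEV`: a tpm2 pin with the expected PCR policy must exist, and at least one other key slot (the passphrase) must remain. The sample outputs embedded below are constructed; the function names and the `/dev/disk/by-label/luks` path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Audits a Clevis TPM2 binding
# using the text output of `clevis luks list` and `cryptsetup luksDump`.

# count_keyslots DUMP: number of "N: luks2" key slot lines in a luksDump.
count_keyslots() {
    printf '%s\n' "$1" | grep -Ec '^[[:space:]]+[0-9]+: luks2'
}

# tpm2_pcr_ids LIST: print the pcr_ids of the first tpm2 pin in a
# `clevis luks list` output, or nothing if there is no tpm2 binding.
tpm2_pcr_ids() {
    printf '%s\n' "$1" | grep -E '^[0-9]+: tpm2 ' \
        | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p' | head -n 1
}

# audit_binding LIST DUMP WANT_PCRS: returns 0 when a tpm2 binding with
# exactly WANT_PCRS exists and a fallback key slot is still present,
# otherwise prints the reason to stderr and returns 1.
audit_binding() {
    list="$1" dump="$2" want="$3"
    got=$(tpm2_pcr_ids "$list")
    if [ -z "$got" ]; then
        echo "no tpm2 binding found" >&2; return 1
    fi
    if [ "$got" != "$want" ]; then
        echo "tpm2 binding uses PCRs $got, expected $want" >&2; return 1
    fi
    if [ "$(count_keyslots "$dump")" -lt 2 ]; then
        echo "only one key slot: no passphrase fallback" >&2; return 1
    fi
    return 0
}

# Constructed samples that mimic the shape of the real tool output.
SAMPLE_LIST="1: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\",\"pcr_bank\":\"sha256\",\"pcr_ids\":\"1,7\"}'"
SAMPLE_DUMP='Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits'

# Real usage (as root), against the device bound above:
#   audit_binding "$(clevis luks list -d /dev/disk/by-label/luks)" \
#                 "$(cryptsetup luksDump /dev/disk/by-label/luks)" "1,7"
```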