Added automatic decryption page
This commit is contained in:
parent
17563f77cf
commit
535276089f
1 changed files with 31 additions and 0 deletions
@ -0,0 +1,31 @@
# Automatic decryption
Our system can utilize it's TPM2 to automatically decrypt. This can be done because the bootchain is secure and it's a bit tedious to enter an encryption password everytime the system boots up.
First off the packages `clevis` and `tpm2-tools` have to be installed:
```
$ <nix-env -iA nixpkgs.clevis>
# <apk add tpm2-tools>
```
> Not yet doable (but will be don't worry ;) )
Now bind our LUKS volume to TPM with clevis:
```
# clevis luks bind -d /dev/<disk2> tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}'
```
After rebooting it should automatically decrypt your disk.
Clevis can be envoked again if you have made any changes to secureboot or system and it doesn't automatically decrypt the disk.
First find the keyslot clevis is using and then "regen" the key:
```
# cryptsetup luksDump /dev/<disk2>
# clevis luks regen -d /dev/<disk2> -s <keyslot>
```
It should now work again.
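Review bot: the `clevis luks bind ... tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}'` line binds the LUKS key only to PCR 1 (firmware configuration) and PCR 7 (Secure Boot policy and the certificates used to verify boot components); neither of those measures the kernel or initramfs that actually runs clevis, so the sentence "This can be done because the bootchain is secure" only holds if Secure Boot is enforcing and the whole chain up to and including the initramfs is signed. Please state that precondition next to the bind command, and mention that the existing LUKS passphrase must be kept: after a firmware or Secure Boot change the old binding no longer unseals, so the `clevis luks regen -d /dev/<disk2> -s <keyslot>` step will fall back to asking for it. Two smaller points: `clevis luks list -d /dev/<disk2>` reports the clevis-owned slot directly, which is easier than reading it out of `cryptsetup luksDump`; and the install block mixes `nix-env -iA nixpkgs.clevis` with `apk add tpm2-tools`, which cannot both apply to one system, so pick the package manager the page targets. Typos in the prose: "it's TPM2" should be "its TPM2", "everytime" should be "every time", and "envoked" should be "invoked".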