From b30a146641eb460094bac40a3b89519096166216 Mon Sep 17 00:00:00 2001 From: Tastatur Date: Fri, 8 Sep 2023 10:53:35 +0200 Subject: [PATCH] Updated automatic-decryption to use clevis package --- .../post-installation/automatic-decryption.md | 61 ++++++------------- 1 file changed, 17 insertions(+), 44 deletions(-) diff --git a/docs/void-desktop-setup/post-installation/automatic-decryption.md b/docs/void-desktop-setup/post-installation/automatic-decryption.md index cdabb7b..6579034 100644 --- a/docs/void-desktop-setup/post-installation/automatic-decryption.md +++ b/docs/void-desktop-setup/post-installation/automatic-decryption.md 
@@ -1,52 +1,13 @@ -# Automatic decryption *(unfinished)* +# Automatic decryption -Using Clevis it's possible to automatically decrypt the system upon startup. But because we haven't been able to figure out how to create a functional template file for that we'll have to compile it ourselves. Note that you must use the `booster` initramfs. (A lot more information about the possibilities from clevis can be found on the [ArchWiki](https://wiki.archlinux.org/title/Clevis)) +Using Clevis it's possible to automatically decrypt the system upon startup. Note that you must use the `booster` initramfs which should be installed if you followed this guide. (A lot more information about the possibilities from Clevis can be found on the [ArchWiki](https://wiki.archlinux.org/title/Clevis)) -## Installing José +## Installation -First we have to compile [José](https://github.com/latchset/jose), a "C-language implementation of Javascript Object Signing and Encryption". José is a dependency of Clevis. -First install the dependencies needed to compile josé. +Installing clevis is straightforward: ``` -# xbps-install -Sy pkg-config zlib-devel jansson-devel openssl-devel jq-devel gcc meson ninja asciidoc -``` - -After that we have to obtain the source of José: - -``` -$ xbps-fetch https://github.com/latchset/jose/archive/refs/tags/v11.tar.gz -``` - -Unpack the Tar and go into the directory and follow the rest of these instructions: - -``` -$ mkdir build && cd build -$ meson .. --prefix=/usr -$ ninja -# ninja install -``` - -## Installing Clevis - -After having installed José install the other dependencies. 
- -``` -# xbps-install -Sy luksmeta cryptsetup-devel tpm2-tools libpwquality-devel -(probably missing a few) -``` - -Then clone the source code into a directory - -``` -$ xbps-fetch https://github.com/latchset/clevis/archive/refs/tags/v19.tar.gz -``` - -After unpacking and going into the directory follow the rest of these instructions: - -``` -$ meson build -$ ninja -C build -# ninja -C build install +# xbps-install -Sy clevis ``` ## Acquiring automatic decryption @@ -59,3 +20,15 @@ To bind our LUKS volume to TPM with clevis simply enter this command: ``` This will bind the partition with TPM2 and Secureboot and now the root partition can be unencrypted on startup automatically. + +If any changes have been made to the Bios or Secureboot and Clevis doesn't automatically decrypt the disk again. Clevis will have to be envoked again. + +``` +# clevis luks regen -d /dev/disk/by-label/luks -s +``` + +The keyslot can be found with: + +``` +# cryptsetup luksDump /dev/disk/by-label/luks +```
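Review bot: In the first hunk (`@@ -1,52 +1,13 @@`), the new install step `# xbps-install -Sy clevis` replaces the removed lines that installed `luksmeta` and `tpm2-tools` by hand, and the page no longer says whether the package brings in what the TPM2 bind further down needs at runtime. Either confirm in the text that the `clevis` package pulls those in as dependencies, or keep them on the install line. Two style points in the same hunk: "Installing clevis is straightforward" uses lower-case "clevis" while the rest of the page writes "Clevis", and "the `booster` initramfs which should be installed if you followed this guide" wants a comma before "which".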
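Review bot: In the second hunk (`@@ -59,3 +20,15 @@`), the added command `# clevis luks regen -d /dev/disk/by-label/luks -s` stops at `-s` with no slot value, so it cannot be run as written, and the step that tells the reader how to find the keyslot (`cryptsetup luksDump`) comes after it. Put the `luksDump` step first and show the slot as an explicit placeholder, for example `-s <keyslot>`. The sentence before it is a fragment split across a full stop and has two typos: "If any changes have been made to the Bios or Secureboot and Clevis doesn't automatically decrypt the disk again. Clevis will have to be envoked again." should read as one sentence, with "BIOS" and "invoked". Since this paragraph covers the case where automatic unlock has stopped working, it should also say how the reader gets the volume open in that state before running the regen.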