Updated automatic-decryption to use clevis package

Tastatur 2023-09-08 10:53:35 +02:00
parent 5766dea107
commit b30a146641


@ -1,52 +1,13 @@
# Automatic decryption *(unfinished)* # Automatic decryption
Using Clevis it's possible to automatically decrypt the system upon startup. But because we haven't been able to figure out how to create a functional template file for that we'll have to compile it ourselves. Note that you must use the `booster` initramfs. (A lot more information about the possibilities from clevis can be found on the [ArchWiki](https://wiki.archlinux.org/title/Clevis)) Using Clevis it's possible to automatically decrypt the system upon startup. Note that you must use the `booster` initramfs which should be installed if you followed this guide. (A lot more information about the possibilities from Clevis can be found on the [ArchWiki](https://wiki.archlinux.org/title/Clevis))
## Installing José ## Installation
First we have to compile [José](https://github.com/latchset/jose), a "C-language implementation of Javascript Object Signing and Encryption". José is a dependency of Clevis. Installing clevis is straightforward:
First install the dependencies needed to compile josé.
``` ```
# xbps-install -Sy pkg-config zlib-devel jansson-devel openssl-devel jq-devel gcc meson ninja asciidoc # xbps-install -Sy clevis
```
After that we have to obtain the source of José:
```
$ xbps-fetch https://github.com/latchset/jose/archive/refs/tags/v11.tar.gz
```
Unpack the Tar and go into the directory and follow the rest of these instructions:
```
$ mkdir build && cd build
$ meson .. --prefix=/usr
$ ninja
# ninja install
```
## Installing Clevis
After having installed José install the other dependencies.
```
# xbps-install -Sy luksmeta cryptsetup-devel tpm2-tools libpwquality-devel
(probably missing a few)
```
Then clone the source code into a directory
```
$ xbps-fetch https://github.com/latchset/clevis/archive/refs/tags/v19.tar.gz
```
After unpacking and going into the directory follow the rest of these instructions:
```
$ meson build
$ ninja -C build
# ninja -C build install
``` ```
## Acquiring automatic decryption ## Acquiring automatic decryption
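Review bot: The new install step is only `xbps-install -Sy clevis`, while the removed build instructions installed `luksmeta` and `tpm2-tools` by hand. The TPM2 bind step in the next section depends on them, so please add a sentence confirming that the package pulls them in, or list them explicitly. In the intro, "which should be installed if you followed this guide" leaves readers who arrived from elsewhere without a way to check; a link to the guide section that sets up `booster` would help. Capitalisation is also inconsistent in the added lines ("Installing clevis" next to "Clevis").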
@ -59,3 +20,15 @@ To bind our LUKS volume to TPM with clevis simply enter this command:
``` ```
This will bind the partition with TPM2 and Secureboot and now the root partition can be unencrypted on startup automatically. This will bind the partition with TPM2 and Secureboot and now the root partition can be unencrypted on startup automatically.
If any changes have been made to the Bios or Secureboot and Clevis doesn't automatically decrypt the disk again. Clevis will have to be envoked again.
```
# clevis luks regen -d /dev/disk/by-label/luks -s <keyslot>
```
The keyslot can be found with:
```
# cryptsetup luksDump /dev/disk/by-label/luks
```