Updated automatic-decryption to use clevis package
parent
5766dea107
commit
b30a146641
1 changed files with 17 additions and 44 deletions
|
@ -1,52 +1,13 @@
|
|||
# Automatic decryption *(unfinished)*
|
||||
# Automatic decryption
|
||||
|
||||
Using Clevis it's possible to automatically decrypt the system upon startup. But because we haven't been able to figure out how to create a functional template file for that we'll have to compile it ourselves. Note that you must use the `booster` initramfs. (A lot more information about the possibilities from clevis can be found on the [ArchWiki](https://wiki.archlinux.org/title/Clevis))
|
||||
Using Clevis it's possible to automatically decrypt the system upon startup. Note that you must use the `booster` initramfs which should be installed if you followed this guide. (A lot more information about the possibilities from Clevis can be found on the [ArchWiki](https://wiki.archlinux.org/title/Clevis))
|
||||
|
||||
## Installing José
|
||||
## Installation
|
||||
|
||||
First we have to compile [José](https://github.com/latchset/jose), a "C-language implementation of Javascript Object Signing and Encryption". José is a dependency of Clevis.
|
||||
First install the dependencies needed to compile josé.
|
||||
Installing clevis is straightforward:
|
||||
|
||||
```
|
||||
# xbps-install -Sy pkg-config zlib-devel jansson-devel openssl-devel jq-devel gcc meson ninja asciidoc
|
||||
```
|
||||
|
||||
After that we have to obtain the source of José:
|
||||
|
||||
```
|
||||
$ xbps-fetch https://github.com/latchset/jose/archive/refs/tags/v11.tar.gz
|
||||
```
|
||||
|
||||
Unpack the Tar and go into the directory and follow the rest of these instructions:
|
||||
|
||||
```
|
||||
$ mkdir build && cd build
|
||||
$ meson .. --prefix=/usr
|
||||
$ ninja
|
||||
# ninja install
|
||||
```
|
||||
|
||||
## Installing Clevis
|
||||
|
||||
After having installed José install the other dependencies.
|
||||
|
||||
```
|
||||
# xbps-install -Sy luksmeta cryptsetup-devel tpm2-tools libpwquality-devel
|
||||
(probably missing a few)
|
||||
```
|
||||
|
||||
Then clone the source code into a directory
|
||||
|
||||
```
|
||||
$ xbps-fetch https://github.com/latchset/clevis/archive/refs/tags/v19.tar.gz
|
||||
```
|
||||
|
||||
After unpacking and going into the directory follow the rest of these instructions:
|
||||
|
||||
```
|
||||
$ meson build
|
||||
$ ninja -C build
|
||||
# ninja -C build install
|
||||
# xbps-install -Sy clevis
|
||||
```
|
||||
|
||||
## Acquiring automatic decryption
|
||||
|
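Review bot: The new Installation section reduces setup to `# xbps-install -Sy clevis`, but the removed lines installed `luksmeta` and `tpm2-tools` explicitly, and the next section binds the volume to the TPM. Please confirm that the clevis package pulls both in as runtime dependencies, or list them next to the install command. Minor style point: "Installing clevis is straightforward:" uses lowercase where the rest of the new text writes "Clevis".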
@ -59,3 +20,15 @@ To bind our LUKS volume to TPM with clevis simply enter this command:
|
|||
```
|
||||
|
||||
This will bind the partition with TPM2 and Secureboot and now the root partition can be unencrypted on startup automatically.
|
||||
|
||||
If any changes have been made to the Bios or Secureboot and Clevis doesn't automatically decrypt the disk again. Clevis will have to be envoked again.
|
||||
|
||||
```
|
||||
# clevis luks regen -d /dev/disk/by-label/luks -s <keyslot>
|
||||
```
|
||||
|
||||
The keyslot can be found with:
|
||||
|
||||
```
|
||||
# cryptsetup luksDump /dev/disk/by-label/luks
|
||||
```
|
||||
|
|
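Review bot: The "The keyslot can be found with:" step points to `cryptsetup luksDump`, which lists every keyslot without saying which one holds the Clevis binding, and it comes after the `clevis luks regen ... -s <keyslot>` command that needs the value. Consider moving it above the regen command and using `clevis luks list -d /dev/disk/by-label/luks`, which prints the slot together with its pin. The regen paragraph should also tell the reader to confirm that the firmware or Secure Boot change was expected before regenerating, since regenerating binds the key to the new state. Wording: "envoked" should be "invoked", and "If any changes have been made ... again." is a fragment that should be joined to the following sentence.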