Automatic decryption (unfinished)
Using Clevis it is possible to decrypt the system automatically at startup. Because we haven't been able to figure out how to create a functional template file for it, we have to compile Clevis ourselves. Note that you must use the booster initramfs. (A lot more information about what Clevis can do can be found on the ArchWiki.)
Installing José
First we have to compile José, a "C-language implementation of Javascript Object Signing and Encryption", which Clevis depends on. Start by installing the packages needed to build José:
# xbps-install -Sy pkg-config zlib-devel jansson-devel openssl-devel jq-devel gcc meson ninja asciidoc
Then fetch the José source archive:
$ xbps-fetch https://github.com/latchset/jose/archive/refs/tags/v11.tar.gz
Unpack the tarball, change into the extracted directory and run:
$ mkdir build && cd build
$ meson .. --prefix=/usr
$ ninja
# ninja install
Installing Clevis
With José installed, install the remaining dependencies:
# xbps-install -Sy luksmeta cryptsetup-devel tpm2-tools libpwquality-devel
(this list is probably incomplete)
Then fetch the Clevis source archive:
$ xbps-fetch https://github.com/latchset/clevis/archive/refs/tags/v19.tar.gz
After unpacking the archive and changing into its directory, run:
$ meson build
$ ninja -C build
# ninja -C build install
Acquiring automatic decryption
To bind the LUKS volume to the TPM with Clevis, run:
# clevis luks bind -d /dev/disk/by-label/luks tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}'
# xbps-reconfigure -f linux<version>
This binds the partition to the TPM2 with a policy over PCRs 1 and 7 (firmware configuration and Secure Boot state), so the root partition can now be unlocked automatically at startup.
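A check to run after the bind step, added here as an example that is not from the original page or from the Clevis project: it parses the output of `clevis luks list` (the one-line-per-slot format is an assumption, shown in the comments) with nothing but sed and confirms that the slot is a tpm2 binding using the sha256 bank whose PCR list includes PCR 7, i.e. that unlocking is actually tied to the Secure Boot state. With no device argument it runs on a constructed sample listing.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check the Clevis TPM2
# binding created above before relying on it for automatic unlock.
# Assumption: `clevis luks list -d <dev>` prints one line per bound keyslot,
#   1: tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}'
# The sample below is constructed in that shape.

# Print the string value of KEY from the JSON config on one list line.
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Return 0 if the line is a tpm2 binding whose policy uses the sha256 bank
# and includes PCR 7 (the Secure Boot state the page relies on), else 1.
binding_ok() {
    entry=$1
    case $entry in
        *": tpm2 "*) ;;
        *) return 1 ;;
    esac
    bank=$(json_field "$entry" pcr_bank)
    ids=$(json_field "$entry" pcr_ids)
    [ "$bank" = "sha256" ] || return 1
    case ",$ids," in
        *,7,*) return 0 ;;   # 7 present as a whole comma-separated item
    esac
    return 1
}

# Return 0 if at least one line of the listing is an acceptable binding.
check_lines() {
    ok=1
    old_ifs=$IFS
    IFS='
'
    for line in $1; do
        if binding_ok "$line"; then echo "acceptable: $line"; ok=0
        else echo "rejected:   $line"; fi
    done
    IFS=$old_ifs
    return $ok
}

# Constructed sample used when no device is given on the command line.
SAMPLE="1: tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"1,7\"}'"
main() {
    if [ -n "$1" ]; then check_lines "$(clevis luks list -d "$1")"
    else check_lines "$SAMPLE"; fi
}
main "$@"
```

Run it as `sh check-binding.sh /dev/disk/by-label/luks` on the real device; a non-zero exit means no slot carries the expected policy and automatic unlock should not be trusted yet.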