# Automatic decryption
Our system can use its TPM2 to decrypt the disk automatically. This is acceptable only because the boot chain is secured; it also saves typing an encryption passphrase every time the system boots.
If `home-manager` was installed correctly, it should also have installed both `clevis` and `tpm2-tools`. These allow the LUKS volume to be bound to the TPM with clevis:
```
# clevis luks bind -d /dev/<disk2> tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}'
```
After rebooting it should automatically decrypt your disk.
Clevis can be invoked again if you have changed Secure Boot or the system and the disk no longer decrypts automatically (such changes alter the PCR values the binding was sealed against).
First find the keyslot clevis is using and then regenerate the key:
```
# cryptsetup luksDump /dev/<disk2>
# clevis luks regen -d /dev/<disk2> -s <keyslot>
```
If done correctly it should now work again.
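As an added example (not part of this page or the clevis project), the following POSIX shell script automates the two steps above: it parses the `Tokens:` section of `cryptsetup luksDump` output, picks out only the keyslots that `clevis` tokens point at, and emits the matching `clevis luks regen` command for each. The device path and the `luksDump` excerpt are constructed placeholders; a real run pipes the actual dump in and executes the printed commands as root.

```shell
#!/bin/sh
# Added example: find the LUKS2 keyslots referenced by clevis tokens and build
# the regen command for each. Device path and luksDump text are constructed.
set -eu

# Read `cryptsetup luksDump` output on stdin and print one keyslot number per
# line for every token of type "clevis". Tokens of other types are skipped.
clevis_keyslots_from_dump() {
  awk '
    /^Tokens:/  { in_tokens = 1; next }
    /^[A-Za-z]/ { in_tokens = 0 }        # next top-level section (e.g. Digests:) ends the block
    in_tokens && /^[[:space:]]+[0-9]+:[[:space:]]+clevis[[:space:]]*$/ { is_clevis = 1; next }
    in_tokens && /^[[:space:]]+[0-9]+:/                                 { is_clevis = 0 }
    in_tokens && is_clevis && /^[[:space:]]+Keyslot:/                   { print $2 }
  '
}

# Turn the luksDump text on stdin into `clevis luks regen` commands for the
# given device. Printing rather than executing keeps the example side-effect
# free; pipe the output to `sh` as root to actually regenerate the bindings.
regen_commands() {
  dev="$1"
  clevis_keyslots_from_dump | while IFS= read -r slot; do
    printf 'clevis luks regen -d %s -s %s\n' "$dev" "$slot"
  done
}

# Constructed luksDump excerpt: keyslot 0 holds the passphrase, keyslot 1 is
# bound by a clevis token, keyslot 2 by an unrelated systemd-tpm2 token.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
  1: systemd-tpm2
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256'

# Real use (as root):
#   cryptsetup luksDump /dev/<disk2> | regen_commands /dev/<disk2> | sh
printf '%s\n' "$SAMPLE_DUMP" | regen_commands /dev/disk2-placeholder
```

Only the clevis slot (1) is selected; the passphrase slot and the systemd-tpm2 slot are left alone, so the regen never touches a keyslot that clevis does not own.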