Automatic decryption
Using Clevis it is possible to decrypt the system automatically at startup. Note that this requires the booster initramfs, which is already installed if you followed this guide. (Much more information about what Clevis can do is available on the ArchWiki.)
Installation
Installing Clevis is straightforward:
# xbps-install -Sy clevis
Acquiring automatic decryption
To bind our LUKS volume to the TPM with Clevis, run:
# clevis luks bind -d /dev/disk/by-label/luks tpm2 '{"pcr_bank":"sha256","pcr_ids":"1,7"}'
# xbps-reconfigure -f linux<version>
This binds the partition to the TPM2 and Secure Boot state, and the root partition can now be decrypted automatically at startup.
If any changes have been made to the BIOS or Secure Boot configuration and Clevis no longer decrypts the disk automatically, Clevis will have to be invoked again:
# clevis luks regen -d /dev/disk/by-label/luks -s <keyslot>
The keyslot can be found with:
# cryptsetup luksDump /dev/disk/by-label/luks
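The keyslot to pass to `clevis luks regen -s` is the one listed under the Clevis token in the LUKS2 header, and it is worth checking at the same time that at least one keyslot is still held by a passphrase rather than by Clevis, so the disk can be unlocked by hand if the TPM refuses to unseal after a firmware change. The script below is an added example, not part of this wiki page or of the Clevis project; the function names are made up here, and the `luksDump` output it parses is a constructed sample rather than output from a real device:

```shell
#!/bin/sh
# Added example, not part of the Void Linux wiki page: parse the output of
# `cryptsetup luksDump <device>` (LUKS2 format) to find which keyslot a Clevis
# token is bound to, so the right value can be passed to `clevis luks regen -s`.
# The sample dumps below are constructed, trimmed to the fields that matter.

# Print the keyslot number of every token whose type is "clevis".
clevis_keyslots() {
    awk '
        /^Tokens:/                        { in_tokens = 1; next }
        /^[A-Za-z]/                       { in_tokens = 0 }       # next top-level section
        in_tokens && /^ +[0-9]+: clevis/  { want = 1; next }      # a clevis token header
        in_tokens && /^ +[0-9]+:/         { want = 0 }            # some other token type
        in_tokens && want && /Keyslot:/   { print $2; want = 0 }
    '
}

# Print the number of every keyslot present in the header.
all_keyslots() {
    awk '
        /^Keyslots:/              { in_slots = 1; next }
        /^[A-Za-z]/               { in_slots = 0 }
        in_slots && /^ +[0-9]+:/  { sub(":", "", $1); print $1 }
    '
}

# Succeed (exit 0) when at least one keyslot is not held by a Clevis token,
# i.e. a passphrase fallback still exists for when the PCR values change.
has_fallback_keyslot() {
    dump=$1
    for slot in $(printf '%s\n' "$dump" | all_keyslots); do
        bound=no
        for b in $(printf '%s\n' "$dump" | clevis_keyslots); do
            if [ "$slot" = "$b" ]; then bound=yes; fi
        done
        if [ "$bound" = no ]; then return 0; fi
    done
    return 1
}

# Constructed sample: slot 0 holds a passphrase, slot 1 was added by
# `clevis luks bind` (token 0).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          4
Label:          luks
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256'

# Constructed variant where both slots are Clevis-bound: nothing to type
# at the prompt if the TPM refuses to unseal after a firmware change.
SAMPLE_NO_FALLBACK='Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    0
  1: clevis
        Keyslot:    1
Digests:
  0: pbkdf2'

printf 'Clevis-bound keyslots: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | clevis_keyslots)"
if has_fallback_keyslot "$SAMPLE_DUMP"; then
    echo "a non-Clevis keyslot exists; manual unlock remains possible"
else
    echo "WARNING: every keyslot is bound to Clevis"
fi
```

On a real system, replace the constructed sample with `cryptsetup luksDump /dev/disk/by-label/luks` piped into `clevis_keyslots`; the number it prints is the `<keyslot>` for `clevis luks regen`. If `has_fallback_keyslot` fails, add a passphrase keyslot with `cryptsetup luksAddKey` before touching the firmware or Secure Boot settings.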