# Automatic decryption

Our system can use its TPM2 to unlock the encrypted disk automatically. This is acceptable because the boot chain is secured and measured into the TPM (Secure Boot plus the PCR measurements below), and it is tedious to type the encryption passphrase every time the system boots. The TPM only releases the key while the measured boot state matches what it was when the key was sealed.

First off, the packages `clevis` and `tpm2-tools` have to be installed:

```
# apk add tpm2-tools
$ nix-shell -p clevis
```

> Not yet doable (but will be, don't worry ;) )

Now bind our LUKS volume to the TPM with clevis. The policy below seals the key to the SHA-256 bank of PCRs 0, 1, 5 and 7 (firmware code, firmware configuration, GPT partition table and Secure Boot state), so the TPM only unseals it when those measurements match the ones recorded at bind time. `clevis luks bind` asks for an existing LUKS passphrase and adds a new keyslot of its own; the passphrase slot stays in place, so keep that passphrase as your recovery path:

```
# clevis luks bind -d /dev/<disk2> tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}'
```

After rebooting the disk should be unlocked automatically, provided the initramfs includes Clevis's unlock hook. Keep in mind what this protects against: anyone who boots this machine with the unmodified boot chain gets the disk unlocked too. The PCR policy defends against a tampered boot chain, not against physical access to a machine that boots normally, so the login screen becomes the real barrier.

If you change Secure Boot settings, update the firmware, repartition the disk, or otherwise alter something measured into the bound PCRs, the TPM will refuse to unseal the key and you will be prompted for the passphrase instead. Clevis can then be invoked again to seal the key against the new PCR values.

First find the keyslot clevis is using (in the `Tokens:` section of the LUKS2 header, the `clevis` token names its `Keyslot:`), then "regen" the binding for that slot:

```
# cryptsetup luksDump /dev/<disk2>
# clevis luks regen -d /dev/<disk2> -s <keyslot>
```

It should now work again.
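The rebind step above is the one people get wrong, usually by passing the passphrase slot instead of the Clevis slot to `-s`. The following script is an added example (not code from the original page or from the Clevis project): it builds the tpm2 pin policy used above, pulls the Clevis-owned keyslot out of `cryptsetup luksDump` output, and prints the exact `clevis luks regen` command to run. It assumes a LUKS2 header (LUKS1 has no `Tokens:` section) and the clevis CLI shown on this page; the luksDump excerpt and the device name `/dev/sdb2` are constructed for the demonstration and nothing here touches a real device.

```shell
#!/bin/sh
# Added example, not part of the original page. Helpers for the Clevis/TPM2
# workflow: build the tpm2 pin policy, find the keyslot Clevis bound (so that
# `clevis luks regen -s` gets the right slot), and emit the rebind command.
# Assumes LUKS2 (luksDump prints a "Tokens:" section). Run the printed
# command yourself as root; this script only inspects text.
set -eu

# Build the clevis tpm2 pin config from PCR indices.
# pcr_policy 0 1 5 7  ->  {"pcr_bank":"sha256","pcr_ids":"0,1,5,7"}
pcr_policy() {
    ids=$(printf '%s,' "$@")
    printf '{"pcr_bank":"sha256","pcr_ids":"%s"}' "${ids%,}"
}

# Read `cryptsetup luksDump` output on stdin and print the keyslot number the
# first token of type "clevis" points at; print nothing if there is none.
# LUKS2 lays the section out as:
#   Tokens:
#     0: clevis
#           Keyslot:    1
clevis_slot_from_dump() {
    awk '
        /^Tokens:/                            { in_tokens = 1; next }
        /^[A-Za-z]/                           { in_tokens = 0 }
        in_tokens && /^[ \t]+[0-9]+: clevis$/ { found = 1; next }
        in_tokens && found && /Keyslot:/      { print $2; exit }
    '
}

# Print the regen command for DEV from luksDump text on stdin. Fails when no
# clevis token exists: then the binding is gone and you need `clevis luks bind`
# again rather than regen.
regen_cmd() {
    dev=$1
    slot=$(clevis_slot_from_dump)
    [ -n "$slot" ] || { echo "no clevis token on $dev; bind it first" >&2; return 1; }
    printf 'clevis luks regen -d %s -s %s\n' "$dev" "$slot"
}

# Constructed LUKS2 luksDump excerpt: slot 0 holds the passphrase, slot 1 is
# the one `clevis luks bind` added.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
'

# Policy string identical to the one used in the bind step above.
pcr_policy 0 1 5 7
echo

# On a real system:  cryptsetup luksDump /dev/<disk2> | regen_cmd /dev/<disk2>
# Here the constructed dump stands in for the real header; the device name is
# an example value.
printf '%s\n' "$SAMPLE_DUMP" | regen_cmd /dev/sdb2
```

The awk parser keys on the token type, not on the slot number, because the Clevis slot is whatever was free at bind time (slot 1 here, but slot 2 or higher on a volume that already had several passphrases). Running `regen` against the passphrase slot would replace your recovery passphrase with TPM-sealed material, which is exactly the mistake this avoids.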