Last active: May 6, 2023 14:02
Updates the TPM enrollment for LUKS encrypted volumes using PCR7
# This assumes you have already set up a LUKS volume with a password (which you will need for this process).
# This process will create a recovery key (which you need to save in a safe place), then enroll a LUKS key in the
# TPM using PCR 7 to check secure boot state (see https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html).
# Finally, it will remove the password, leaving the TPM and the recovery key. You will need the recovery key
# if you install a firmware update that modifies the secure boot state.
# !!!! WARNING - WARNING - WARNING !!!!
# I recommend you copy/paste this and do it one line at a time, not automated in a for loop
# like below. I wrote it this way to serve more as documentation. If this doesn't go right, you'll have
# a storage volume(s) full of random data that is irrecoverable.
# Identify your LUKS partitions: each one has a "crypt" child device in the lsblk tree
CPARTS=$(lsblk -J | jq '.. | select(.children? and .children[].type=="crypt").name' -r)
for entry in ${CPARTS[*]}; do
echo "=== This will prompt for your current LUKS password for /dev/${entry} ==="
sudo systemd-cryptenroll "/dev/${entry}" --recovery-key
echo -e "\n=== Press any key to continue. ==="
read -n 1
echo "=== Wiping password /dev/${entry} ==="
sudo systemd-cryptenroll "/dev/${entry}" --wipe-slot=password
echo "=== Enrolling key in TPM for /dev/${entry}. This will prompt for your recovery key. ==="
sudo systemd-cryptenroll "/dev/${entry}" --tpm2-device=auto --tpm2-pcrs=7
done
# It is set up correctly when the output of the following command has tpm2 in slot 0 and recovery in slot 1.
# The first slot available is used when booting. If the recovery key is first in the list, you will have to
# enter it every time.
for entry in ${CPARTS[*]}; do
echo "=== Keys enrolled for /dev/${entry} ==="
sudo systemd-cryptenroll "/dev/${entry}"
done
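The slot-order check above is done by eye. As an added example (not part of the gist), the shell functions below parse the listing that `systemd-cryptenroll /dev/<part>` prints and verify the layout the gist calls correct (tpm2 in slot 0, recovery in slot 1, no password slot left), plus a guard that refuses the "wipe password" step unless a recovery key is already enrolled. The listings are constructed samples, and the "SLOT TYPE" two-column layout is assumed to match the tool's output.

```shell
#!/usr/bin/env sh
# Added example: verify systemd-cryptenroll slot layout before trusting a TPM-only boot.

# Print the key type enrolled in slot $2 of listing $1 (empty if the slot is absent).
# Assumes the listing is a "SLOT TYPE" header followed by one "<n> <type>" line per slot.
slot_type() {
  printf '%s\n' "$1" | awk -v s="$2" 'NR > 1 && $1 == s { print $2 }'
}

# Return 0 only if some slot in listing $1 has type $2.
has_type() {
  printf '%s\n' "$1" | awk -v t="$2" 'NR > 1 && $2 == t { found = 1 } END { exit !found }'
}

# Boot-safe layout per the gist: slot 0 tpm2, slot 1 recovery, and no password slot
# remaining (a leftover password slot means the removal step did not happen).
check_layout() {
  [ "$(slot_type "$1" 0)" = "tpm2" ]     || return 1
  [ "$(slot_type "$1" 1)" = "recovery" ] || return 1
  has_type "$1" password && return 1
  return 0
}

# Guard for the destructive step: wiping the password is only safe once a recovery
# key exists, otherwise nothing can unlock the volume.
safe_to_wipe_password() {
  has_type "$1" recovery
}

# Convenience wrapper against a real device (hypothetical helper; not run by the test).
check_device() {
  check_layout "$(sudo systemd-cryptenroll "/dev/$1")"
}

# Constructed sample listings for the three states a practitioner will see.
GOOD='SLOT TYPE
   0 tpm2
   1 recovery'

WRONG_ORDER='SLOT TYPE
   0 recovery
   1 tpm2'

NOT_READY='SLOT TYPE
   0 password'
```

With the wrong order, boot will prompt for the recovery key every time; with the password still present, the enrollment procedure was not completed.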

# Re-enrollment after a firmware or secure boot change: identify your LUKS partitions (each has a "crypt" child device)
CPARTS=$(lsblk -J | jq '.. | select(.children? and .children[].type=="crypt").name' -r)
for entry in ${CPARTS[*]}; do
# Replace the stale tpm2 slot with a fresh PCR 7 binding. This will prompt for your recovery key.
sudo systemd-cryptenroll "/dev/${entry}" --tpm2-device=auto --wipe-slot=tpm2 --tpm2-pcrs=7
done
Just be sure you know what you're doing. If you mess this up, your system is unrecoverable even by the best forensics analysts. You should have already followed one of the various tutorials on setting up your system to use TPM2 entries as the LUKS keys AND have generated a recovery key for each partition.