man/tpm2-crypttab.sh

   1 # SPDX-License-Identifier: MIT-0
   2
   3 # Enroll the TPM2 security chip in the LUKS2 volume, and bind it to PCR 7
   4 # only. Replace /dev/sdXn by the partition to use (e.g. /dev/sda1).
   5 sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdXn
   6
   7 # Test: Let's run systemd-cryptsetup to test if this worked.
   8 sudo systemd-cryptsetup attach mytest /dev/sdXn none tpm2-device=auto
   9
  10 # If that worked, let's now add the same line persistently to /etc/crypttab,
  11 # for the future. We do not want to use the (unstable) /dev/sdX name, so let's
  12 # figure out a stable link:
  13 udevadm info -q symlink -r /dev/sdXn
  14
  15 # Now add the line using the by-uuid symlink to /etc/crypttab:
  16 sudo bash -c 'echo "mytest /dev/disk/by-uuid/... none tpm2-device=auto" >>/etc/crypttab'
  17
  18 # And now let's check that automatic unlocking works:
  19 sudo systemd-cryptsetup detach mytest
  20 sudo systemctl daemon-reload
  21 sudo systemctl start cryptsetup.target
  22 systemctl is-active systemd-cryptsetup@mytest.service
  23
  24 # Once we have the device which will be unlocked automatically, we can use it.
  25 # Usually we would create a file system and add it to /etc/fstab:
  26 sudo mkfs.ext4 /dev/mapper/mytest
  27 # This prints a 'Filesystem UUID', which we can use as a stable name:
  28 sudo bash -c 'echo "/dev/disk/by-uuid/... /var/mytest ext4 defaults,x-systemd.mkdir 0 2" >>/etc/fstab'
  29 # And now let's check that the mounting works:
  30 sudo systemctl daemon-reload
  31 sudo systemctl start /var/mytest
  32 systemctl status /var/mytest
  33
  34 # Depending on your distribution and encryption setup, you may need to manually
  35 # regenerate your initramfs to be able to use a TPM2 security chip to unlock
  36 # the partition during early boot.
  37 # More information at https://unix.stackexchange.com/a/705809.
  38 # On Fedora based systems:
  39 sudo dracut --force
  40 # On Debian based systems:
  41 sudo update-initramfs -u