Storing your LUKS key in sealed TPM keyfile
First read BUILD, to make sure you have all the runtime pre-reqs installed, including the upstream trousers and tpm-tools packages.
A. Requirements and support B. Setup C. Initialization D. Upkeep E. Security Considerations
=== A. Requirements and support ===
Of course, to use the TPM to automatically unlock a LUKS partition, you'll actually need a TPM in the computer. Additionally, you'll need to enable it in the BIOS to ensure that it is usable by Linux. You can check that your TPM is available by looking for /dev/tpm0, which will exist if a kernel driver is loaded. As of the last modification, most distributions have the kernel drivers enabled.
Install the requirements, which includes: a. trousers >= 0.3.9 (included in most modern distros) b. TrustedGRUB2 >= 1.4.1 NOTE: This tpm-luks assumes that the kernel/initramfs are measured into PCR 14. These changes are available in the "rpm_fixes" branch of the GeisingerBTI fork of TrustedGRUB2 (see https://github.com/GeisingerBTI/TrustedGRUB2) c. tpm-tools >= 1.3.9 NOTE: This tpm-tools incorporates a needed feautre addition to the stock tpm-tools, These changes are available in the git repository at https://github.com/GeisingerBTI/tpm-tools. The branch "sealdata_expectedPCR" includes the single necessary change, and the "rpm_fixes" branch incorporates the change and cleanly builds an RPM.
Support I have only tested the functionality on RHEL7-based distributions (CentOS, SL, etc.). Other distributions are currently unsupported, but patches are welcome to increase the support level for other distributions.
=== B. Setup ===
Enable the TPM Within the BIOS, ensure that the TPM is enabled. You can check the status with /sys/class/tpm/tpm0/device/enabled
Install tpm-luks
Installing by building an RPM and installing the RPM is the preferred method of installation.
Building an RPM is outside the scope of this document.
Edit /etc/tpm-luks.conf If you installed via RPM, /etc/tpm-luks.conf should already be populated with the LUKS partitions that would automatically unlock at boot time, as seen in /etc/crypttab.
Build a new initramfs. You need to include the code to query the TPM at boot time, and this will do it for you.
Reboot You need to reboot in order to properly load all of the modules that tpm-luks has changed.
=== C. Initialization ===
OPTIONAL: If you would like to set a TPM owner password, you will need to take ownership manually.
By default, on initialization, tpm-luks will take ownership with the Well-Known-Secret
(20 bytes of "0") as the owner password. If you choose to take ownership manually, tpm-luks REQUIRES
the Well-Known-Secret for the SRK.
Initialize the keys and seal to expected PCRs By running "tpm-luks-init" (as root), tpm-luks will do the following: a. Create a random 32-byte key used to unlock the LUKS partition. b. Seal the key to the precomputed PCRs and place the sealed file in the unencrypted /boot partition. c. Add the key to the highest numbered unused LUKS slot. Will require an existing passphrase to enable.
That's it! On next reboot, under "normal" circumstances, there should be no passphrase prompt.
=== D. Upkeep ===
tpm-luks installs a yum post-transaction hook in /etc/yum/post-actions/tpm-luks.action. Whenever the kernel
package is updated, the hook runs the tpm-luks-update script, which attempts to migrate your current sealed
key to a new set of precomputed PCRs. To allow for repeated kernel updates, the current sealed file is moved
to "
=== E. Security Considerations ===
When used as expected, tpm-luks should defend against most attacks that require physical access but no special hardware.
These attacks include:
Note however, that if you start "tcsd" and keep it running, you may create a security vulnerability where an authorized user could elevate privilege to root with physical access to the machine. The attack would happen as follows:
By not running "tcsd" or by limiting its use by normal users, step #2 in the attack above is impossible.