Rohde-Schwarz / TrustedGRUB2

DEPRECATED TPM enabled GRUB2 Bootloader
GNU General Public License v3.0

how to use "cryptomount -k KEYFILE -s" #1

Closed momiji closed 9 years ago

momiji commented 9 years ago

Hello, thanks a lot for your contribution, as we are trying to use tpm-luks on rhel7. I was curious if we could get rid of tpm-luks and use cryptomount -k KEYFILE -s. From what I understand, -K KEYFILE specifies the file to use by LUKS, so no more need to use a password, and -s means unsealing the file (decrypt?) using the unseal command of the TPM. If this is all true, I haven't yet found a way to seal the file; is there something special to do for this? Is it using PCR or something else? Or maybe I am totally wrong and this has nothing to do with luks. FYI: I finally got my rhel7 working with grub2 + tpm-luks + recompiled (trousers, tpm-tools) and it automatically opens luks using NVRAM secured with PCR without a password.

neusdan commented 9 years ago

Hi,

"From what I understand, -K KEYFILE specifies the file to use by LUKS, so no more need to use a password"

Yes, exactly.

"and -s means unsealing the file (decrypt?) using the unseal command of the TPM"

Yes, the file is unsealed by TrustedGRUB2. The information about which PCRs the file is sealed to is contained in the sealed blob.

The sealing itself can't be done by TrustedGRUB2. We have our own library for TPM operations, so I haven't tested it, but I think you could use tpm_sealdata to seal the keyfile. Currently this is only possible with the SRK and the well-known secret (20 zero bytes).
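The two points in the answer above (the sealed blob carries the PCR selection it is bound to, and the SRK is authorised with the well-known secret of 20 zero bytes) are easier to follow with a small simulation. The following is an added example written for this thread; it is not TrustedGRUB2 code, not tpm-tools, and does not produce a blob in the real TPM's format. It models the semantics only: the PCR composite, the fail-closed check at unseal time, and a toy HMAC-based cipher standing in for the TPM's sealing. The PCR values, the bootloader images and the 32-byte "keyfile" are all constructed sample data.

```python
import hashlib
import hmac
import os
import struct

# TSS_WELL_KNOWN_SECRET: the SRK authorisation value the answer refers to,
# 20 zero bytes. This value is real; everything else here is a simulation.
WELL_KNOWN_SECRET = bytes(20)


def extend(pcr, measurement):
    """TPM 1.2 style PCR extend: new = SHA-1(old || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def pcr_composite(pcrs, selection):
    """Digest of the selected PCR values in index order (stand-in for the
    PCR composite hash a real TPM compares against the value stored at seal time)."""
    h = hashlib.sha1()
    for idx in sorted(selection):
        h.update(pcrs[idx])
    return h.digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a toy cipher, not the TPM's format."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(keyfile, pcrs, selection, srk_secret=WELL_KNOWN_SECRET):
    """Bind `keyfile` to the current values of the PCRs in `selection`.
    The returned blob records which PCRs it is bound to, as the answer describes."""
    composite = pcr_composite(pcrs, selection)
    # The data key depends on both the SRK secret and the PCR composite.
    data_key = hmac.new(srk_secret, b"seal" + composite, hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(keyfile, _keystream(data_key, nonce, len(keyfile))))
    tag = hmac.new(data_key, nonce + ciphertext, hashlib.sha256).digest()
    return {
        "pcr_selection": sorted(selection),
        "digest_at_release": composite,
        "nonce": nonce,
        "ciphertext": ciphertext,
        "tag": tag,
    }


def unseal(blob, pcrs, srk_secret=WELL_KNOWN_SECRET):
    """Recover the keyfile; fails closed if any selected PCR has changed
    or the SRK secret is wrong."""
    composite = pcr_composite(pcrs, blob["pcr_selection"])
    if not hmac.compare_digest(composite, blob["digest_at_release"]):
        raise ValueError("PCR mismatch: boot chain differs from sealing time")
    data_key = hmac.new(srk_secret, b"seal" + composite, hashlib.sha256).digest()
    expected_tag = hmac.new(data_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        raise ValueError("authentication failed: blob or SRK secret is wrong")
    stream = _keystream(data_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def boot_pcrs(bootloader_image):
    """Constructed PCR bank for a simulated boot: PCR 0 holds a firmware
    measurement, PCR 4 the bootloader measurement, the rest stay at zero."""
    pcrs = {i: bytes(20) for i in range(24)}
    pcrs[0] = extend(pcrs[0], b"constructed firmware image")
    pcrs[4] = extend(pcrs[4], bootloader_image)
    return pcrs


def demo():
    """Seal a constructed LUKS keyfile to PCRs 0 and 4, then show that the
    same boot chain unseals it and a modified bootloader does not."""
    keyfile = b"constructed-32-byte-luks-keyfile"  # sample input, not a real key
    good = boot_pcrs(b"constructed TrustedGRUB2 core.img")
    blob = seal(keyfile, good, [0, 4])

    recovered = unseal(blob, good)

    tampered = boot_pcrs(b"constructed modified core.img")
    try:
        unseal(blob, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return recovered == keyfile, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point to take from `demo()` is that the blob itself names the PCRs it depends on, so nothing outside the blob has to remember the policy, and any change to a selected PCR makes unsealing fail before the keyfile is ever exposed. With the real tpm-tools, `tpm_sealdata -z` selects the well-known SRK secret and `-p` adds a PCR to the selection; whether its output is accepted by `cryptomount -s` is exactly what the answer above says was not tested.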