Wind-River / meta-secure-core

MIT License
21 stars 23 forks

Can `luks-setup.sh` create passwords for multiple partitions? #74

Open Dvergatal opened 2 months ago

Dvergatal commented 2 months ago

I do not recall whether the password stored in the TPM can be only one or many, and I was wondering whether the use case in the subject is possible to achieve with the script, meaning I have 3 partitions which I would like to encrypt.

yizhao1 commented 1 month ago

Do you need to set a corresponding key for each partition? If so, the current luks-setup.sh doesn't support it. But you can patch this script and pass the --key-slot argument to cryptsetup to specify a different slot to store each key.

Here are some references from the cryptsetup man pages [1][2][3]:

--key-slot, -S <0-N>: For LUKS operations that add key material, this option allows you to specify which key slot is selected for the new key.

--new-key-slot <0-N>: This option allows you to specify which key slot is selected for the new key.

[1] https://man7.org/linux/man-pages/man8/cryptsetup-luksformat.8.html
[2] https://man7.org/linux/man-pages/man8/cryptsetup-luksOpen.8.html
[3] https://man7.org/linux/man-pages/man8/cryptsetup-luksAddKey.8.html

Dvergatal commented 1 month ago

Hi @yizhao1, thanks for the quick response and sorry for my long delay, but I was on holidays.

> Do you need to set a corresponding key for each partition? If so, the current luks-setup.sh doesn't support it. But you can patch this script and pass the --key-slot argument to cryptsetup to specify a different slot to store each key.

Yes, that is what I need it for. I can give it a shot :)

P.S. I was also wondering whether it is worth doing. Isn't it sufficient to use just one key for all the partitions? If so, then how can I reuse the key already in the TPM?


Thanks for the information.

yizhao1 commented 1 month ago

> Hi @yizhao1, thanks for the quick response and sorry for my long delay, but I was on holidays.
>
> > Do you need to set a corresponding key for each partition? If so, the current luks-setup.sh doesn't support it. But you can patch this script and pass the --key-slot argument to cryptsetup to specify a different slot to store each key.
>
> Yes, that is what I need it for. I can give it a shot :)
>
> P.S. I was also wondering whether it is worth doing. Isn't it sufficient to use just one key for all the partitions? If so, then how can I reuse the key already in the TPM?

It is possible to use one key for all partitions, but it requires some tricks when using luks-setup.sh. When creating the first encrypted partition, you need to pass the -e parameter to luks-setup.sh to evict the existing key in the TPM and create a new key. When creating subsequent encrypted partitions without the -e parameter, these partitions will use the current key in the TPM. Of course, you can also use the cryptfs-tpm2 command to seal the key in the TPM before creating the encrypted partitions, then use luks-setup.sh without the -e parameter to create all encrypted partitions.

//Yi

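As an added example (not code from meta-secure-core or from either participant), a POSIX shell sketch of the two layouts discussed in this thread: the shared TPM-sealed key flow with -e only on the first partition, a per-partition key placed in an explicit slot with cryptsetup --key-slot, and a small parser over luksDump output to verify how many slots a header ends up with. The -d and -n flags of luks-setup.sh, the crypt_<dev> mapping names and the key-file path are assumptions; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not part of meta-secure-core: the two layouts discussed above.
# Shared key: "-e" only on the first device (evict + seal a new TPM key), later
# devices reuse it. Per-partition key: an explicit LUKS key slot per device via
# cryptsetup --key-slot. The "-d <dev>" / "-n <name>" flags of luks-setup.sh are
# ASSUMED; only "-e" is in the thread. DRY_RUN=1 (default) prints the commands.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Shared-key flow: evict/recreate the sealed key once, then format the rest
# against the key now held in the TPM.
setup_shared_key() {
    first=1
    for dev in "$@"; do
        name="crypt_$(basename "$dev")"
        if [ "$first" = 1 ]; then
            run luks-setup.sh -e -d "$dev" -n "$name"
            first=0
        else
            run luks-setup.sh -d "$dev" -n "$name"
        fi
    done
}

# Per-partition key: add a key file into an explicit slot, so a later
# luksKillSlot on that slot revokes only this partition's key.
# Arguments: device, slot number, path of the new key file.
add_key_in_slot() {
    run cryptsetup luksAddKey --key-slot "$2" "$1" "$3"
}

# Verification: count populated key slots in LUKS2 "cryptsetup luksDump" output
# read from stdin (slot lines look like "  0: luks2" under "Keyslots:").
count_keyslots() {
    awk '/^Keyslots:/ { k = 1; next } /^[A-Za-z]/ { k = 0 }
         k && /^  [0-9]+: luks2/ { n++ } END { print n + 0 }'
}

# Constructed luksDump excerpt with two populated slots, for a self-check.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
  1: luks2
Tokens:
Digests:
  0: pbkdf2'
```

On a real system, `cryptsetup luksDump /dev/sdX | count_keyslots` after the run confirms that the shared-key devices each carry the expected number of slots and that the per-partition slot landed where intended.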

Dvergatal commented 1 month ago

Thanks, this is working.

I have one more question for you but it concerns another thread. Could you please answer there?

Dvergatal commented 1 month ago

> Thanks, this is working.
>
> I have one more question for you but it concerns another thread. Could you please answer there?

OK, no need to answer in that thread. Actually, I had forgotten a lot, and thanks to this blog I recalled that PCR7 is responsible for the Secure Boot state, so I turned it on in UEFI and it started to work...