nix-community / disko

Declarative disk partitioning and formatting using nix [maintainers=@Lassulus @Enzime @iFreilicht]
MIT License
1.86k stars 198 forks

Option to enroll luks device for unlock methods (e.g. TPM2) #709

Open MattSturgeon opened 4 months ago

MattSturgeon commented 4 months ago

It would be useful to have an option for luks devices to enable TPM2 unlock (and maybe others like FIDO2 or PKCS11 too?).

This would be more convenient than running sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<device> after using disko.

An error should be thrown if the option is used on a system without TPM2 support.

iFreilicht commented 1 month ago

Wouldn't it be possible to just use something like this?

postCreateHook = "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<device>";

Or is there some distinct advantage to implementing this feature in disko directly?
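A fuller sketch of the postCreateHook approach, as an added example that is not part of this issue thread or of disko's own documentation: a disko layout with one LUKS partition whose hook enrolls a TPM2 key slot right after formatting, plus the matching NixOS initrd settings so the slot is actually used at boot. The disk path /dev/vda, the key file /tmp/secret.key and the PCR selection are constructed for the example; the by-partlabel name assumes disko's usual "<disk>-<partition>" partlabel convention, and boot.initrd.luks.devices.<name>.crypttabExtraOpts is used with systemd in the initrd enabled.

```nix
{
  # Added example: not disko's own code. /dev/vda and the key file are placeholders.
  disko.devices.disk.main = {
    device = "/dev/vda";
    type = "disk";
    content = {
      type = "gpt";
      partitions = {
        ESP = {
          size = "512M";
          type = "EF00";
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
          };
        };
        luks = {
          size = "100%";
          content = {
            type = "luks";
            name = "crypted";
            # Passphrase used to format the volume; it stays in a key slot so
            # the TPM2 slot is an addition, not a replacement (keeps a recovery path).
            passwordFile = "/tmp/secret.key";
            settings.allowDiscards = true;
            # Runs once, after the LUKS container is created and opened.
            # --unlock-key-file lets cryptenroll authenticate non-interactively.
            # --tpm2-device=auto fails (and so fails the disko run) when no TPM2
            # is present, which matches the "error if unsupported" request above.
            # Assumption: disko labels this partition "disk-main-luks".
            postCreateHook = ''
              systemd-cryptenroll \
                --unlock-key-file=/tmp/secret.key \
                --tpm2-device=auto \
                --tpm2-pcrs=0+7 \
                /dev/disk/by-partlabel/disk-main-luks
            '';
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };

  # The enrolled slot is only consulted if the initrd asks for it.
  boot.initrd.systemd.enable = true;
  boot.initrd.luks.devices.crypted.crypttabExtraOpts = [ "tpm2-device=auto" ];
}
```

Two points worth knowing before copying this: the hook needs the installer environment to see the TPM2 (systemd-cryptenroll uses it directly, so a VM or a live image without TPM passthrough will fail at this step), and binding to PCRs 0+7 ties the slot to firmware code and the Secure Boot state, so a firmware update or a Secure Boot change will silently fall back to the passphrase prompt; keeping the passphrase slot is what makes that recoverable.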

Mic92 commented 1 month ago

It's mostly a documentation issue I suppose. Having a NixOS option can help with that, but also a template could.