Closed ddund closed 1 year ago
Clevis is not required for TPM auto-unlocking of LUKS encrypted volumes.
Have you seen systemd-cryptenroll? Here's an example article: https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/
I haven't personally tested with a FIDO/U2F key but I have done something very similar with TPM.
In my personal ublue-based image, I have these scripts for enabling/disabling auto-unlock:
* https://github.com/bsherman/ublue-custom/blob/main/usr/bin/luks-enable-tpm2-autounlock
* https://github.com/bsherman/ublue-custom/blob/main/usr/bin/luks-disable-tpm2-autounlock
I didn't know that systemd was capable of unlocking as well. Thanks for the reference and the two example scripts for auto-unlock. I will look into them.
I tested this process on Bluefin 40 and it works. https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
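The systemd-cryptenroll route discussed in the comments above, as an added example script (not the linked ublue-custom scripts and not part of this issue): it enrolls the TPM2 in a LUKS keyslot bound to PCR 7 (Secure Boot state), marks the matching /etc/crypttab entry with `tpm2-device=auto`, and asks rpm-ostree to track crypttab in the initramfs. The `add_tpm2_option` helper and the argument layout are this example's own; the `rpm-ostree initramfs-etc --track` step is assumed to be the right initramfs refresh for rpm-ostree based images.

```shell
#!/usr/bin/env bash
# Added example: TPM2 auto-unlock for a LUKS volume via systemd-cryptenroll.
# The passphrase keyslot is left in place as the fallback; the TPM slot only
# releases the key while PCR 7 (Secure Boot policy/state) is unchanged.
set -eu

# Append "tpm2-device=auto" to the options column of the crypttab entry whose
# first column equals NAME. Idempotent; reads FILE and writes the result to stdout.
add_tpm2_option() {
  local name="$1" file="$2"
  awk -v name="$name" '
    $1 == name {
      n = split($0, f, /[ \t]+/)
      opts = (n >= 4) ? f[4] : ""
      if (opts !~ /(^|,)tpm2-device=/)
        opts = (opts == "") ? "tpm2-device=auto" : opts ",tpm2-device=auto"
      print f[1], f[2], (n >= 3 ? f[3] : "none"), opts
      next
    }
    { print }
  ' "$file"
}

# Replace any earlier TPM2 keyslot, then enroll the TPM2 bound to PCR 7.
# systemd-cryptenroll prompts for an existing passphrase to authorize this.
enroll_tpm2() {
  local dev="$1"
  systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 "$dev"
}

# Usage: luks-enable-tpm2 <crypttab-name> <luks-device> [crypttab-path]
main() {
  local name="$1" dev="$2" tab="${3:-/etc/crypttab}"
  enroll_tpm2 "$dev"
  add_tpm2_option "$name" "$tab" > "$tab.tmp"
  cat "$tab.tmp" > "$tab" && rm -f "$tab.tmp"   # keep crypttab's owner/mode
  # Assumption: on rpm-ostree images this is how the updated crypttab reaches
  # the initramfs; on a classic Fedora install, `dracut -f` instead.
  rpm-ostree initramfs-etc --track="$tab"
}

# Only run the full procedure when invoked with arguments (needs root + a TPM).
[ "$#" -eq 0 ] || main "$@"
```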
Describe the package
Previously I've used this approach from the RHEL 9 documentation to configure automatic unlocking of LUKS-encrypted volume(s) on boot. I haven't found a way to do the same through distro- or toolbox.
I don't know if it's possible to enable this without adding the packages clevis-luks and clevis-dracut. If not, it would be nice to add those packages.
Information on the package
```
Name         : clevis-luks
Version      : 19
Release      : 2.fc38
Architecture : x86_64
Size         : 72 k
Source       : clevis-19-2.fc38.src.rpm
Repository   : @System
From repo    : fedora
Summary      : LUKS integration for clevis
URL          : https://github.com/latchset/clevis
License      : GPLv3+
Description  : LUKS integration for clevis. This package allows you to bind a LUKS
             : volume to a clevis unlocking policy. For automated unlocking, an unlocker
             : will also be required. See, for example, clevis-dracut and clevis-udisks2.

Name         : clevis-dracut
Version      : 19
Release      : 2.fc38
Architecture : x86_64
Size         : 11 k
Source       : clevis-19-2.fc38.src.rpm
Repository   : fedora
Summary      : Dracut integration for clevis
URL          : https://github.com/latchset/clevis
License      : GPLv3+
Description  : Automatically unlocks LUKS block devices in early boot.
```
Image
All Images