ublue-os / main

OCI base images of Fedora with batteries included
https://universal-blue.org/images/main/
Apache License 2.0

Automatically unlock LUKS-encrypted volume (on boot) #328

Closed ddund closed 1 year ago

ddund commented 1 year ago

Describe the package

Previously I've used this approach from the RHEL 9 documentation to configure automatic unlocking of LUKS-encrypted volume(s) on boot. I haven't found a way to do the same through distro- or toolbox.

I don't know if it's possible to enable this without adding the packages clevis-luks and clevis-dracut. If not, it would be nice to add those packages.

Information on the package

Name         : clevis-luks
Version      : 19
Release      : 2.fc38
Architecture : x86_64
Size         : 72 k
Source       : clevis-19-2.fc38.src.rpm
Repository   : @System
From repo    : fedora
Summary      : LUKS integration for clevis
URL          : https://github.com/latchset/clevis
License      : GPLv3+
Description  : LUKS integration for clevis. This package allows you to bind a LUKS
             : volume to a clevis unlocking policy. For automated unlocking, an unlocker
             : will also be required. See, for example, clevis-dracut and clevis-udisks2.

Name         : clevis-dracut
Version      : 19
Release      : 2.fc38
Architecture : x86_64
Size         : 11 k
Source       : clevis-19-2.fc38.src.rpm
Repository   : fedora
Summary      : Dracut integration for clevis
URL          : https://github.com/latchset/clevis
License      : GPLv3+
Description  : Automatically unlocks LUKS block devices in early boot.

Image

All Images

bsherman commented 1 year ago

Clevis is not required for TPM auto-unlocking of LUKS encrypted volumes.

Have you seen systemd-cryptenroll? Here's an example article: https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/

I haven't personally tested with a FIDO/U2F key but I have done something very similar with TPM.

In my personal ublue-based image, I have these scripts for enabling/disabling auto-unlock:

* https://github.com/bsherman/ublue-custom/blob/main/usr/bin/luks-enable-tpm2-autounlock

* https://github.com/bsherman/ublue-custom/blob/main/usr/bin/luks-disable-tpm2-autounlock

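The systemd-cryptenroll route described in the comment above, written out as one enable/disable script. This is an added example, not code from ublue-os/main and not bsherman's luks-*-tpm2-autounlock scripts. Everything beyond the bare systemd-cryptenroll call is my assumption about a Fedora or ublue (rpm-ostree) system rather than something the thread states: the volume is named by its /etc/crypttab mapper name, the TPM2 policy binds to PCR 7 (Secure Boot state) unless other PCRs are given, the optional --tpm2-with-pin step, and the rpm-ostree initramfs-etc / dracut step that refreshes the initrd afterwards.

```shell
#!/bin/sh
# Added example (not from ublue-os/main, not bsherman's scripts): enable or
# disable TPM2 auto-unlock of a LUKS2 volume with systemd-cryptenroll.
# Assumptions, mine rather than the thread's: the volume is named by its
# /etc/crypttab mapper name, the policy binds to PCR 7 (Secure Boot state)
# unless other PCRs are given, and the initrd is refreshed afterwards so it
# carries /etc/crypttab and dracut's tpm2-tss module.
set -eu

CRYPTTAB=${CRYPTTAB:-/etc/crypttab}

# Turn a crypttab device column into a path systemd-cryptenroll accepts.
resolve_dev() {
  case $1 in
    UUID=*) printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
    *)      printf '%s\n' "$1" ;;
  esac
}

# Print the enrollment command. A third argument "pin" also requires a PIN
# at boot (--tpm2-with-pin, systemd >= 251), so a stolen machine cannot be
# unlocked simply by powering it on.
enroll_cmd() {
  local dev="$1" pcrs="${2:-7}" extra=''
  if [ "${3:-}" = pin ]; then extra=' --tpm2-with-pin=yes'; fi
  printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s%s %s\n' "$pcrs" "$extra" "$dev"
}

# Print crypttab with tpm2-device=auto added to the options column (4th
# field) of the named entry; idempotent, every other line passes through.
crypttab_enable_tpm2() {
  awk -v name="$2" '
    $1 == name && $4 !~ /tpm2-device=/ {
      $4 = ($4 == "") ? "tpm2-device=auto" : $4 ",tpm2-device=auto"
    }
    { print }' "$1"
}

# Print crypttab with the tpm2-device option removed from the named entry.
crypttab_disable_tpm2() {
  awk -v name="$2" '
    $1 == name {
      n = split($4, opts, ","); out = ""
      for (i = 1; i <= n; i++)
        if (opts[i] !~ /^tpm2-device=/) out = out (out == "" ? "" : ",") opts[i]
      if (out == "") { NF = 3 } else { $4 = out }
    }
    { print }' "$1"
}

# Resolve a crypttab mapper name to its block device (hypothetical helper).
crypttab_dev() {
  local dev
  dev=$(awk -v name="$1" '$1 == name { print $2; exit }' "$CRYPTTAB")
  [ -n "$dev" ] || { echo "no $CRYPTTAB entry named $1" >&2; return 1; }
  resolve_dev "$dev"
}

# Rebuild the initrd so early boot has the TPM2 unlocker and the crypttab
# options. The rpm-ostree branch is an assumption about ublue/Silverblue
# images: it tracks /etc/crypttab into the generated initrd.
refresh_initramfs() {
  if command -v rpm-ostree >/dev/null 2>&1; then
    rpm-ostree initramfs-etc --track="$CRYPTTAB"
  else
    printf 'add_dracutmodules+=" tpm2-tss "\n' > /etc/dracut.conf.d/tpm2.conf
    dracut --force
  fi
}

# Enroll a TPM2 key slot (prompts for an existing passphrase, which stays
# enrolled as the recovery path), enable the option in crypttab, refresh.
luks_enable_tpm2_autounlock() {
  local name="$1" pcrs="${2:-7}" pin="${3:-}" dev
  dev=$(crypttab_dev "$name")
  cryptsetup isLuks "$dev"
  systemd-cryptenroll --tpm2-device=list
  eval "$(enroll_cmd "$dev" "$pcrs" "$pin")"
  crypttab_enable_tpm2 "$CRYPTTAB" "$name" > "$CRYPTTAB.tmp" && mv "$CRYPTTAB.tmp" "$CRYPTTAB"
  refresh_initramfs
}

# Wipe the TPM2 slot (so a later re-enroll does not stack slots) and undo
# the crypttab change.
luks_disable_tpm2_autounlock() {
  local name="$1" dev
  dev=$(crypttab_dev "$name")
  systemd-cryptenroll --wipe-slot=tpm2 "$dev"
  crypttab_disable_tpm2 "$CRYPTTAB" "$name" > "$CRYPTTAB.tmp" && mv "$CRYPTTAB.tmp" "$CRYPTTAB"
  refresh_initramfs
}

# CLI: "enable <crypttab-name> [pcrs] [pin]" or "disable <crypttab-name>".
# Only acts when arguments are given, so the file can also be sourced.
if [ $# -ge 2 ]; then
  case $1 in
    enable)  luks_enable_tpm2_autounlock "$2" "${3:-7}" "${4:-}" ;;
    disable) luks_disable_tpm2_autounlock "$2" ;;
    *) echo "usage: $0 enable|disable <crypttab-name> [pcrs] [pin]" >&2; exit 2 ;;
  esac
fi
```

Run it as root with the mapper name from /etc/crypttab, e.g. "enable luks-<uuid>", and have the existing passphrase ready; that passphrase slot is deliberately left in place as the recovery path, and "disable" wipes the TPM2 slot so that enabling again later does not accumulate slots. The security caveat a practitioner should weigh: binding to PCR 7 alone releases the key on any boot whose Secure Boot policy is unchanged, so anything the firmware will boot under that policy gets the volume unlocked before it asks anyone for anything. Passing "pin" or a wider PCR set (for example 0+7) tightens this, at the cost of re-enrolling after firmware or bootloader updates change those PCRs. The clevis route from the issue description does the same job with "clevis luks bind -d <device> tpm2 '{"pcr_ids":"7"}'" plus the clevis-dracut unlocker, which is why that package pair was requested.
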
ddund commented 1 year ago

> Clevis is not required for TPM auto-unlocking of LUKS encrypted volumes.
>
> Have you seen systemd-cryptenroll? Here's an example article: https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/
>
> I haven't personally tested with a FIDO/U2F key but I have done something very similar with TPM.
>
> In my personal ublue-based image, I have these scripts for enabling/disabling auto-unlock:
>
> * https://github.com/bsherman/ublue-custom/blob/main/usr/bin/luks-enable-tpm2-autounlock
>
> * https://github.com/bsherman/ublue-custom/blob/main/usr/bin/luks-disable-tpm2-autounlock

I didn't know that systemd was capable of unlocking as well. Thanks for the reference and the two example scripts for auto-unlock. I will look into them.

dylanmtaylor commented 5 months ago

I tested this process on Bluefin 40 and it works. https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/