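A simple guide to setting up LUKS encryption on RHEL 8 with TPM2 for automatic decryption at boot.
Assumption: RHEL 8 is installed with LUKS encryption on the root and other partitions (with or without LVM). With TPM2-only unlocking the volumes open at boot without any user input, so keep the existing LUKS passphrase as a recovery key and rely on OS login for access control on a running machine.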
========================================
Install the tools
========================================
# Install clevis together with its LUKS, dracut (initramfs), systemd and
# udisks2 integration packages, as named in the package list below.
yum install \
  clevis.x86_64 \
  clevis-dracut.x86_64 \
  clevis-luks.x86_64 \
  clevis-systemd.x86_64 \
  clevis-udisks2.x86_64
========================================
Contents of /etc/fstab
========================================
[root@localhost ~]# cat /etc/fstab
/dev/mapper/luks-798d5c73-5732-4b01-82c9-d70ed35f4fca / xfs defaults,x-systemd.device-timeout=0 0 0
UUID=790e3e33-65cc-4c76-8986-417cd1ac2cc9 /boot xfs defaults 0 0
UUID=CE75-FD1E /boot/efi vfat umask=0077,shortname=winnt 0 2
/dev/mapper/luks-f027a442-9fef-41d3-9c1b-a1a4c83f457e /home xfs defaults,x-systemd.device-timeout=0 0 0
/dev/mapper/luks-dac3198e-b427-451a-b3e8-2690c9ecdb38 /var xfs defaults,x-systemd.device-timeout=0 0 0
/dev/mapper/luks-3e9763b0-ce19-4f01-afca-1fdce8c1722a /var/log xfs defaults,x-systemd.device-timeout=0 0 0
/dev/mapper/luks-a545141d-0f48-4f6e-90e0-58ebd73a5b78 /var/log/audit xfs defaults,x-systemd.device-timeout=0 0 0
/dev/mapper/luks-44edea49-a62d-4042-9aed-8ffbdeec30b8 none swap defaults,x-systemd.device-timeout=0 0 0
========================================
This is our disk layout
========================================
[root@localhost ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sr0 11:0 1 9.4G 0 rom
nvme0n1 259:0 0 20G 0 disk
├─nvme0n1p1 259:1 0 500M 0 part /boot/efi
├─nvme0n1p2 259:2 0 1000M 0 part /boot
├─nvme0n1p3 259:3 0 4.9G 0 part
│ └─luks-798d5c73-5732-4b01-82c9-d70ed35f4fca 253:4 0 4.9G 0 crypt /
├─nvme0n1p4 259:4 0 4.9G 0 part
│ └─luks-dac3198e-b427-451a-b3e8-2690c9ecdb38 253:1 0 4.9G 0 crypt /var
├─nvme0n1p5 259:5 0 2G 0 part
│ └─luks-3e9763b0-ce19-4f01-afca-1fdce8c1722a 253:3 0 2G 0 crypt /var/log
├─nvme0n1p6 259:6 0 2G 0 part
│ └─luks-a545141d-0f48-4f6e-90e0-58ebd73a5b78 253:0 0 2G 0 crypt /var/log/audit
├─nvme0n1p7 259:7 0 1002M 0 part
│ └─luks-f027a442-9fef-41d3-9c1b-a1a4c83f457e 253:5 0 986M 0 crypt /home
└─nvme0n1p8 259:8 0 3.9G 0 part
└─luks-44edea49-a62d-4042-9aed-8ffbdeec30b8 253:2 0 3.9G 0 crypt [SWAP]
==============================================================
We had to bind each encrypted partition to the TPM2
==============================================================
# Bind every LUKS partition (nvme0n1p3 .. nvme0n1p8) to the TPM2 with a policy
# on PCR 7. The bind adds a keyslot; the existing passphrase keyslot is not
# removed, so it stays available as a recovery path.
# NOTE(review): PCR 7 tracks the Secure Boot state only; it does not cover the
# initramfs or the kernel command line, and /boot is unencrypted in this layout.
# Decide whether additional PCRs are needed for your threat model, and expect to
# re-bind after changes that alter the selected PCR values.
# NOTE(review): no "pcr_bank" is given, and the `clevis luks list` output in this
# guide shows the sha1 bank was used; adding "pcr_bank":"sha256" to the JSON
# selects the SHA-256 bank where the TPM provides it.
for part_no in 3 4 5 6 7 8; do
  clevis luks bind -d "/dev/nvme0n1p${part_no}" tpm2 '{"pcr_ids":"7"}'
done
===========================
Check the TPM2 bind
===========================
[root@localhost ~]# for i in {3..8}; do clevis luks list -d /dev/nvme0n1p${i}; done
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
================================================================
Modified GRUB_CMDLINE_LINUX in /etc/default/grub so that the generated GRUB config includes all LUKS devices
=======================================================
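# crashkernel=auto reserves memory for kdump; the guide originally had this
# misspelled as "grashkernel", and the /proc/cmdline capture at the end of the
# guide still shows that spelling from the author's system.
# Each LUKS container is named with rd.luks.uuid so that it is set up from the
# initramfs at boot; resume= points at the encrypted swap device.
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/luks-44edea49-a62d-4042-9aed-8ffbdeec30b8 rd.luks.uuid=luks-798d5c73-5732-4b01-82c9-d70ed35f4fca rd.luks.uuid=luks-44edea49-a62d-4042-9aed-8ffbdeec30b8 rd.luks.uuid=luks-798d5c73-5732-4b01-82c9-d70ed35f4fca rd.luks.uuid=luks-f027a442-9fef-41d3-9c1b-a1a4c83f457e rd.luks.uuid=luks-3e9763b0-ce19-4f01-afca-1fdce8c1722a rd.luks.uuid=luks-a545141d-0f48-4f6e-90e0-58ebd73a5b78 rd.luks.uuid=luks-dac3198e-b427-451a-b3e8-2690c9ecdb38 rd.luks.uuid=luks-44edea49-a62d-4042-9aed-8ffbdeec30b8 rhgb quiet"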
================================
updated the grub config
=================================
# Regenerate the GRUB configuration so the edited GRUB_CMDLINE_LINUX takes
# effect. The output path is the UEFI location on this system (/boot/efi is
# mounted per the fstab in this guide).
grub2-mkconfig --output=/boot/efi/EFI/redhat/grub.cfg
=================================
Rebuild the initrd
=================================
# Rebuild the initramfs for every installed kernel, overwriting the existing
# images and printing verbose output.
dracut --force --verbose --regenerate-all
==================================
Rebooted, then checked /proc/cmdline
====================================
[root@localhost ~]# cat /proc/cmdline
BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0-305.19.1.el8_4.x86_64 root=UUID=a0c7c305-0916-4d3b-9e4c-0ac67da7d873 ro grashkernel=auto resume=/dev/mapper/luks-44edea49-a62d-4042-9aed-8ffbdeec30b8 rd.luks.uuid=luks-798d5c73-5732-4b01-82c9-d70ed35f4fca rd.luks.uuid=luks-44edea49-a62d-4042-9aed-8ffbdeec30b8 rd.luks.uuid=luks-798d5c73-5732-4b01-82c9-d70ed35f4fca rd.luks.uuid=luks-f027a442-9fef-41d3-9c1b-a1a4c83f457e rd.luks.uuid=luks-3e9763b0-ce19-4f01-afca-1fdce8c1722a rd.luks.uuid=luks-a545141d-0f48-4f6e-90e0-58ebd73a5b78 rd.luks.uuid=luks-dac3198e-b427-451a-b3e8-2690c9ecdb38 rd.luks.uuid=luks-44edea49-a62d-4042-9aed-8ffbdeec30b8 rhgb quiet
=======================================================