update: ‘secure’ automatic system decryption - tpm2 + LUKS + systemd-cryptenroll

3 minute read

‘Secure’ automatic system decrpytion with tpm and LUKS - update

As I have written about here, I sort of have accepted a compromise in security for added convenience, auto-unlocking my LUKS encrypted root partition making use of my system’s built in TPM in order to only auto-unlock the system under specific (secure) conditions.

I’ve used clevis so far to manage the setup, using the trusty initramfs-tools to configure and bake the initramfs with the required modules and configuration, relying on cryptsetup to manage and reset the specifics of the configuration, e.g. whenever a bios update invalidated a PCR measurement.

Not that elegant. And there are new, more elegant and capable mechanisms available!

  • There is systemd-cryptenroll to enroll physical tokens to LUKS2 encrypted volumes, simplifying the setup and management of this part of the process
  • There is dracut for the configuration and management of initramfs images, the designated successor of initramfs-tools

While my previous setup worked, I wanted to try setting it up with the (designated) successor systems.

Well. To be honest, first I just wanted to try out systemd-cryptenroll instead of clevis, realized that the intended way of configuring auto-unlocking didn’t work with initramfs-tools, realized that (due to that, amongst other things) there have been discussions about replacing initramfs-tools with dracut as default and then decided to redo the whole process.

The Problem

Well, it’s not really a new problem, it’s an itch and a mental problem, I guess 😅. The original challenge, shifting the compromise of convenience vs. security a little by auto-unlocking the encrypted system with the help of the TPM has been working for a while.

But:

  • systemd-cryptenroll exists, potential successor to clevis
  • dracut exists, potential successor to initramfs-tools
  • Both of those systems are very capable
  • My setup is using their (potential) predecessors

The solution

systemd-cryptenroll

Installing systemd-cryptenroll on Debian is easy enough. It comes with systemd-cryptsetup, which might be on your system already? If not:

sudo apt-get install systemd-cryptsetup

Then, enrolling the TPM with the encrypted partition is pretty straightforward:

sudo systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p3

Depending on your needs/level-of-paranoia, you might want to add other PCRs, as systemd-cryptenroll per default only uses PCR 7, maybe you even want to use TPM + PIN:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+11 --tpm2-with-pin=yes /dev/nvme0n1p3

You follow the guided process, and then can verify success. Hopefully.

sudo systemd-cryptenroll /dev/nvme0n1p3
SLOT TYPE
   0 password
   1 tpm2

Configuration should (™️) work by configuring the tpm in /etc/crypttab and rebuilding the initramfs with it:

cat /etc/crypttab
nvme0n1p3_crypt UUID=e010d6c1-6016-4f2d-bd05-1be8f383ada9 none tpm2-device=auto,luks,discard

building the initramfs with initramfs-tools (fail)

But, alas, rebuilding the initial ram disk fails on Debian and should also fail on Ubuntu:

sudo update-initramfs -u -k all
...
cryptsetup: WARNING: nvme0n1p3_crypt: ignoring unknown option 'tpm2-device'
...

After a bit of research: initramfs-tools doesn’t support tpm2 devices. There is a bug report and even an open merge request with a fix, but the situation appears to be stale.

However, there is the designated successor of initramfs-tools: dracut, which has replaced initramfs-tools in a bunch of linux distributions already.

building the initramfs with dracut

On debian and Ubuntu, it can be installed from the package sources like this, replacing initramfs-tools in the process:

sudo apt-get install dracut

Configuration of dracut happens in /etc/dracut.conf.d/*.conf.

I configured dracut to run the host-only initramfs creation with tpm2 support and compress with lz4, all in separate files:

cat /etc/dracut.conf.d/compression.conf
compress="lz4"

cat /etc/dracut.conf.d/hostonly.conf
hostonly="yes"
hostonly_cmdline="no"

cat /etc/dracut.conf.d/tpm.conf
add_dracutmodules+=" tpm2-tss crypt "
add_drivers+=" tpm tpm_tis_core tpm_tis tpm_crb "

With that configuration in place, the initramfs can be (re)built with

dracut -f

After that, a reboot should end up with an automatically unlocked encrypted partition.

tl;dr

If you trust your system firmware and tpm enough, you can set your system up to decrypt automatically without providing a passphrase using systemd-cryptenroll and dracut.

There are also other methods, but this one appears to be the most future proof and easy to set-up and maintain.

Leave a comment