
Luks TPM

Loads a LUKS key sealed in the TPM2 during the initial ramdisk so the drive is decrypted automatically, but only while the TPM's PCR values match the state the key was sealed against.



This project provides hooks for mkinitcpio.

To set up the hook, run make install as root, then add the tpm2 hook before the encrypt hook in the HOOKS array in /etc/mkinitcpio.conf, so the key is unsealed before encrypt tries to open the container.
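For illustration only (this is not the project's own configuration), a HOOKS array with tpm2 placed directly before encrypt. The surrounding hooks are the usual ones for an encrypted root and are assumed here; keep whatever your existing configuration already has and only insert tpm2:

```shell
# /etc/mkinitcpio.conf (example; the hooks other than tpm2 are assumed)
HOOKS=(base udev autodetect modconf block keyboard keymap tpm2 encrypt filesystems fsck)
```

The ramdisk must be rebuilt after this change; make build does that as part of key generation.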


Make sure tpm2-tools is installed; the scripts use it to seal and unseal the key.

On Arch Linux: pacman -S tpm2-tools

Generating Keys

Bash variables

Before running the script, set the device, slot, keyloc and pcr variables at the top of gentpm.sh:

  • device - The block device holding the LUKS container (for example /dev/nvme0n1p2)
  • slot - The LUKS key slot the sealed key is written to (WARNING: any key already in this slot is overwritten)
  • keyloc - The TPM location (handle) the sealed key is stored at (the default is usually fine)
  • pcr - The PCR selection the key is sealed against; the TPM only unseals the key while those PCRs hold the same values (the default is usually fine)


Key generation is automated by the gentpm.sh script.

Run make build as root. This generates a key, seals it in the TPM, writes it to the chosen LUKS slot and rebuilds the ramdisk.

Keep a normal passphrase in a different key slot: a firmware, bootloader or kernel update can change the measured PCR values, after which the TPM refuses to unseal the key until you boot with the passphrase and run make build again.
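The two halves of the procedure above, as an added example that is not the project's gentpm.sh or tpm2_hook: the seal step that make build performs (random key, PCR policy, sealed object at a persistent handle, key enrolled in the LUKS slot) and the unseal step the initramfs hook performs. The variable names follow the README; the device path, handle value, PCR list and the helper function names are this example's own assumptions, and the tpm2-tools invocations are the standard seal/unseal sequence rather than the project's exact commands.

```shell
#!/bin/bash
# Added example, not the project's scripts. Usage: ./example.sh seal | ./example.sh unseal
set -eu

device=/dev/nvme0n1p2      # block device holding the LUKS container (assumed)
slot=1                     # LUKS key slot to overwrite
keyloc=0x81000001          # persistent TPM handle for the sealed key (assumed)
pcr="sha256:0,2,4,7"       # PCR bank and indices the key is bound to (assumed)

# Persistent handles live in the range 0x81000000-0x81FFFFFF.
valid_handle() {
  case "$1" in
    0x81[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# Accepts one bank and a comma-separated list of PCR indices 0-23, e.g. sha256:0,7.
valid_pcr_selection() {
  local idx i
  case "$1" in
    sha1:*|sha256:*|sha384:*|sha512:*) ;;
    *) return 1 ;;
  esac
  idx=${1#*:}
  [ -n "$idx" ] || return 1
  local IFS=,
  for i in $idx; do
    case "$i" in ''|*[!0-9]*) return 1 ;; esac
    [ "$i" -le 23 ] || return 1
  done
  return 0
}

check_config() {
  valid_handle "$keyloc" || { echo "keyloc must be a persistent handle (0x81xxxxxx)" >&2; return 1; }
  valid_pcr_selection "$pcr" || { echo "pcr must look like sha256:0,7" >&2; return 1; }
  [ -b "$device" ] || { echo "$device is not a block device" >&2; return 1; }
}

seal_key() {
  check_config
  local work key
  umask 077
  work=$(mktemp -d)
  key=$work/key.bin
  head -c 32 /dev/urandom > "$key"
  # Policy digest over the *current* PCR values; unsealing later requires the same values.
  tpm2_createpolicy --policy-pcr -l "$pcr" -L "$work/policy.digest"
  # Primary key in the owner hierarchy, then the sealed object beneath it.
  tpm2_createprimary -C o -c "$work/primary.ctx"
  tpm2_create -C "$work/primary.ctx" -u "$work/seal.pub" -r "$work/seal.priv" \
    -L "$work/policy.digest" -i "$key"
  tpm2_load -C "$work/primary.ctx" -u "$work/seal.pub" -r "$work/seal.priv" -c "$work/seal.ctx"
  # Drop whatever is at the persistent handle, then persist the new sealed object there.
  tpm2_evictcontrol -C o -c "$keyloc" >/dev/null 2>&1 || true
  tpm2_evictcontrol -C o -c "$work/seal.ctx" "$keyloc"
  # Enrol the key in the LUKS slot. An occupied slot must be freed first; both
  # cryptsetup commands prompt for a passphrase from another slot.
  cryptsetup luksKillSlot "$device" "$slot" 2>/dev/null || true
  cryptsetup luksAddKey --key-slot "$slot" "$device" "$key"
  shred -u "$key"
  rm -rf "$work"
}

# Initramfs side: the TPM releases the key only if the PCRs still satisfy the policy.
unseal_key() {
  tpm2_unseal -c "$keyloc" -p "pcr:$pcr"
}

case "${1:-}" in
  seal)   seal_key ;;
  unseal) unseal_key | cryptsetup open --key-file - "$device" cryptroot ;;
esac
```

If tpm2_unseal fails at boot (PCR mismatch after an update, or a tampered boot chain), the pipeline produces no key and the hook should fall through to a passphrase prompt rather than leave the system unbootable; that is why a second key slot with a passphrase matters.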


This project is licensed under the MIT license