39 lines
1.2 KiB
Markdown
39 lines
1.2 KiB
Markdown
## Luks TPM
|
|
|
|
Loads a LUKS tpm2 key during inital ramdisk to auto decrypt drive under secure conditions
|
|
|
|
### Requirements
|
|
|
|
#### mkinitcpio
|
|
|
|
This setup contains hooks to be used with `mkinitcpio`
|
|
|
|
To setup the hook run `make install` as root and then add the `tpm2` hook before the `encrypt` hook in `/etc/mkinitcpio.conf`
|
|
|
|
#### tpm2-tools
|
|
|
|
Make sure the `tpm2-tools` are installed so keys can be generated and unsealed
|
|
|
|
For arch linux, its as easy as `pacman -S tpm2-tools`
|
|
|
|
### Generating Keys
|
|
|
|
#### Bash variables
|
|
|
|
Before you can run the script make sure the `device`, `slot`, `keyloc`, and `pcr`, variables at the top of the script.
|
|
|
|
- `device` - The block device the LUKS partition is located at
|
|
- `slot` - The key slot that the key will be put in (WARNING this slot will be overwritten if it contains data)
|
|
- `keyloc` - The tpm location the key will be sealed in (default is fine usually)
|
|
- `pcr` - The pcr rules for storing the key (default is fine usually)
|
|
|
|
#### Generation
|
|
|
|
Key generation is automatic with the `gentpm.sh` script
|
|
|
|
Run `make build` as root, this will generate and store the keys, and also rebuild the ramdisk
|
|
|
|
### License
|
|
|
|
This project is licensed under the MIT license
|