No description
Find a file
2023-12-09 13:52:20 -05:00
gentpm.sh initial 2023-12-09 13:52:20 -05:00
LICENSE initial 2023-12-09 13:52:20 -05:00
Makefile initial 2023-12-09 13:52:20 -05:00
README.md initial 2023-12-09 13:52:20 -05:00
tpm2_hook initial 2023-12-09 13:52:20 -05:00
tpm2_install initial 2023-12-09 13:52:20 -05:00

Luks TPM

Loads a LUKS tpm2 key during inital ramdisk to auto decrypt drive under secure conditions

Requirements

mkinitcpio

This setup contains hooks to be used with mkinitcpio

To setup the hook run make install as root and then add the tpm2 hook before the encrypt hook in /etc/mkinitcpio.conf

tpm2-tools

Make sure the tpm2-tools are installed so keys can be generated and unsealed

For arch linux, its as easy as pacman -S tpm2-tools

Generating Keys

Bash variables

Before you can run the script make sure the device, slot, keyloc, and pcr, variables at the top of the script.

  • device - The block device the LUKS partition is located at
  • slot - The key slot that the key will be put in (WARNING this slot will be overwritten if it contains data)
  • keyloc - The tpm location the key will be sealed in (default is fine usually)
  • pcr - The pcr rules for storing the key (default is fine usually)

Generation

Key generation is automatic with the gentpm.sh script

Run make build as root, this will generate and store the keys, and also rebuild the ramdisk

License

This project is licensed under the MIT license