| Branch | Commit message | Author | Age | |
|---|---|---|---|---|
| main | better error handeling in hooks | Freya Murphy | 21 months | |
| Age | Commit message | Author | Files | Lines |
| 2023-12-10 | better error handeling in hooksHEADmain | Freya Murphy | 2 | -31/+65 |
| 2023-12-09 | verify signature at runtime not gentime | Freya Murphy | 3 | -12/+16 |
| 2023-12-09 | initial | Freya Murphy | 6 | -0/+320 |
| Clone | ||||
| https://g.freya.cat/luks-tpm | ||||
| git@git.in.freya.cat:luks-tpm | ||||
 |
index : luks-tpm | |
| summaryrefslogtreecommitdiff |
Luks TPM
Loads a LUKS tpm2 key during inital ramdisk to auto decrypt drive under secure conditions
Requirements
mkinitcpio
This setup contains hooks to be used with mkinitcpio
To setup the hook run make install as root and then add the tpm2 hook before the encrypt hook in /etc/mkinitcpio.conf
tpm2-tools
Make sure the tpm2-tools are installed so keys can be generated and unsealed
For arch linux, its as easy as pacman -S tpm2-tools
Generating Keys
Bash variables
Before you can run the script make sure the device, slot, keyloc, and pcr, variables at the top of the script.
device- The block device the LUKS partition is located atslot- The key slot that the key will be put in (WARNING this slot will be overwritten if it contains data)keyloc- The tpm location the key will be sealed in (default is fine usually)pcr- The pcr rules for storing the key (default is fine usually)
Generation
Key generation is automatic with the gentpm.sh script
Run make build as root, this will generate and store the keys, and also rebuild the ramdisk
License
This project is licensed under the MIT license