## Luks TPM
Loads a LUKS key sealed in the TPM2 during the initial ramdisk to automatically decrypt the drive under secure conditions (i.e. when the TPM's PCR policy is satisfied).
### Requirements
#### mkinitcpio
This setup contains hooks to be used with `mkinitcpio`.
To set up the hook, run `make install` as root and then add the `tpm2` hook before the `encrypt` hook in `/etc/mkinitcpio.conf`.
#### tpm2-tools
Make sure `tpm2-tools` is installed so keys can be generated and unsealed.
On Arch Linux, it's as easy as `pacman -S tpm2-tools`.
### Generating Keys
#### Bash variables
Before you can run the script, make sure the `device`, `slot`, `keyloc`, and `pcr` variables at the top of the script are set correctly.
- `device` - The block device the LUKS partition is located at
- `slot` - The LUKS key slot that the key will be put in (WARNING: this slot will be overwritten if it already contains a key)
- `keyloc` - The TPM location (persistent handle) the key will be sealed in (the default is usually fine)
- `pcr` - The PCR policy used when sealing the key (the default is usually fine)
#### Generation
Key generation is automatic with the `gentpm.sh` script.
Run `make build` as root; this generates and stores the keys and also rebuilds the ramdisk.
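The following is an added example, not the project's `gentpm.sh` or its `mkinitcpio` hook. It shows what the four variables above drive: a check that rejects a bad `slot` or `keyloc` before anything overwrites a LUKS slot, the sequence of `tpm2-tools` and `cryptsetup` commands that seal a freshly generated key under the PCR policy, and the single unseal-and-open line the initramfs hook has to perform. The `tpm2-tools` 5.x command syntax, the sample `/dev/sda2` device, the `0x81000000` handle, and the `sha256:0,7` policy are all assumptions chosen for illustration; the functions print the plan rather than executing it so it can be reviewed on a machine without a TPM.

```shell
#!/bin/sh
# Added example (not the project's own gentpm.sh). Assumes tpm2-tools 5.x syntax.
# Constructed sample values; adjust to your system before use.
device="/dev/sda2"      # block device holding the LUKS header
slot=1                  # LUKS key slot that WILL BE OVERWRITTEN
keyloc="0x81000000"     # persistent TPM handle for the sealed key
pcr="sha256:0,7"        # PCR 0 = firmware code, PCR 7 = Secure Boot state

# validate_config DEVICE SLOT KEYLOC PCR
# Returns 0 when the values look sane, 1 otherwise. Catching a typo here is
# cheaper than discovering it after luksKillSlot has removed the wrong slot.
validate_config() {
    dev="$1"; s="$2"; loc="$3"; p="$4"
    case "$dev" in /dev/*) ;; *) echo "device must be a /dev path" >&2; return 1 ;; esac
    case "$s" in ''|*[!0-9]*) echo "slot must be a non-negative integer" >&2; return 1 ;; esac
    # LUKS2 has slots 0-31; LUKS1 only 0-7. Anything above 31 is never valid.
    if [ "$s" -gt 31 ]; then echo "slot $s is out of range" >&2; return 1; fi
    # Persistent handles live in the 0x81000000-0x81FFFFFF range.
    case "$loc" in
        0x81[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "keyloc must be a persistent handle like 0x81000000" >&2; return 1 ;;
    esac
    case "$p" in sha256:[0-9]*|sha1:[0-9]*) ;; *) echo "pcr must look like sha256:0,7" >&2; return 1 ;; esac
    return 0
}

# seal_plan DEVICE SLOT KEYLOC PCR [WORKDIR]
# Prints the commands that enrol a random key into the LUKS slot and seal the
# same key in the TPM under a policy bound to the given PCRs.
seal_plan() {
    dev="$1"; s="$2"; loc="$3"; p="$4"; work="${5:-/root/tpm2-luks}"
    cat <<EOF
umask 077 && mkdir -p $work && cd $work
dd if=/dev/urandom of=luks.key bs=64 count=1
# the existing key in slot $s is destroyed (an existing passphrase is prompted for)
cryptsetup luksKillSlot $dev $s || true
cryptsetup luksAddKey --key-slot $s $dev luks.key
tpm2_createprimary -C o -c primary.ctx
tpm2_createpolicy --policy-pcr -l $p -L policy.digest
tpm2_create -C primary.ctx -u key.pub -r key.priv -i luks.key -L policy.digest
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
tpm2_evictcontrol -C o -c key.ctx $loc
shred -u luks.key
EOF
}

# unseal_plan DEVICE KEYLOC PCR [MAPPER_NAME]
# Prints the one-liner the initramfs hook performs: the TPM releases the key
# only if the current PCR values match the policy it was sealed under, and the
# key is piped straight into cryptsetup without touching disk.
unseal_plan() {
    dev="$1"; loc="$2"; p="$3"; name="${4:-cryptroot}"
    echo "tpm2_unseal -c $loc -p pcr:$p | cryptsetup open --key-file - $dev $name"
}

# Stand-alone use: check the variables at the top and show the plan.
if validate_config "$device" "$slot" "$keyloc" "$pcr"; then
    seal_plan "$device" "$slot" "$keyloc" "$pcr"
    unseal_plan "$device" "$keyloc" "$pcr"
fi
```

Because the policy in this example includes PCR 7, any firmware, bootloader, or Secure Boot key change will make `tpm2_unseal` fail and drop you back to the normal passphrase prompt; that is the intended fallback, and after such an update the key has to be resealed by running the seal plan again. Keep a passphrase in another slot so the disk remains recoverable if the TPM is reset or replaced.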
### License
This project is licensed under the MIT license