[Solved] LUKS+TPM2 unattended boot on Debian 12

bascule
Posts: 3
Joined: 2024-03-12 17:52

[Solved] LUKS+TPM2 unattended boot on Debian 12

#1 Post by bascule »

I'm attempting to store the LUKS password for LVM encryption/FDE in a TPM2 as part of unattended boot for a server, i.e. allowing a server with a LUKS encrypted root filesystem to boot without a user having to manually enter the password.

Since this seems to always come up, the threats I'm trying to defend against are an attacker removing a hard drive from the server and mounting its filesystem elsewhere, as well as an attacker altering kernel parameters passed from Grub to use e.g. init=/bin/sh. Clearly there are other threats this approach does not defend against which I will simply declare out-of-scope. Also: I'm not particularly interested in e.g. PCR hardening so much as getting anything to work at all.

I'm working with the following TPM2 device:

Code:

# systemd-cryptenroll --tpm2-device=list
PATH        DEVICE      DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_tis

I've attempted a few different methods, all unsuccessfully:

- systemd-cryptenroll
- tpm2-initramfs-tool
- clevis

Of those, systemd-cryptenroll seems like probably the best approach, and one I seem to have partially working, at least. With the `tpm2-tools` package installed I am seemingly able to enroll my LUKS password into my TPM:

Code:

# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda3
🔐 Please enter current passphrase for disk /dev/sda3: [...]
New TPM2 token enrolled as key slot 1.

So that much seems to work, but what I'm having trouble with is adding TPM support to initramfs and configuring my crypttab to use the TPM.

I've seen a lot of recommendations of dracut for this. I've tried the following:

Code:

apt-get install dracut
dracut --add tpm2-tss -f

I also modified my /etc/crypttab to change the last entry from "luks,discard" to "luks,tpm2-device=auto". I've also tried just "luks,tpm2-device=auto" as well as "luks,discard,tpm2-device=auto" and just "tpm2-device=auto".

With dracut, after grub launches Linux, where it would ordinarily prompt for a password it just sits there with a cursor before dropping to an emergency shell.

I've also tried to add TPM support via initramfs-tools instead, modifying /etc/initramfs-tools/modules to add tpm_tis, and then running update-initramfs -u, but it complains:

Code:

cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'

I get the same warning when the system boots, followed by a password prompt. This seems relevant: https://groups.google.com/g/linux.debia ... MQ5A?pli=1

Any suggestions?
Last edited by bascule on 2024-03-15 13:39, edited 1 time in total.

bascule
Posts: 3
Joined: 2024-03-12 17:52

Re: LUKS+TPM2 unattended boot on Debian 12

#2 Post by bascule »

After posting this, I managed to get things working by following this guide, which uses dracut and actually removes the entry from /etc/crypttab: https://blog.fernvenue.com/archives/deb ... ecryption/

Still curious if anyone has opinions on this approach or others.

donald
Debian Developer, Site Admin
Posts: 1430
Joined: 2021-03-30 20:08

Re: LUKS+TPM2 unattended boot on Debian 12

#3 Post by donald »

bascule wrote: 2024-03-12 18:39
After posting this, I managed to get things working by following this guide, which uses dracut and actually removes the entry from /etc/crypttab: https://blog.fernvenue.com/archives/deb ... ecryption/

Still curious if anyone has opinions on this approach or others.

Your OP was very detailed, could you do the same for the solution rather than just posting a link? I am curious about this as I use a hidden keyfile, as I think most others do.

bascule
Posts: 3
Joined: 2024-03-12 17:52

Re: LUKS+TPM2 unattended boot on Debian 12

#4 Post by bascule »

Here are the notes I took for myself from the post.

Note: you'll need to change `sda3` to your respective encrypted volume (according to e.g. lsblk, or checking /etc/crypttab).

1. Install required packages:

Code:

apt install dracut tpm2-tools

2. Store the LUKS password in the TPM using the following command:

Code:

# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda3

3. Create a new file /etc/dracut.conf.d/tpm2-tss.conf:

Code:

add_dracutmodules+=" tpm2-tss crypt "

4. Edit /etc/default/grub and change `GRUB_CMDLINE_LINUX` to:

Code:

GRUB_CMDLINE_LINUX="rd.auto rd.luks=1"

5. Edit /etc/crypttab and comment out the line for `sda3_crypt` with a leading `#`.

6. Finally, run:

Code:

# dracut -f
# update-grub

Upon reboot, the system should boot automatically without a password prompt.
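Steps 3 to 5 of the procedure above, as an added example that is not part of the original post and not code from Debian or dracut: the file edits are written as idempotent shell functions that act under a root prefix (a copy of /etc, an assumption made here so the script can be rehearsed before touching the real system), and the crypttab entry is only commented out once a `cryptsetup luksDump` listing shows a systemd-tpm2 token, so step 5 cannot run before step 2 succeeded. The luksDump excerpt and the crypttab/grub contents in the demo are constructed sample data, not output from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original post, Debian or dracut): steps 3 to 5
# of the dracut/TPM2 procedure as idempotent edits under a root prefix, with
# a guard that the LUKS header already carries a systemd-tpm2 token.
# Assumptions made for this example: $root mirrors / (contains etc/...), and
# luksDump output lists tokens as "  N: systemd-tpm2" under a "Tokens:" header.
set -eu

# Constructed excerpt of `cryptsetup luksDump` output after a successful enroll.
SAMPLE_DUMP='Tokens:
  0: systemd-tpm2
        Keyslot:    1'

# Step 3: /etc/dracut.conf.d/tpm2-tss.conf with the module list from the post.
write_dracut_conf() {
    root=$1
    mkdir -p "$root/etc/dracut.conf.d"
    printf '%s\n' 'add_dracutmodules+=" tpm2-tss crypt "' \
        > "$root/etc/dracut.conf.d/tpm2-tss.conf"
}

# Step 4: replace (never append) GRUB_CMDLINE_LINUX so a rerun does not leave
# two assignments; add the line when /etc/default/grub has none.
set_grub_cmdline() {
    root=$1
    f="$root/etc/default/grub"
    want='GRUB_CMDLINE_LINUX="rd.auto rd.luks=1"'
    if grep -q '^GRUB_CMDLINE_LINUX=' "$f"; then
        sed -i "s|^GRUB_CMDLINE_LINUX=.*|$want|" "$f"
    else
        printf '%s\n' "$want" >> "$f"
    fi
}

# Returns 0 when a luksDump listing (on stdin) names a systemd-tpm2 token,
# i.e. systemd-cryptenroll has already added the TPM2 key slot.
has_tpm2_token() {
    grep -Eq '^[[:space:]]*[0-9]+:[[:space:]]+systemd-tpm2[[:space:]]*$'
}

# Step 5: comment out the crypttab entry whose mapper name is $2 (e.g.
# sda3_crypt). Returns 1 without touching the file when the entry is missing
# or when the luksDump text in $3 shows no TPM2 token, so the passphrase entry
# is never removed before the TPM2 key slot exists.
disable_crypttab_entry() {
    root=$1 name=$2 dump=$3
    f="$root/etc/crypttab"
    printf '%s\n' "$dump" | has_tpm2_token || return 1
    grep -q "^$name[[:space:]]" "$f" || return 1
    sed -i "s|^\($name[[:space:]].*\)|#\1|" "$f"
}

# Dry run against a constructed copy of /etc: TPM2_DEMO=1 sh this-script.sh
if [ "${TPM2_DEMO:-}" = 1 ]; then
    t=$(mktemp -d)
    mkdir -p "$t/etc/default"
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX="quiet"\n' > "$t/etc/default/grub"
    printf 'sda3_crypt UUID=e2d234f3-b3bc-47fa-b677-de2debd1a330 none luks,discard\n' \
        > "$t/etc/crypttab"
    write_dracut_conf "$t"
    set_grub_cmdline "$t"
    disable_crypttab_entry "$t" sda3_crypt "$SAMPLE_DUMP"
    cat "$t/etc/dracut.conf.d/tpm2-tss.conf" "$t/etc/default/grub" "$t/etc/crypttab"
    echo "now run: dracut -f && update-grub"
    rm -rf "$t"
fi
```

On a real host, feed `cryptsetup luksDump /dev/sda3` (which prints the token list under its `Tokens:` heading) into `disable_crypttab_entry` and run `dracut -f` and `update-grub` afterwards, as in step 6. One caveat on step 2 that a practitioner should know: the PCRs chosen there (0 and 7) record firmware and Secure Boot state; GRUB's tpm module measures its commands and the kernel command line into PCR 8, so a policy bound to 0+7 alone still unseals when a kernel parameter is edited at the GRUB menu.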

Aki
Global Moderator
Posts: 4067
Joined: 2014-07-20 18:12
Location: Europe

Re: LUKS+TPM2 unattended boot on Debian 12

#5 Post by Aki »

Hello,

Thanks for sharing your configuration, that's quite interesting.

Please mark the discussion as "solved" by manually adding the text tag "[Solved]" at the beginning of the subject of the first message (after other tags, if any), i.e.:
[Solved] LUKS+TPM2 unattended boot on Debian 12
Happy Debian !

reddot
Posts: 2
Joined: 2024-11-24 18:37

Re: [Solved] LUKS+TPM2 unattended boot on Debian 12

#6 Post by reddot »

@bascule thanks for sharing. The details you've provided helped me a lot in my own research. I have to add some notes:

1) As for the conflicting `/etc/crypttab` entry and the system asking for a password if it remains: the point is that during the initrd stage LUKS devices are populated by dracut. The scripts in dracut assign (mapper device) names to LUKS devices in the format "luks-$UUID". Later, when the boot process switches to systemd, it re-evaluates the /etc/crypttab file and re-generates systemd units (systemd-cryptsetup@.service) for the entries. Usually on Debian systems a root entry in the crypttab has a (mapper device) name like dm_crypt-0. Hence from systemd's point of view it has to shut down the "luks-$UUID" device and bring up another one, "dm_crypt-0". But it fails to do that because it is actually the same device. The process results in a bunch of errors in the logs and failed systemd-cryptsetup@ units. To fix it, just replace the "dm_crypt-0" name with the "luks-$UUID" name in the /etc/crypttab file. The boot process will now go smoothly with no errors and no unnecessary password prompt.

Here is an example of crypttab:

Code:

$ cat /etc/crypttab
luks-e2d234f3-b3bc-47fa-b677-de2debd1a330 UUID=e2d234f3-b3bc-47fa-b677-de2debd1a330 none luks,tpm2-device=auto

2) As for the current status of Debian testing (trixie): an updated version of dracut has been uploaded which brings some improvements to the cryptsetup workflow. It is no longer required to use additional kernel command line parameters (rd.auto) or to explicitly add the tpm2-tss dracut module. I had to patch the initrdname parameter, though, with an entry in /etc/dracut.conf:

Code:

$ cat /etc/dracut.conf
initrdname="initrd.img-${kernel}"

Otherwise, my invocation of dracut on testing is simply:

Code:

# dracut -f
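The crypttab adjustment described in note 1 above, as an added example that is not part of reddot's post: a filter that rewrites each entry whose source is `UUID=...` so the mapper name becomes the `luks-<UUID>` name dracut already used in the initrd and `tpm2-device=auto` is present, while comments, blank lines and device-path sources (such as an encrypted swap keyed from /dev/urandom) pass through untouched. That only `UUID=` sources are TPM-unlocked volumes is an assumption made for this example; the sample crypttab is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): rename crypttab entries to the
# luks-<UUID> mapper name dracut uses and make sure tpm2-device=auto is set.
# Reads a crypttab on stdin and writes the rewritten file on stdout.
# Assumption made here: entries with a UUID= source are the volumes dracut
# opened in the initrd; every other line is left exactly as it was.
set -eu

rename_for_dracut() {
    awk '
    /^[[:space:]]*#/ || NF < 2 { print; next }
    $2 ~ /^UUID=/ {
        uuid = substr($2, 6)
        opts = (NF >= 4) ? $4 : "luks"
        # add luks and tpm2-device=auto once each; keep options such as discard
        if (("," opts ",") !~ /,luks,/) opts = "luks," opts
        if (("," opts ",") !~ /,tpm2-device=/) opts = opts ",tpm2-device=auto"
        printf "luks-%s UUID=%s none %s\n", uuid, uuid, opts
        next
    }
    { print }
    '
}

# Constructed sample (not from a real system): an installer-style root entry
# plus an encrypted swap entry that must not be renamed or TPM-bound.
SAMPLE_CRYPTTAB='sda3_crypt UUID=e2d234f3-b3bc-47fa-b677-de2debd1a330 none luks,discard
# swap is keyed from /dev/urandom and stays as it is
swap_crypt /dev/sdb1 /dev/urandom swap'

# Demo: TPM2_DEMO=1 sh this-script.sh
# Real use: rename_for_dracut < /etc/crypttab > /etc/crypttab.new, review, move.
if [ "${TPM2_DEMO:-}" = 1 ]; then
    printf '%s\n' "$SAMPLE_CRYPTTAB" | rename_for_dracut
fi
```

The filter is idempotent, so running it over an already rewritten crypttab changes nothing, and it never writes in place: review the output and move it over /etc/crypttab yourself before the `dracut -f` shown above.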
