[Solved] LUKS+TPM2 unattended boot on Debian 12

bascule
Posts: 3
Joined: 2024-03-12 17:52

[Solved] LUKS+TPM2 unattended boot on Debian 12

#1 Post by bascule »

I'm attempting to store the LUKS password for LVM encryption/FDE in a TPM2 as part of unattended boot for a server, i.e. allowing a server with a LUKS encrypted root filesystem to boot without a user having to manually enter the password.

Since this seems to always come up, the threats I'm trying to defend against are an attacker removing a hard drive from the server and mounting its filesystem elsewhere, as well as an attacker altering kernel parameters passed from Grub to use e.g. init=/bin/sh. Clearly there are other threats this approach does not defend against which I will simply declare out-of-scope. Also: I'm not particularly interested in e.g. PCR hardening so much as getting anything to work at all.

I'm working with the following TPM2 device:

Code:

    # systemd-cryptenroll --tpm2-device=list
    PATH        DEVICE      DRIVER
    /dev/tpmrm0 MSFT0101:00 tpm_tis

I've attempted a few different methods, all unsuccessfully:

- systemd-cryptenroll
- tpm2-initramfs-tool
- clevis

Of those, systemd-cryptenroll seems like the best approach, and it's the one I seem to have partially working, at least. With the `tpm2-tools` package installed I am seemingly able to enroll my LUKS password into my TPM:

Code:

    # systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda3
    🔐 Please enter current passphrase for disk /dev/sda3: [...]
    New TPM2 token enrolled as key slot 1.

So that much seems to work, but what I'm having trouble with is adding TPM support to initramfs and configuring my crypttab to use the TPM.

I've seen a lot of recommendations of dracut for this. I've tried the following:

Code:

    apt-get install dracut
    dracut --add tpm2-tss -f

I also modified my /etc/crypttab to change the last entry from "luks,discard" to "luks,tpm2-device=auto". I've also tried just "luks,tpm2-device=auto" as well as "luks,discard,tpm2-device=auto" and just "tpm2-device=auto".

With dracut, after grub launches Linux, where it would ordinarily prompt for a password, it just sits there with a cursor before dropping to an emergency shell.

I've also tried to add TPM support via initramfs-tools instead, modifying /etc/initramfs-tools/modules to add tpm_tis, and then running update-initramfs -u, but it complains:

Code:

    cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'

I get the same warning when the system boots, followed by a password prompt. This seems relevant: https://groups.google.com/g/linux.debia ... MQ5A?pli=1

Any suggestions?
Last edited by bascule on 2024-03-15 13:39, edited 1 time in total.

bascule
Posts: 3
Joined: 2024-03-12 17:52

Re: LUKS+TPM2 unattended boot on Debian 12

#2 Post by bascule »

After posting this, I managed to get things working by this guide which works using dracut and actually removing the entry from /etc/crypttab: https://blog.fernvenue.com/archives/deb ... ecryption/

Still curious if anyone has opinions on this approach or others.

donald
Debian Developer, Site Admin
Posts: 1106
Joined: 2021-03-30 20:08
Has thanked: 189 times
Been thanked: 248 times

Re: LUKS+TPM2 unattended boot on Debian 12

#3 Post by donald »

bascule wrote: 2024-03-12 18:39
    After posting this, I managed to get things working by this guide which works using dracut and actually removing the entry from /etc/crypttab: https://blog.fernvenue.com/archives/deb ... ecryption/

    Still curious if anyone has opinions on this approach or others.

Your OP was very detailed, could you do the same for the solution rather than just posting a link? I am curious about this as I use a hidden keyfile as I think most others do.
Typo perfectionish.


"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank

bascule
Posts: 3
Joined: 2024-03-12 17:52

Re: LUKS+TPM2 unattended boot on Debian 12

#4 Post by bascule »

Here are the notes I took for myself from the post.

Note: you'll need to change `sda3` to your respective encrypted volume (according to e.g. lsblk, or checking /etc/crypttab).

1. Install required packages:

Code:

    apt install dracut tpm2-tools

2. Store the LUKS password in the TPM using the following command:

Code:

    $ systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda3

3. Create a new file /etc/dracut.conf.d/tpm2-tss.conf:

Code:

    add_dracutmodules+=" tpm2-tss crypt "

4. Edit /etc/default/grub and change `GRUB_CMDLINE_LINUX` to:

Code:

    GRUB_CMDLINE_LINUX="rd.auto rd.luks=1"

5. Edit /etc/crypttab and comment out the line for `sda3_crypt` with a leading `#`.

6. Finally, run:

Code:

    $ dracut -f
    $ update-grub

Upon reboot, the system should boot automatically without a password prompt.
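
The six steps above as one script, added here as an example; it is not code from the thread or from the linked guide. The helper names, the default device /dev/sda3, the crypttab name sda3_crypt and the PCR set 0+7 are assumptions taken from the post, and the two checks at the end (a systemd-tpm2 token in the LUKS2 header, the TPM2 stack present in the initramfs) are what I would confirm before rebooting a remote server:

```shell
#!/bin/sh
# Added example, not code from the thread or the linked guide. Scripts the
# six steps from post #4 and adds checks worth running before rebooting.
# Assumed (not stated in the post): the helper names below, the default
# device /dev/sda3, crypttab name sda3_crypt and PCR set 0+7. Run as root
# on Debian 12 with a TPM2 and the current LUKS passphrase at hand.
set -eu

# Step 5: comment out the crypttab line whose first field is $2 in file $1,
# so dracut stops embedding a static entry and discovers the LUKS volume at
# boot through rd.luks=1 instead.
comment_out_crypttab() {
    file=$1; name=$2
    sed -i -E "s/^(${name}[[:space:]].*)$/#\1/" "$file"
}

# Step 4: set GRUB_CMDLINE_LINUX in file $1 to "$2", replacing an existing
# assignment or appending one if the file has none.
set_grub_cmdline() {
    file=$1; value=$2
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        sed -i -E "s|^GRUB_CMDLINE_LINUX=.*$|GRUB_CMDLINE_LINUX=\"${value}\"|" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$value" >> "$file"
    fi
}

# Step 3: write the dracut drop-in that pulls the TPM2 stack and the crypt
# module into the initramfs.
write_dracut_conf() {
    printf 'add_dracutmodules+=" tpm2-tss crypt "\n' > "$1"
}

# Check: does the LUKS2 header on $1 now carry a systemd-tpm2 token?
# (cryptsetup luksDump lists it under "Tokens:" after a successful enrol.)
has_tpm2_token() {
    cryptsetup luksDump "$1" | grep -q 'systemd-tpm2'
}

# Check: does the freshly built initramfs contain the TPM2 userspace
# (libtss2) or the tpm_tis driver? lsinitrd ships with dracut.
initrd_has_tpm2() {
    lsinitrd | grep -Eqi 'libtss2|tpm_tis'
}

# Steps 1, 2 and 6 plus the checks. Slot 0 (the passphrase) is left in
# place as the recovery path if the PCR values ever change.
apply_tpm2_unattended() {
    dev=${1:-/dev/sda3}; name=${2:-sda3_crypt}; pcrs=${3:-0+7}
    apt-get install -y dracut tpm2-tools
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
    has_tpm2_token "$dev" || { echo "no systemd-tpm2 token on $dev" >&2; return 1; }
    # Record the PCR values the key is sealed to, for comparison later.
    tpm2_pcrread "sha256:$(printf '%s' "$pcrs" | tr '+' ',')"
    write_dracut_conf /etc/dracut.conf.d/tpm2-tss.conf
    set_grub_cmdline /etc/default/grub "rd.auto rd.luks=1"
    comment_out_crypttab /etc/crypttab "$name"
    dracut -f
    update-grub
    initrd_has_tpm2 || { echo "TPM2 stack missing from initramfs" >&2; return 1; }
    echo "Enrolled on $dev with PCRs $pcrs; keep the passphrase for recovery."
}

# The privileged part only runs when invoked as:
#   sh this.sh --apply [device] [crypttab-name] [pcrs]
case "${1:-}" in
    --apply) shift; apply_tpm2_unattended "$@" ;;
esac
```

Without `--apply` the file only defines the functions, so the crypttab and grub editors can be tried on copies first. The PCR set stays at the post's 0+7, which systemd-cryptenroll(1) documents as firmware code and Secure Boot state; the kernel command line is not among those, so whether an edited init=/bin/sh at the GRUB prompt changes what the key is sealed to depends on the PCRs you choose, not on 0+7 alone.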

Aki
Global Moderator
Posts: 2979
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 75 times
Been thanked: 407 times

Re: LUKS+TPM2 unattended boot on Debian 12

#5 Post by Aki »

Hello,

Thanks for sharing your configuration, that's quite interesting.

Please mark the discussion as "solved" by manually adding the text tag "[Solved]" at the beginning of the subject of the first message (after other tags, if any); i.e.:
[Solved] LUKS+TPM2 unattended boot on Debian 12
Happy Debian !
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀
