Adds an automated unlock function based on TPM policy installation
Adds automatic decryption function based on TPM policy configuration
Main Source: https://threat.tevora.com/secure-boot-tpm-2/
`setup` automatically pulls out the LUKS and EFI boot partitions using blkid and grep. The only input it requires is a cryptsetup password and a simple `yes`. The script supports flags for automation, such as passing the cryptsetup password; the flags are listed under the major points below.

Once it finishes the first round, it will try to set up a GRUB menu entry. If the system does not use GRUB, it will continue running after printing a notice. Next, a systemd unit file will be added and enabled to run at boot. The `tpm2keyunlock.service` file will be installed under `/etc/systemd/system` and will run TPM commands to persist the secret in memory. The service will then disable itself after finishing the setup of `/etc/crypttab` and `/usr/local/bin/passphrase-from-tpm` with the appropriate PCR hash method and persistent handle.
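As an added example (not the project's own `setup` script), the POSIX shell sketch below shows the two pieces that script automates: locating the LUKS and EFI partitions from blkid output, and rendering the `/etc/crypttab` entry plus the `passphrase-from-tpm` keyscript. The persistent handle `0x81000000`, the PCR set `0,2,4,7` and the blkid sample are assumed values constructed for the example, and the keyscript falls back to a manual prompt so a PCR change does not lock the disk.

```shell
#!/bin/sh
# Added example, not the project's setup script. Parses blkid-style output and
# renders the crypttab line and keyscript described on this page.
set -eu

# Constructed sample of `blkid` output, used here instead of the live system.
SAMPLE_BLKID='/dev/sda1: UUID="1A2B-3C4D" TYPE="vfat" PARTLABEL="EFI System Partition" PARTUUID="11111111-0000-4000-8000-000000000001"
/dev/sda2: UUID="d2c9b5a2-7b5e-4f31-9a4f-0123456789ab" TYPE="crypto_LUKS" PARTUUID="11111111-0000-4000-8000-000000000002"
/dev/mapper/cryptroot: UUID="9f1e2d3c-4b5a-4c6d-8e7f-abcdef012345" TYPE="ext4"'

# UUID of the first crypto_LUKS partition in the blkid output read from stdin.
# The leading space before UUID= keeps PARTUUID= from matching.
luks_uuid() {
    grep 'TYPE="crypto_LUKS"' | head -n 1 | sed 's/.* UUID="\([^"]*\)".*/\1/'
}

# Device node of the EFI System Partition (vfat carrying the ESP label).
efi_device() {
    grep 'TYPE="vfat"' | grep 'PARTLABEL="EFI System Partition"' | head -n 1 | cut -d: -f1
}

# /etc/crypttab entry: mapping name, LUKS UUID, and a keyscript (Debian/Ubuntu
# cryptsetup extension) that prints the passphrase to stdout at boot.
crypttab_line() {
    printf 'cryptroot UUID=%s none luks,discard,keyscript=%s\n' "$1" "$2"
}

# Body of /usr/local/bin/passphrase-from-tpm: unseal the secret bound to the
# given sha256 PCR list under a persistent handle (tpm2-tools 4+ syntax); if
# the PCRs no longer match (firmware or kernel update), ask the user instead.
keyscript_body() {
    handle="$1"; pcrs="$2"
    printf '#!/bin/sh\n'
    printf 'tpm2_unseal -c %s -p pcr:sha256:%s 2>/dev/null ' "$handle" "$pcrs"
    printf '|| /lib/cryptsetup/askpass "TPM unseal failed, enter passphrase: "\n'
}

# Demo against the constructed sample; on a real host pipe `blkid` instead.
uuid=$(printf '%s\n' "$SAMPLE_BLKID" | luks_uuid)
printf 'LUKS root: %s  ESP: %s\n' "$uuid" "$(printf '%s\n' "$SAMPLE_BLKID" | efi_device)"
crypttab_line "$uuid" /usr/local/bin/passphrase-from-tpm
keyscript_body 0x81000000 0,2,4,7
```

Which PCRs to bind to is a policy decision: a narrow set survives more updates, a wider set detects more boot-chain changes, and the fallback prompt is what keeps either choice recoverable.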
The setup of TPM unlocking involves three phases. The first phase installs the TPM tools. The second sets up a TPM-signed kernel and a TPM key. The final phase verifies that the TPM key is working and finishes setting up the TPM kernel.
I created an overview over at https://www.edwardssite.com/cloud-init outlining the details of how to automate the deployment and installation process of this project using cloud-init and Ubuntu's autoinstall settings. Pretty much everything needed is explained there, and reference files are included.
Earlier in the year I received a request to continue developing the project. A lot of progress towards security and automation has been made. The project and its development have been allowed to keep their open source license, so I will leave the project up! As far as development goes, here are the major points:
`-l [UUID]` sets the LUKS drive. A cryptsetup password is needed to add the secret into LUKS, so `-p [pass]` along with `-y` allows for automated configurations. Only the first setup script takes and needs parameters.

There is a lot more coming soon. There is definitely a lot of improvement that can be made, and I am looking forward to it. I am glad you read this far, and thank you for your time!