8

Please help me finish setting up LUKS + TPM2 + auto unlock at boot.

I have installed a clean Ubuntu 22.04.2. I encrypted the partition in the GUI while installing the OS. I have installed all updates.

Ubuntu 22.04.2 LTS
5.19.0-43-generic
systemd 249 (249.11-0ubuntu3.9)

I am trying to use this manual: https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll

I have installed:

tpm2-tools
dracut-core_059-3_amd64.deb
dracut_059-3_all.deb

Next:

sudo dracut --add tpm2-tss
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p3

I have added in /etc/crypttab:

nvme0n1p3_crypt UUID=1fce6364-485c-4524-9c73-7bd4dac5bd32 none luks,discard

System still asking for a passphrase while booting.

I do not understand what exactly I need to do to auto-unlock LUKS via TPM on boot.

Vasiliy
  • 81

4 Answers

12

This is what I'm using to allow LUKS decryption using TPM2 in the same Ubuntu 22. Not using systemd-cryptenroll, but clevis. The only 'downside' is that it shows the password prompt at boot, but disappears after getting the key from tpm.

#!/bin/bash

# install needed packages
apt-get -y install clevis clevis-tpm2 clevis-luks clevis-initramfs initramfs-tools tss2

# proceed
echo -n "Enter LUKS password: "
read -s LUKSKEY
echo ""

clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256"}' <<< "$LUKSKEY"

update-initramfs -u -k all

# check
clevis luks list -d /dev/nvme0n1p3

# delete example; -s is one of the slots reported by the previous command
#clevis luks unbind -d /dev/nvme0n1p3 -s 1 tpm2

No need to modify anything else (not even the crypttab file).

Update: also tested and working with Ubuntu 24.04 LTS; change device nvme0n1p3 to whatever suits your system.

Update 2: Tested and works on Debian 12 as well.

Don Kirkby
  • 1,499
Ionel P
  • 121
  • Thank you! I will try it. I have tried to use "built-in" (systems) to unlock LUKS. – Vasiliy Jun 29 '23 at 11:34
  • Thank God for you! This information was so convoluted to find, and this was so succinct and easy, and worked! – blisstdev Aug 29 '23 at 04:36
  • I was worried about the device name /dev/nvme0n1p3 being hard coded but on my fresh install I had the exact same disk so it worked without modification. – Chris Magnuson Mar 14 '24 at 02:16
  • I had been looking a lot and tested a dozen tools and ways. So I got the result after the final chance. Thank you so much for your answer. – Mehrdad Qasemkhani Sep 02 '24 at 17:27
  • Used these instructions again with 24.04 and after enabling the tpm from the bios everything worked perfectly, thanks again! – Chris Magnuson Sep 17 '24 at 00:58
  • 2
    I keep coming back to this for setting up new computers, today I found out that this approach does not protect the key stored in the TPM with any "PCR". As such, someone booting a Live USB on this system will be able to obtain the key from the TPM and decrypt the partition.

    I can only say this after testing on my own system. Simply adding "pcr_ids": [4,7,11] to the json string made it difficult enough to keep myself out, but I do not have the knowledge to say this is actually the safest approach.

    – sebgiles Jan 13 '25 at 20:12
  • Just wondering how we can determine which volume you should be binding (for example I've got /dev/nvme0n1p2 at /boot, and /dev/mapper/vgubuntu-root at /; Ubuntu 22.04 using LVM and full disk encryption). – tdpu Jul 30 '25 at 22:07
  • You need to bind the encrypted partition that you want to unlock. If you lsblk you will see an entry of TYPE crypt. This is the "decrypted" partition, its parent should be the one that you bind. – sebgiles Aug 07 '25 at 16:23
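The last comments above point out that a clevis tpm2 binding without pcr_ids can be unsealed by any OS booted on the machine. The following is an added check, not part of the answer or of clevis: it parses the output of clevis luks list (sample output constructed here, one slot per line as `<slot>: <pin> '<json>'`) and reports tpm2 slots that carry no PCR policy. Accepting pcr_ids as either a comma-separated string or a JSON array is an assumption about clevis's accepted config forms.

```python
import json
import re

# Constructed sample of "clevis luks list -d /dev/nvme0n1p3" output (not captured from a real system).
SAMPLE_CLEVIS_LIST = """\
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256"}'
2: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"4,7,11"}'
3: tang '{"url":"http://tang.example"}'
"""

# <slot>: <pin> '<json config>'
LINE_RE = re.compile(r"^(?P<slot>\d+):\s+(?P<pin>\S+)\s+'(?P<cfg>.*)'\s*$")


def parse_clevis_list(text):
    """Return [(slot, pin, config_dict)] for each binding line; unrelated lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            bindings.append((int(m["slot"]), m["pin"], json.loads(m["cfg"])))
    return bindings


def pcr_ids(cfg):
    """Normalise pcr_ids: assumed to be "4,7,11" or [4, 7, 11]; absent means no PCR policy at all."""
    raw = cfg.get("pcr_ids")
    if raw is None:
        return []
    if isinstance(raw, str):
        return sorted(int(x) for x in raw.split(",") if x.strip())
    return sorted(int(x) for x in raw)


def unbound_tpm2_slots(text):
    """Slots whose tpm2 binding is not tied to any PCR: any boot on this TPM can unseal them."""
    return [slot for slot, pin, cfg in parse_clevis_list(text)
            if pin == "tpm2" and not pcr_ids(cfg)]


if __name__ == "__main__":
    for slot in unbound_tpm2_slots(SAMPLE_CLEVIS_LIST):
        print(f"slot {slot}: tpm2 binding without pcr_ids, re-bind with a pcr_ids policy")
```

On a real system, feed it the captured output of `clevis luks list -d <device>` instead of the sample.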
2

I see just one issue in your steps, in /etc/crypttab: it is required to add tpm2-device=auto.

Here is the updated file

nvme0n1p3_crypt UUID=1fce6364-485c-4524-9c73-7bd4dac5bd32 none tpm2-device=auto,luks,discard

Once /etc/crypttab is updated, run dracut -f

If these details aren't enough, there is a detailed guide with only one major difference compared to your steps. I am not fully sure if dracut_059 is compatible with Ubuntu 22.04, since Ubuntu ships with the 051 release. As a workaround I just added a few dracut module folders into the 051 release manually.

01systemd-sysusers
01systemd-udevd
91tpm2-tss
Kiryl
  • 121
1

I have installed Ubuntu 24.04 on a workstation with FDE + TPM2 recently. Most information you can find on the internet is about FDE on Fedora, which is based on dracut and systemd-cryptenroll, but it may not work properly for Ubuntu.

Ubuntu has a bug in tpm2-device=auto support: it will throw an error when running update-initramfs -u.

And if you try to use dracut -f to work around the above issue, you may end up with the following error and fail to enter your system!

Warning: dracut-initqueue: starting timeout scripts
Warning: dracut-initqueue: still waiting for following initqueue hooks:
Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2fmapper\x2fubuntu--vg-ubuntu--lv.sh: (cut for brevity)

That's what happened in my case; you should be careful with dracut on Ubuntu.

The final solution I found is to give up systemd-cryptenroll and use tpm2-initramfs-tool instead. Below is the setup script based on the official doc. It works well on my device.

sudo apt-get update
sudo apt-get install -y tpm2-initramfs-tool
sudo tpm2-initramfs-tool seal --data "$FDE_PASS"

edit /etc/crypttab, change "none" to "unseal", append keyscript=/usr/bin/tpm2-initramfs-tool

sudo sed -i -e 's#none#unseal#' /etc/crypttab
sudo sed -i -e 's#luks#luks,keyscript=/usr/bin/tpm2-initramfs-tool#' /etc/crypttab

Add binaries and libraries to initramfs

cat << EOF | sudo tee /etc/initramfs-tools/hooks/tpm2-initramfs-tool
. /usr/share/initramfs-tools/hook-functions

copy_exec /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0
copy_exec /usr/bin/tpm2-initramfs-tool
EOF

sudo chmod 755 /etc/initramfs-tools/hooks/tpm2-initramfs-tool
sudo update-initramfs -u

link89
  • 111
0

The best option seems to be dracut with a little configuration. While clevis works, it is not as clean or easy to use as systemd-cryptenroll. Apart from adding tpm2-device=auto to /etc/crypttab, also add the following to dracut configuration (e.g. create /etc/dracut.conf.d/tpm2.conf):

hostonly="yes"
add_dracutmodules+=" tpm2-tss "

As others have noted tpm2-device=auto does not work with initramfs-tools that is used by default in Ubuntu, and dracut will likely replace initramfs-tools by Ubuntu 25.10 release in any case.

The full set of steps are below which have been tested on a fresh install of Ubuntu 24.04 where LVM+encryption was chosen during install.

  1. First install dracut and tpm2-tools
sudo apt install dracut tpm2-tools --autoremove --purge

This will also remove initramfs-tools and some dependent packages (including brltty that depends on initramfs-tools for some reason).

  2. Enroll TPM2 with the LUKS partition

Create a script tpm2-luks-enroll.sh with the contents below and make it executable (chmod +x tpm2-luks-enroll.sh). This will be used for first enroll as well as for re-enrolling after any change in system configuration that causes TPM2 to reject the key fetch.

#!/bin/sh -e

LUKS_DEV=/dev/disk/by-uuid/506d04fe-ef0b-4554-8797-57f10dc9d0d8
sudo systemd-cryptenroll --wipe-slot=tpm2 $LUKS_DEV
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="1+7+8+11+14:sha256" --tpm2-with-pin=true "$@" $LUKS_DEV

Use the required LUKS partition for LUKS_DEV above, or just change the UUID above to the one in your /etc/crypttab.

Here I am using some additional PCRs. The systemd-cryptenroll man page recommends 7, 11, 14, which cover most cases. Check their meaning and adjust accordingly, but don't add too many, which can be counterproductive where TPM2 has to be re-enrolled after every little system change. For example, one can add 9 above to detect an evil maid attack tampering with initrd, but that will mean re-enrolling on the next boot after every dracut run. On the other hand, remove 8 if someone running grub with a changed kernel command-line is not a concern for you.

TPM2 pin is also enabled so that it is better protected in case of theft etc, but it (--tpm2-with-pin=true) can be removed to enable full auto unlock if such cases are not a concern. This pin can be shorter than what a LUKS password should be, since TPM2 will lock up pretty quick in case of repeated failures.

Run this script and it will enroll TPM2 with the LUKS partition asking for existing password and then the desired PIN (if enabled).

  3. Lastly update crypttab and add dracut configuration as noted at the start

The /etc/crypttab for above example after the change can look like this:

dm_crypt-0   UUID=506d04fe-ef0b-4554-8797-57f10dc9d0d8   none   luks,tpm2-device=auto,discard,no-read-workqueue,no-write-workqueue

The last three options give better performance for SSDs -- check the security implication of discard before adding it, but the other two should always be better for SSDs with no down sides.

Add /etc/dracut.conf.d/tpm2.conf as noted at the start, then run dracut -f which should generate the initrd that should include output about LUKS additions towards the end.

On reboot, it will ask for the PIN (if enabled) but will fail the first time due to the first dracut run, so you will need to enter the password the first time. Removing 8 from the PCRs should avoid it, so check if you need it. Run tpm2-luks-enroll.sh again and TPM2 should work from the next time onwards in either case.

sumwale
  • 576
  • Thank you! Please tell, how did you manage to "install Ubuntu 24.04 where LVM+encryption was chosen during install"? In the new GUI installer I do not see options to create a "partition for encryption". – Vasiliy Apr 07 '25 at 05:24
  • @Vasiliy Are you using the standard ubuntu installer or some flavor like kubuntu/xubuntu? In the standard installer when you reach the partitioning screen (How do you want to install Ubuntu?), in the first "Erase disk and install Ubuntu" option, clicking on "Advanced features" has the option of LVM+encryption. – sumwale Apr 07 '25 at 07:52
  • @Vasiliy If you can't use "Erase disk ..." rather have to do manual partitioning, then it will need some setup from terminal. A good guide is: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS. I can help provide some hints if you tell your setup (e.g. dual booting or something else), and what you expect/need from encryption. – sumwale Apr 07 '25 at 08:09
  • Yes, I am using a standard installer from Ubuntu. And yes, sometimes I can not use "erase disk" because I need to make dual boot. I will check your suggestions. Thank you. – Vasiliy Apr 08 '25 at 08:08
  • @Vasiliy Unfortunately the new desktop installer will not recognize LUKS/LVM partitions if you manually create them separately. – sumwale Apr 08 '25 at 09:27
  • 1
    @Vasiliy in the Ubuntu ecosystem, the best bet now is to use the ubuntu-server 24.04 installer if you are ok with text mode installer. Its partitioner can create LVM/LUKS easily in manual partitioning mode. Then you can switch to desktop using: sudo apt install ubuntu-desktop lvm2 cryptsetup ubuntu-server- ubuntu-server-minimal- --autoremove --purge.

    Also disable systemd-networkd since desktop uses NetworkManager: sudo systemctl disable systemd-networkd. Lastly you can add "quiet splash" to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub to have the desktop splash screen.

    – sumwale Apr 08 '25 at 09:31
  • Thank you for this knowledge. – Vasiliy Apr 09 '25 at 10:05
  • It seems like there is a hack to getting the standard Ubuntu installer do encrypted LVM even in side-by-side install. Select Entire disk -> advanced options -> LVM+encryption, then select side-by-side. See: https://youtu.be/ZmZYrBPVRVQ?si=owFUjP1O5TL5YCnJ

    However, this does not work with bitlocker encrypted drive and one cannot customize the partitions. I recorded a quick raw video for doing it using server iso, then switch to desktop and enable TPM2 unlock: https://youtu.be/qyJCr7X95CM . This is my first video so quality may not be good.

    – sumwale Apr 10 '25 at 01:49
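The answer above argues about which PCRs to bind and whether to require a PIN. The following is an added check, not part of the answer or of systemd: it reads the LUKS2 metadata JSON that `cryptsetup luksDump --dump-json-metadata <dev>` prints (a trimmed sample is constructed here) and reports how each systemd-tpm2 token is protected, using the page's own points: no PCRs, missing the man page's recommended 7, 11, 14, PCR 9 forcing re-enrollment after every initrd rebuild, no PIN, and no remaining passphrase keyslot for recovery. The token field names `tpm2-pcrs` and `tpm2-pin` are assumed from the systemd-tpm2 token format.

```python
import json

# Constructed sample of "cryptsetup luksDump --dump-json-metadata <dev>" output, trimmed to the
# fields this check reads; field names "tpm2-pcrs" and "tpm2-pin" are assumed (systemd-tpm2 token).
SAMPLE_LUKS_JSON = """{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
  "tokens": {
    "0": {"type": "systemd-tpm2", "keyslots": ["1"],
          "tpm2-pcr-bank": "sha256", "tpm2-pcrs": [1, 7, 8, 11, 14], "tpm2-pin": true}
  }
}"""

RECOMMENDED = {7, 11, 14}   # PCRs the systemd-cryptenroll man page recommends, per the answer


def tpm2_tokens(metadata):
    """Yield (token_id, pcr_set, pin_required) for every systemd-tpm2 token in the header."""
    for tid, tok in metadata.get("tokens", {}).items():
        if tok.get("type") == "systemd-tpm2":
            yield tid, set(tok.get("tpm2-pcrs", [])), bool(tok.get("tpm2-pin", False))


def audit_tpm2_policy(luks_json):
    """Return a list of findings (empty when the enrollment matches the answer's advice)."""
    md = json.loads(luks_json)
    findings = []
    tokens = list(tpm2_tokens(md))
    if not tokens:
        findings.append("no systemd-tpm2 token: TPM2 auto-unlock is not enrolled")
    tpm_slots = set()
    for tid, pcrs, pin in tokens:
        tpm_slots |= set(md["tokens"][tid].get("keyslots", []))
        if not pcrs:
            findings.append(f"token {tid}: no PCR policy, any boot on this machine can unseal")
        missing = RECOMMENDED - pcrs
        if missing:
            findings.append(f"token {tid}: missing recommended PCRs {sorted(missing)}")
        if 9 in pcrs:
            findings.append(f"token {tid}: PCR 9 bound, re-enroll after every initrd rebuild")
        if not pin:
            findings.append(f"token {tid}: no PIN, unlock is fully automatic")
    # A keyslot not owned by a TPM2 token is the passphrase/recovery slot.
    if not (set(md.get("keyslots", {})) - tpm_slots):
        findings.append("no passphrase keyslot left: no recovery if the TPM2 policy changes")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_tpm2_policy(SAMPLE_LUKS_JSON)) or "enrollment looks fine")
```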