Skip to content
/ arch-mkinitcpio-clevis-hook Public

A simple hook to unlock LUKS devices on boot with clevis and TPM on arch linux.

License

GPL-3.0 license
11 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kishorviswanathan/arch-mkinitcpio-clevis-hook

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
hooks
hooks
 
 
install
install
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
install.sh
install.sh
 
 

Repository files navigation

Introduction

Update: Starting with systemd version 248, TPM2 unlock support is built-in and it is much faster than clevis. Follow this guide to get it working.

Update 2: Do not attempt to use the systemd version of TPM2 unlock if you don't use systemd.

A simple hook to unlock LUKS devices on boot using TPM and clevis.

Tested Systems:

  • Manjaro Linux 20.2.1 with systemd-boot and mkinitcpio.
  • Artix Linux OpenRC (Linux 5.17.4-artix1-1) with grub and mkinitcpio.
  • Arch Linux (Linux 5.17.4.arch1-1) with grub and mkinitcpio.

Installing

AUR Method

  1. Install the mkinitcpio-clevis-hook package from the AUR (this installs all dependencies, as well as the hook).

  2. Add clevis binding to your LUKS device.

    sudo clevis luks bind -d <device> tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'

  3. Enable the clevis hook.

    sudo vim /etc/mkinitcpio.conf
# Edit the hooks and add clevis before the 'encrypt' hook. Eg:
# HOOKS=(.. clevis encrypt ..)

    Note: If you are using plymouth, replace the plymouth-encrypt hook with encrypt. plymouth-encrypt is reported to be buggy when the device is already unlocked. More info.

  4. Generate initramfs image.

    sudo mkinitcpio -P

  5. Reboot.

Manual Method

  1. Install the following packages.

    sudo pacman --needed -S clevis tpm2-tools luksmeta libpwquality

  2. Add clevis binding to your LUKS device.

    sudo clevis luks bind -d <device> tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'

  3. Install the clevis hook.

    sudo ./install.sh
sudo vim /etc/mkinitcpio.conf
# Edit the hooks and add clevis before the 'encrypt' hook. Eg:
# HOOKS=(.. clevis encrypt ..)

    Note: If you are using plymouth, replace the plymouth-encrypt hook with encrypt. plymouth-encrypt is reported to be buggy when the device is already unlocked. More info.

  4. Generate initramfs image.

    sudo mkinitcpio -P

  5. Reboot.

Updating

If you have updated any of the settings in BIOS, changed anything in the kernel options, you have to recreate the clevis binding as TPM will not be able to unlock the device.

sudo clevis luks unbind -d <device> -s <slot-id>
sudo clevis luks bind -d <device> tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'

NOTE: slot-id is normally 1, but this can be checked by running sudo cryptsetup luksDump <encrypted device>

Troubleshooting

Usually unlocking fails only when any of the TPM registers were updated as part of a system configuration change. Try rebooting the system and re adding the clevis LUKS binding. In most cases this should fix the issue. Feel free to create an issue if your problem is not resolved.

Credits

Forked from arch-clevis by Andrei Costescu. I just simplified, fixed some bugs & added a clear readme, and @SimPilotAdamT just adapted it so this can be used in the AUR for easier install and uninstall.

About

A simple hook to unlock LUKS devices on boot with clevis and TPM on arch linux.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

11 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages