Option to enroll luks device for unlock methods (e.g. TPM2) #709
Comments
iFreilicht
added
enhancement
|
Wouldn't it be possible to just use something like this? postCreateHook="systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<device>";Or is there some distinct advantage to implementing this feature in disko directly? |
|
It's most a documentation issue I suppose. Having a NixOS option can help with that, but also a template could. |
iFreilicht
added
the
documentation
So far I just used disko for simple partition layouts, but this time I would like to use it to create a luks setup with a fido2 device to unlock it. I have the basics down I guess (using systemd enabled initrd as described in the nixos manual). The only thing that is missing is to have the Do I need to run the hook after the filesystem creation that is using the luks device? Is there maybe an example that shows on what level the hook has to be set? |
I believe the reason for this is just that noone with enough interest in such a feature implemented it yet. I personally don't have a use-case but I am happy to review PRs for that and provide guidance where I can. I wrote the original implementation for zfs and think the one for luks could work almost the same. |
|
@phaer would you be so kind to point me to the src for this? I looked in lib/types/ at all zfs related files but I wasn't able to pinpoint the hook related code. The disko source is a bit puzzling for me tbo. |
It would be useful to have an option for luks devices to enable TPM2 unlock (and maybe others like FIDO2 or PKCS11 too?).
This would be more convenient than running
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/<device>after using disko.An error should be thrown if the option is used on a system without TPM2 support.
The text was updated successfully, but these errors were encountered: