7

Please help me finish setting up LUKS + TPM2 + auto unlock at boot.

I have installed a clean Ubuntu 22.04.2. I encrypted the partition in the GUI while installing the OS. I have installed all updates.

Ubuntu 22.04.2 LTS
5.19.0-43-generic
systemd 249 (249.11-0ubuntu3.9)

I am trying to use this manual: https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll

I have installed:

tpm2-tools
dracut-core_059-3_amd64.deb
dracut_059-3_all.deb

Next:

sudo dracut --add tpm2-tss
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p3

I have added in /etc/crypttab:

nvme0n1p3_crypt UUID=1fce6364-485c-4524-9c73-7bd4dac5bd32 none luks,discard

The system is still asking for a passphrase while booting.

I do not understand what exactly I need to do to auto-unlock LUKS via TPM on boot.

Vasiliy
  • 71

4 Answers

11

This is what I'm using to allow LUKS decryption using TPM2 on the same Ubuntu 22. Not using systemd-cryptenroll, but clevis. The only 'downside' is that it shows the password prompt at boot, but it disappears after getting the key from the TPM.

#!/bin/bash

# install needed packages
apt-get -y install clevis clevis-tpm2 clevis-luks clevis-initramfs initramfs-tools tss2

# proceed: read the existing LUKS passphrase without echoing it
echo -n "Enter LUKS password: "
read -s LUKSKEY
echo ""

# bind a new LUKS key slot to the TPM2 (sha256 PCR bank)
clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256"}' <<< "$LUKSKEY"

update-initramfs -u -k all

# check
clevis luks list -d /dev/nvme0n1p3

# delete example; -s is one of the slots reported by the previous command
#clevis luks unbind -d /dev/nvme0n1p3 -s 1 tpm2

No need to modify anything else (not even the crypttab file).

Update: also tested and working with Ubuntu 24.04 LTS; change device nvme0n1p3 to whatever suits your system.

Update 2: Tested and works on Debian 12 as well.

Don Kirkby
  • 1,489
Ionel P
  • 111
2

I see just one issue in your steps in the /etc/crypttab. It is required to add tpm2-device=auto.

Here is the updated file:

nvme0n1p3_crypt UUID=1fce6364-485c-4524-9c73-7bd4dac5bd32 none tpm2-device=auto,luks,discard

Once /etc/crypttab is updated, run dracut -f

If these details aren't enough, there is a detailed guide with only one major difference compared to your steps. I am not fully sure whether dracut_059 is compatible with Ubuntu 22.04, since Ubuntu ships with the 051 release. As a workaround I just added a few dracut module folders into the 051 release manually:

01systemd-sysusers
01systemd-udevd
91tpm2-tss
Kiryl
  • 121
1

I have installed Ubuntu 24.04 on a workstation with FDE + TPM2 recently. Most information you can find on the internet is about FDE on Fedora, which is based on dracut and systemd-cryptenroll, but it may not work properly for Ubuntu.

Ubuntu has a bug in its tpm2-device=auto support; it will throw an error when running update-initramfs -u.

And if you try to use dracut -f to work around the above issue, you may end up with the following error and fail to enter your system!

Warning: dracut-initqueue: starting timeout scripts
Warning: dracut-initqueue: still waiting for following initqueue hooks:
Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2fmapper\x2fubuntu--vg-ubuntu--lv.sh: (cut for brevity)

That's what happened in my case; you should be careful with dracut on Ubuntu.

The final solution I found is to give up systemd-cryptenroll and use tpm2-initramfs-tool instead. Below is the setup script, based on the official doc, and it works well on my device.

sudo apt-get update
sudo apt-get install -y tpm2-initramfs-tool
# FDE_PASS holds the LUKS passphrase to seal into the TPM
sudo tpm2-initramfs-tool seal --data "$FDE_PASS"

Edit /etc/crypttab: change "none" to "unseal" and append keyscript=/usr/bin/tpm2-initramfs-tool

sudo sed -i -e 's#none#unseal#' /etc/crypttab
sudo sed -i -e 's#luks#luks,keyscript=/usr/bin/tpm2-initramfs-tool#' /etc/crypttab

Add the binaries and libraries to the initramfs:

cat << EOF | sudo tee /etc/initramfs-tools/hooks/tpm2-initramfs-tool
#!/bin/sh
. /usr/share/initramfs-tools/hook-functions

copy_exec /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0
copy_exec /usr/bin/tpm2-initramfs-tool
EOF

sudo chmod 755 /etc/initramfs-tools/hooks/tpm2-initramfs-tool
sudo update-initramfs -u

link89
  • 111
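The crypttab edits described in the answers above (Kiryl's tpm2-device=auto option, link89's change of the key field from none to unseal) both touch one column of one line. As an added example that is not code from any answer, here is a column-aware way to make those edits with awk. The sed calls above match the first "none" or "luks" anywhere on the line, which also hits a device path that happens to contain the word, and appending an option with sed a second time duplicates it. The helper names crypttab_entry, crypttab_set_key and crypttab_add_option are invented for this example; the sample crypttab is constructed (its UUID is the one from the question).

```shell
#!/bin/sh
# Field-aware /etc/crypttab editing. Added example for this thread, not code
# from any of the answers. A crypttab line has four whitespace-separated
# columns:
#   <target name> <source device> <key file> <options>
# Editing by column avoids the trap in `sed 's#none#unseal#'`, which rewrites
# the first "none" anywhere on the line, including inside a device path, and
# it keeps repeated runs from appending "tpm2-device=auto" twice. The helper
# names (crypttab_entry, crypttab_set_key, crypttab_add_option) are invented
# for this example.
set -eu

# Print the entry for target NAME from FILE, columns re-joined by one space.
crypttab_entry() {
    awk -v name="$2" '$1 == name { $1 = $1; print }' "$1"
}

# Replace the key-file column of entry NAME with KEY (e.g. none -> unseal).
crypttab_set_key() {
    awk -v name="$2" -v key="$3" '
        /^[ \t]*(#|$)/ { print; next }   # comments and blank lines untouched
        $1 == name     { $3 = key }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Add OPT to the options column of entry NAME. An option with the same key
# (the part before "=") is replaced rather than duplicated, so the edit is
# idempotent and a later switch from tpm2-device=auto to an explicit
# device path is a plain re-run.
crypttab_add_option() {
    awk -v name="$2" -v opt="$3" '
        /^[ \t]*(#|$)/ { print; next }
        $1 == name {
            key = opt; sub(/=.*/, "", key)
            n = split($4, a, ","); out = ""; done = 0
            for (i = 1; i <= n; i++) {
                k = a[i]; sub(/=.*/, "", k)
                if (k == key) { a[i] = opt; done = 1 }
                out = out (i > 1 ? "," : "") a[i]
            }
            if (!done) out = (n > 0) ? out "," opt : opt
            $4 = out
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a constructed crypttab (UUID copied from the question; the second
# entry has "none" inside its device path on purpose).
demo() {
    tab=$(mktemp)
    cat > "$tab" <<'EOF'
# <target name> <source device> <key file> <options>
nvme0n1p3_crypt UUID=1fce6364-485c-4524-9c73-7bd4dac5bd32 none luks,discard
backup_crypt    /dev/disk/by-partlabel/none-backup         none luks
EOF
    crypttab_set_key    "$tab" nvme0n1p3_crypt unseal
    crypttab_add_option "$tab" nvme0n1p3_crypt tpm2-device=auto
    crypttab_add_option "$tab" nvme0n1p3_crypt tpm2-device=auto   # no-op
    cat "$tab"
    rm -f "$tab"
}

demo
```

Run it against a copy of /etc/crypttab first and diff the result; only the target line should differ, and the rest of the file keeps its original spacing and comments. The same helper then handles either approach in this thread: set the key column to unseal and add keyscript=/usr/bin/tpm2-initramfs-tool for the initramfs-tools route, or leave the key column at none and add tpm2-device=auto for the dracut/systemd-cryptenroll route.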
0

The best option seems to be dracut with a little configuration. While clevis works, it is not as clean or easy to use as systemd-cryptenroll. Apart from adding tpm2-device=auto to /etc/crypttab, also add the following to dracut configuration (e.g. create /etc/dracut.conf.d/tpm2.conf):

hostonly="yes"
add_dracutmodules+=" tpm2-tss "

As others have noted, tpm2-device=auto does not work with initramfs-tools, which is used by default in Ubuntu, and dracut will likely replace initramfs-tools by the Ubuntu 25.10 release in any case.

The full set of steps is below; they have been tested on a fresh install of Ubuntu 24.04 where LVM+encryption was chosen during install.

  1. First install dracut and tpm2-tools

sudo apt install dracut tpm2-tools --autoremove --purge

This will also remove initramfs-tools and some dependent packages (including brltty that depends on initramfs-tools for some reason).

  2. Enroll TPM2 with the LUKS partition

Create a script tpm2-luks-enroll.sh with the contents below and make it executable (chmod +x tpm2-luks-enroll.sh). This will be used for the first enrollment as well as for re-enrolling after any change in system configuration that causes TPM2 to reject the key fetch.

#!/bin/sh -e

LUKS_DEV=/dev/disk/by-uuid/506d04fe-ef0b-4554-8797-57f10dc9d0d8

# drop any existing TPM2 slot, then enroll a fresh one bound to the chosen PCRs
sudo systemd-cryptenroll --wipe-slot=tpm2 "$LUKS_DEV"
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="1+7+8+11+14:sha256" --tpm2-with-pin=true "$@" "$LUKS_DEV"

Use the required LUKS partition for LUKS_DEV above, or just change the UUID above to the one in your /etc/crypttab.

Here I am using some additional PCRs. The systemd-cryptenroll man page recommends 7, 11, 14, which cover most cases. Check their meaning and adjust accordingly, but don't add too many, which can be counterproductive since TPM2 then has to be re-enrolled after every little system change. For example, one can add 9 above to detect an evil maid attack tampering with initrd, but that will mean re-enrolling at the next boot after every dracut run. On the other hand, remove 8 if someone running grub with a changed kernel command line is not a concern for you.

The TPM2 PIN is also enabled so that it is better protected in case of theft etc., but it (--tpm2-with-pin=true) can be removed to enable full auto unlock if such cases are not a concern. This PIN can be shorter than what a LUKS password should be, since TPM2 will lock up pretty quickly in case of repeated failures.

Run this script and it will enroll TPM2 with the LUKS partition, asking for the existing password and then the desired PIN (if enabled).

  3. Lastly, update crypttab and add the dracut configuration as noted at the start

The /etc/crypttab for above example after the change can look like this:

dm_crypt-0   UUID=506d04fe-ef0b-4554-8797-57f10dc9d0d8   none   luks,tpm2-device=auto,discard,no-read-workqueue,no-write-workqueue

The last three options give better performance for SSDs -- check the security implications of discard before adding it, but the other two should always be better for SSDs with no downsides.

Add /etc/dracut.conf.d/tpm2.conf as noted at the start, then run dracut -f, which should generate the initrd; its output should include lines about LUKS additions towards the end.

On reboot, it will ask for the PIN (if enabled) but will fail the first time due to the first dracut run, so you will need to enter the password the first time. Removing 8 from the PCRs should avoid it, so check if you need it. Run tpm2-luks-enroll.sh again and TPM2 should work from the next boot onwards in either case.

sumwale
  • 576
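The answer above chooses PCRs 1, 7, 8, 11 and 14 and notes that a dracut run or a changed kernel command line makes the TPM refuse the unseal until you re-enroll. Before re-enrolling it is worth knowing which PCR actually moved, so that an unexpected change (firmware, Secure Boot keys, shim MOK state) is noticed rather than silently re-sealed over. The following is an added example, not code from any answer or from tpm2-tools: it parses two tpm2_pcrread captures, prints the PCRs whose digests differ, and maps the common indices to what they measure on a GRUB/shim boot chain. It assumes the tpm2_pcrread output layout of a bank header line (sha256:) followed by "index : 0xdigest" lines; the helper names pcr_parse, pcr_diff and pcr_meaning are invented here, and the digests in the demo are made up.

```shell
#!/bin/sh
# Finding the PCR that changed. Added example for this thread, not code from
# any answer. After a successful enrollment, save a snapshot of the PCRs the
# policy binds to; when the TPM later refuses to unseal (as sumwale's answer
# describes after a dracut run or a kernel command-line edit), diff the saved
# snapshot against a fresh one before re-enrolling, so you know the change
# was the one you made. Assumes the tpm2-tools `tpm2_pcrread` output layout
#   sha256:
#     7 : 0x<hex digest>
# The helper names pcr_parse, pcr_diff and pcr_meaning are invented here.
set -eu

# Normalise a tpm2_pcrread capture to "bank:index digest", one PCR per line.
pcr_parse() {
    awk '
        /^[ \t]*[A-Za-z0-9_]+:[ \t]*$/ { bank = $1; sub(/:$/, "", bank); next }
        /^[ \t]*[0-9]+[ \t]*:[ \t]*0x/ { print bank ":" $1, tolower($3) }
    ' "$1"
}

# Print "bank:index" for each PCR whose digest differs between the BASELINE
# and CURRENT captures. PCRs present in only one capture are ignored.
pcr_diff() {
    pd_base=$(mktemp); pd_cur=$(mktemp)
    pcr_parse "$1" > "$pd_base"
    pcr_parse "$2" > "$pd_cur"
    awk 'NR == FNR { v[$1] = $2; next }
         ($1 in v) && v[$1] != $2 { print $1 }' "$pd_base" "$pd_cur"
    rm -f "$pd_base" "$pd_cur"
}

# What a changed index usually means on a GRUB/shim boot chain (per the
# systemd-cryptenroll(1) PCR table); use it to decide whether re-enrolling
# is the right response or the change is unexpected.
pcr_meaning() {
    case $1 in
        0)  echo "firmware code: UEFI update" ;;
        7)  echo "Secure Boot policy: keys, db/dbx or SB state changed" ;;
        8)  echo "GRUB commands / kernel command line changed" ;;
        9)  echo "files read by GRUB (kernel, initrd): expected after dracut -f" ;;
        11) echo "unified kernel image components changed" ;;
        14) echo "shim MOK certificates or state changed" ;;
        *)  echo "see the systemd-cryptenroll(1) PCR table" ;;
    esac
}

# Demo with two constructed captures (digests are made up, not real values).
demo() {
    base=$(mktemp); cur=$(mktemp)
    cat > "$base" <<'EOF'
sha256:
  7 : 0x1111111111111111111111111111111111111111111111111111111111111111
  8 : 0x2222222222222222222222222222222222222222222222222222222222222222
  9 : 0x3333333333333333333333333333333333333333333333333333333333333333
EOF
    # same machine after editing the kernel command line in GRUB: only PCR 8 moves
    cat > "$cur" <<'EOF'
sha256:
  7 : 0x1111111111111111111111111111111111111111111111111111111111111111
  8 : 0x4444444444444444444444444444444444444444444444444444444444444444
  9 : 0x3333333333333333333333333333333333333333333333333333333333333333
EOF
    pcr_diff "$base" "$cur" | while IFS= read -r pcr; do
        echo "$pcr changed: $(pcr_meaning "${pcr#*:}")"
    done
    rm -f "$base" "$cur"
}

demo
```

In practice the baseline is taken right after tpm2-luks-enroll.sh succeeds, for example with tpm2_pcrread sha256:1,7,8,11,14 > /root/pcr-baseline.txt, and the current capture the same way after the failed unlock; pcr_diff on the two files then names the register, and pcr_meaning says whether that register is one you expected to move.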