Full Disk Encryption: Difference between revisions

Move unlock KWallet with LUKS password section to KDE page
Voklen (talk | contribs)
Add section explaining how to store a key on TPM2
 
For FIDO2, directly read the [https://github.com/NixOS/nixpkgs/blob/7be68f763d94cdb4c809b7980647828e3274a511/nixos/doc/manual/configuration/luks-file-systems.section.md chapter in the official manual].


For TPM2, replace the crypttab and systemd-cryptsetup option <code>fido2-device=auto</code> with <code>tpm2-device=auto</code> for systemd stage 1. See [https://github.com/NixOS/nixpkgs/blob/7be68f763d94cdb4c809b7980647828e3274a511/nixos/tests/systemd-initrd-luks-tpm2.nix this integration test] in the nixpkgs source code repository.
=== TPM2 ===
 
To unlock the device unattended with a key sealed to the TPM2, first check whether your <code>configuration.nix</code> contains a line similar to the one below (with <code>YOUR-UUID</code> replaced by the LUKS device's actual UUID):
{{file|/etc/nixos/configuration.nix|nix|3=
boot.initrd.luks.devices."luks-YOUR-UUID".device = "/dev/disk/by-uuid/YOUR-UUID";
}}
That is the device the crypttab option is added to. If your configuration does not contain such a line, list the LUKS devices that are currently configured with:
<syntaxhighlight lang="sh">
nixos-option boot.initrd.luks.devices
</syntaxhighlight>
 
To unlock the device using TPM2, add the following to your configuration. It enables systemd stage 1, which is required because the crypttab option is interpreted by systemd-cryptsetup in the initrd, and adds the tpm2 option to the device's crypttab entry.
 
{{file|/etc/nixos/configuration.nix|nix|3=
boot.initrd.systemd.enable = true;
 
boot.initrd.luks.devices."luks-YOUR-UUID" = {
  device = "/dev/disk/by-uuid/YOUR-UUID";
  crypttabExtraOpts = [ "tpm2-device=auto" ];
};
}}
 
Rebuild and reboot, then enroll a key sealed to the TPM2 into a new LUKS keyslot with the command below. It asks for an existing LUKS passphrase to authorise the new slot, and <code>--wipe-slot=tpm2</code> first removes any TPM2 slot enrolled earlier:
<syntaxhighlight lang="sh">
sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0 /dev/disk/by-uuid/YOUR-UUID
</syntaxhighlight>
 
After the next reboot the device should unlock without prompting for the password. Be aware of what <code>--tpm2-pcrs=0</code> binds the key to: PCR 0 measures only the firmware code, so any operating system booted on that firmware, including one started from a USB stick, satisfies the policy and can ask the TPM to unseal the key. Once unattended unlock works, run the command again with more PCRs, for example <code>--tpm2-pcrs=0+7</code> if your system uses [[Secure Boot]] (PCR 7 records the Secure Boot state and the certificates used), and add <code>--tpm2-with-pin=yes</code> to require a PIN at boot. A good set of options is <code>--tpm2-pcrs=0+2+7+12</code>; all registers are documented in the [https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ Linux TPM PCR Registry]. Anything that changes a bound PCR, such as a firmware update, invalidates the policy: the boot then falls back to the passphrase prompt and the key has to be re-enrolled.
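To check what an enrollment actually binds to, the following script is an added example (not from the NixOS wiki or from systemd/cryptsetup) that audits a LUKS2 token as printed by <code>cryptsetup token export</code>. It assumes the JSON layout systemd-cryptenroll writes (a <code>tpm2-pcrs</code> array and a <code>tpm2-pin</code> flag) and only inspects those two fields; it does not evaluate signed-PCR (<code>tpm2-pubkey-pcrs</code>) policies. The two sample tokens embedded in it are constructed, with fake blob and hash values, so it runs offline:

```sh
#!/bin/sh
# Added audit script; not part of the NixOS wiki page, systemd or cryptsetup.
# Assumption: the token JSON has the layout systemd-cryptenroll writes, with
# "tpm2-pcrs": [ints] and "tpm2-pin": bool. On a live system obtain it with:
#   cryptsetup token export --token-id 0 /dev/disk/by-uuid/YOUR-UUID
# The two samples below are constructed for offline use; blob/hash values are fake.

SAMPLE_TOKEN_PCR0='{"type":"systemd-tpm2","keyslots":["1"],"tpm2-blob":"QUFBQQ==","tpm2-pcrs":[0],"tpm2-pcr-bank":"sha256","tpm2-primary-alg":"ecc","tpm2-policy-hash":"0000","tpm2-pin":false}'
SAMPLE_TOKEN_HARDENED='{"type":"systemd-tpm2","keyslots":["1"],"tpm2-blob":"QUFBQQ==","tpm2-pcrs":[0,2,7,12],"tpm2-pcr-bank":"sha256","tpm2-primary-alg":"ecc","tpm2-policy-hash":"0000","tpm2-pin":true}'

# token_pcrs JSON: print the PCR indices the key is sealed to, space separated.
# Whitespace is stripped first so pretty-printed JSON is handled as well.
token_pcrs() {
    printf '%s' "$1" | tr -d ' \n\t' \
        | sed -n 's/.*"tpm2-pcrs":\[\([0-9,]*\)].*/\1/p' | tr ',' ' '
}

# token_has_pin JSON: succeed if a PIN is required to unseal the key.
token_has_pin() {
    printf '%s' "$1" | tr -d ' \n\t' | grep -q '"tpm2-pin":true'
}

# audit_token JSON: print findings; return 0 when PCR 7 is bound and a PIN
# is set, 1 for a weaker enrollment.
audit_token() {
    json=$1
    rc=0
    pcrs=$(token_pcrs "$json")
    if [ -z "$pcrs" ]; then
        echo "FAIL: no tpm2-pcrs field; is this a systemd-tpm2 token?"
        return 1
    fi
    case " $pcrs " in
        *" 7 "*) echo "ok:   PCR 7 (Secure Boot state) is bound" ;;
        *) echo "WARN: policy [$pcrs] omits PCR 7: any OS booted on this firmware can unseal the key"
           rc=1 ;;
    esac
    if token_has_pin "$json"; then
        echo "ok:   PIN required at boot"
    else
        echo "WARN: no PIN: the disk unlocks for whoever powers on the machine"
        rc=1
    fi
    return $rc
}

# Stand-alone demo on the constructed samples.
for t in "$SAMPLE_TOKEN_PCR0" "$SAMPLE_TOKEN_HARDENED"; do
    audit_token "$t" && echo "result: acceptable" || echo "result: weak enrollment"
done
```

On a real machine, pass the output of <code>cryptsetup token export --token-id N DEVICE</code> (run as root) to <code>audit_token</code>; the token id is listed by <code>cryptsetup luksDump</code>.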


Because the TPM is attached to your computer, it provides no protection against a stolen computer when used on its own: whoever powers on the machine gets the disk unlocked up to the login screen. The most it adds there is the optional PIN (<code>--tpm2-with-pin=yes</code>). On its own it only protects against a stolen drive.