# LUKS Disk Encryption

## Encrypting a Drive

You get 8 key slots total.

```bash
# Remember to install if you need it
dnf install cryptsetup

# Create an encryption key
mkdir /etc/luks-keys
chmod 700 /etc/luks-keys
dd if=/dev/urandom bs=128 count=1 of=/etc/luks-keys/data0.key

# Create an encrypted partition
# -q means don't ask for confirmation
# -v means verbose
cryptsetup -q -v luksFormat /dev/nvme6n1p1 /etc/luks-keys/data0.key

# Unlock
cryptsetup -q -v luksOpen --key-file /etc/luks-keys/data0.key /dev/nvme6n1p1 luks-$(cryptsetup luksUUID /dev/nvme6n1p1)

# List keys
cryptsetup luksDump /dev/nvme6n1p1

# Remove a key from a slot
cryptsetup luksKillSlot /dev/nvme6n1p1 2

# Add a new key to a slot
cryptsetup luksAddKey /dev/nvme6n1p1 -S 5
```

The key file is created with the default umask, so restrict it (e.g. `chmod 600`) and keep an offline copy: losing it, or killing its slot, means losing access to the data.

## TPM2 Decryption

Mostly taken from an external reference (link not preserved).

PCR reference for `--tpm2-pcrs` args:

```text
0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd
```

Basic commands:

```bash
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list

# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS

# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3

# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9
```

The TPM2 slot only unlocks while the selected PCRs match the enrolled values, so after a firmware, bootloader, kernel, initrd or command-line change you must re-enroll (see "Reenroll" above) or fall back to another key slot.

Note: you'll need to add `rd.luks.options=tpm2-device=auto` to your kernel parameters.
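## Batch Operations

```bash
# Device list shared by all three loops below. Each entry is a full device
# path and is used as-is: the earlier version prepended /dev/ a second time
# ("/dev//dev/nvme...") and looped over a variable that was never set
# (LUKS_DRIVES vs LUKS_DEVS), so the first two loops did nothing useful.
# Double-check this list before running: luksFormat wipes each device.
export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1"

# Create encrypted drives in bulk
# shellcheck disable=SC2086 — word-splitting LUKS_DEVS into devices is intentional
for luks_dev in $LUKS_DEVS; do
  cryptsetup -q -v luksFormat "$luks_dev" /etc/luks-keys/data0.key
done

# Unlock encrypted drives in bulk
# The mapper name is derived from the LUKS UUID so it is stable across reboots.
# shellcheck disable=SC2086
for luks_dev in $LUKS_DEVS; do
  cryptsetup -q -v luksOpen --key-file /etc/luks-keys/data0.key "$luks_dev" "luks-$(cryptsetup luksUUID "$luks_dev")"
done

# Add new keys in bulk
# --key-file authorizes the operation with the existing key-file slot written
# by luksFormat; without it luksAddKey prompts for an existing passphrase, and a
# random binary key cannot be typed. The new key is still prompted for.
# shellcheck disable=SC2086
for luks_dev in $LUKS_DEVS; do
  printf 'Adding key to %s\n' "$luks_dev"
  cryptsetup luksAddKey --key-file /etc/luks-keys/data0.key "$luks_dev" -S 2
done
```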