LUKS

Disk Encryption

Encrypting a Drive

You get 8 key slots total.

# Remember to install if you need it
dnf install cryptsetup

# Create an encryption key (128 random bytes); keep the directory and the key itself root-only
mkdir /etc/luks-keys
chmod 700 /etc/luks-keys
dd if=/dev/urandom bs=128 count=1 of=/etc/luks-keys/data0.key
chmod 600 /etc/luks-keys/data0.key

# Create an encrypted partition
# -q means don't ask for confirmation
# -v means verbose
cryptsetup -q -v luksFormat /dev/nvme6n1p1 /etc/luks-keys/data0.key

# Unlock
cryptsetup -q -v luksOpen --key-file /etc/luks-keys/data0.key /dev/nvme6n1p1 luks-$(cryptsetup luksUUID /dev/nvme6n1p1)

# List keys
cryptsetup luksDump /dev/nvme6n1p1

# Remove a key from a slot
cryptsetup luksKillSlot /dev/nvme6n1p1 2

# Add a new key to a slot
# --key-file authenticates with the existing key; cryptsetup then prompts for the new passphrase
cryptsetup luksAddKey --key-file /etc/luks-keys/data0.key /dev/nvme6n1p1 -S 5

TPM2 Decryption

Mostly taken from here: https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95

PCR reference for --tpm2-pcrs args

0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd

Basic commands:

# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list

# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS

# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3

# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9

Note: you'll need to add rd.luks.options=tpm2-device=auto to your kernel parameters, otherwise the initrd will not try the TPM2 token at boot and will keep prompting for a passphrase.
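Two checks worth running after enrolling, as an added example that is not part of the original note or the linked gist: whether the kernel command line actually carries rd.luks.options=tpm2-device=auto, and whether the systemd-tpm2 token recorded in cryptsetup luksDump output is bound to the PCR set you passed to --tpm2-pcrs. The token layout the parser expects (a "N: systemd-tpm2" line followed by a "tpm2-hash-pcrs: a+b+c" line) is assumed from the LUKS2 dump format; confirm it against your cryptsetup version.

```shell
#!/bin/sh
# Added example, not part of the original note: post-enrollment checks.
# 1) cmdline_has_tpm2_auto: does the kernel command line carry
#    rd.luks.options=tpm2-device=auto?
# 2) pcrs_match: does the systemd-tpm2 token in `cryptsetup luksDump` output
#    bind the PCR set given to --tpm2-pcrs?
# Assumption: the token section looks like "  0: systemd-tpm2" followed by a
# "tpm2-hash-pcrs:   0+2+4+7+8+9" line (LUKS2 dump layout as recalled here).

# cmdline_has_tpm2_auto CMDLINE -> 0 if rd.luks.options includes tpm2-device=auto
cmdline_has_tpm2_auto() {
    for arg in $1; do
        case "$arg" in
            rd.luks.options=*)
                opts=${arg#rd.luks.options=}
                # the option list is comma separated; pad it so a whole-word match is easy
                case ",$opts," in
                    *,tpm2-device=auto,*) return 0 ;;
                esac
                ;;
        esac
    done
    return 1
}

# token_pcrs DUMP -> prints the PCR list of the first systemd-tpm2 token, e.g. "0+2+4+7+8+9"
token_pcrs() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[0-9]+: systemd-tpm2/ { intok = 1; next }
        intok && /tpm2-hash-pcrs:/ { print $2; exit }
    '
}

# pcrs_match DUMP EXPECTED -> 0 if the enrolled PCR set equals EXPECTED
# (EXPECTED in the comma form used for --tpm2-pcrs, e.g. "0,2,4,7,8,9")
pcrs_match() {
    got=$(token_pcrs "$1" | tr '+' ',')
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# Usage on a live system (luksDump needs root):
#   cmdline_has_tpm2_auto "$(cat /proc/cmdline)" || echo "add rd.luks.options=tpm2-device=auto"
#   pcrs_match "$(cryptsetup luksDump /dev/nvme0n1p3)" 0,2,4,7,8,9 || echo "PCR binding differs, reenroll"
```

A mismatch from pcrs_match after a firmware or bootloader update is expected: the token is still bound to the old PCR values and the reenroll command above is the fix.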

Batch Operations

# Create encrypted drives in bulk
# -q skips the "Are you sure?" confirmation, so check the device list twice: luksFormat wipes the header
export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1"
for luks_dev in $LUKS_DEVS; do
    cryptsetup -q -v luksFormat "$luks_dev" /etc/luks-keys/data0.key
done

# Unlock encrypted drives in bulk
export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1"
for luks_dev in $LUKS_DEVS; do
    cryptsetup -q -v luksOpen --key-file /etc/luks-keys/data0.key "$luks_dev" "luks-$(cryptsetup luksUUID "$luks_dev")"
done

# Add new keys in bulk
# --key-file authenticates with the existing key; cryptsetup then prompts for the new passphrase per drive
export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1"
for luks_dev in $LUKS_DEVS; do
    echo "Adding key to $luks_dev"
    cryptsetup luksAddKey --key-file /etc/luks-keys/data0.key "$luks_dev" -S 2
done
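The luksFormat and luksOpen commands in the Encrypting a Drive section and in the bulk loops above run with -q, so nothing stops a typo in the device list from reformatting a drive that is already encrypted. As an added example (not part of the original note), the wrappers below run the same cryptsetup commands only after two checks: the key file exists, is mode 600 or 400 and holds at least the 128 bytes the dd command writes, and the target device does or does not already start with the LUKS magic bytes, as appropriate. The helper names and exit codes are my own; the script assumes POSIX sh with GNU stat and od.

```shell
#!/bin/sh
# Added example, not part of the original note. Wraps the note's luksFormat /
# luksOpen commands (single drive or the bulk loop) with the checks that make
# -q (no confirmation) safe to use:
#   - keyfile_ok: key file exists, is root-only (mode 600/400) and holds at
#     least the 128 bytes produced by the dd command in the note
#   - is_luks_header: the device already starts with the LUKS magic bytes, so
#     luksFormat would destroy an existing volume
# Assumes POSIX sh with GNU stat/od (Linux).

LUKS_MAGIC=4c554b53babe   # "LUKS" 0xBA 0xBE: first 6 bytes of a LUKS1/LUKS2 header

# keyfile_ok FILE -> 0 if FILE is usable as a LUKS key file
keyfile_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "key file $1 has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    [ "$(wc -c < "$1")" -ge 128 ]
}

# is_luks_header DEV -> 0 if DEV (block device or image file) carries a LUKS header
is_luks_header() {
    magic=$(od -An -N6 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "$LUKS_MAGIC" ]
}

# safe_luks_format DEV KEYFILE -> runs luksFormat only when both checks pass
# exit codes: 2 = bad key file, 3 = device is already LUKS, otherwise cryptsetup's own
safe_luks_format() {
    keyfile_ok "$2" || return 2
    if is_luks_header "$1"; then
        echo "refusing to luksFormat $1: it already has a LUKS header (use luksAddKey)" >&2
        return 3
    fi
    cryptsetup -q -v luksFormat "$1" "$2"
}

# safe_luks_open DEV KEYFILE -> opens DEV as luks-<UUID>, skipping devices that are not LUKS
# exit codes: 2 = bad key file, 3 = no LUKS header, otherwise cryptsetup's own
safe_luks_open() {
    keyfile_ok "$2" || return 2
    if ! is_luks_header "$1"; then
        echo "skipping $1: no LUKS header" >&2
        return 3
    fi
    cryptsetup -q -v luksOpen --key-file "$2" "$1" "luks-$(cryptsetup luksUUID "$1")"
}

# Bulk use with the note's device list:
#   LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1"
#   for luks_dev in $LUKS_DEVS; do safe_luks_format "$luks_dev" /etc/luks-keys/data0.key; done
#   for luks_dev in $LUKS_DEVS; do safe_luks_open "$luks_dev" /etc/luks-keys/data0.key; done
```

The header check reads only the first six bytes, so it also works on a disk image when you want to rehearse the loop before pointing it at real devices.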