services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
70259d9542d924b94ed941c9280f84ada459781e
homelab/active/software_luks/luks.md

91 lines
2.3 KiB
Markdown
Raw Blame History

# LUKS
Disk Encryption
## Encrypting a Drive
You get 8 key slots total.
```bash
# Remember to install if you need it
dnf install cryptsetup
# Create an encryption key
mkdir /etc/luks-keys
chmod 700 /etc/luks-keys
dd if=/dev/urandom bs=128 count=1 of=/etc/luks-keys/data0.key
# Create an encrypted partition
# -q means don't ask for confirmation
# -v means verbose
cryptsetup -q -v luksFormat /dev/nvme6n1p1 /etc/luks-keys/data0.key
# Unlock
cryptsetup -q -v luksOpen --key-file /etc/luks-keys/data0.key /dev/nvme6n1p1 luks-$(cryptsetup luksUUID /dev/nvme6n1p1)
# List keys
cryptsetup luksDump /dev/nvme6n1p1
# Remove a key from a slot
cryptsetup luksKillSlot /dev/nvme6n1p1 2
# Add a new key to a slot
cryptsetup luksAddKey /dev/nvme6n1p1 -S 5
```
## TPM2 Decryption
Mostly taken from here:
<https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95>
PCR reference for `--tpm2-pcrs` args
```text
0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd
```
Basic commands:
```bash
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list
# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS
# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3
# Reenroll
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9
```
Note, you'll need to add `rd.luks.options=tpm2-device=auto` to your kernel parameters.
## Batch Operations
```bash
# Create encrypted drives in bulk
export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1"
for luks_drive in $LUKS_DRIVES; do
cryptsetup -q -v luksFormat /dev/${luks_drive} /etc/luks-keys/data0.key
done
# Unlock encrypted drives in bulk
export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1"
for luks_drive in $LUKS_DRIVES; do
cryptsetup -q -v luksOpen --key-file /etc/luks-keys/data0.key /dev/${luks_drive} luks-$(cryptsetup luksUUID /dev/${luks_drive})
done
# Add new keys in bulk
export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1"
for luks_dev in $LUKS_DEVS; do
echo Adding key to $luks_dev
cryptsetup luksAddKey $luks_dev -S 2
done
```
Reference in New Issue View Git Blame Copy Permalink