
I am currently aware of two recent methods to bind a LUKS encrypted root partition to a TPM2: systemd-cryptenroll and clevis. Both of them seem to release the encryption key after successfully checking the PCRs the key was sealed against.

But I don't like the idea of the volume being decrypted without user interaction. I'd rather have a solution like it is offered by BitLocker for Windows: Either TPM and an additional PIN or a recovery key.

Even though I searched the web quite exhaustively I was not able to find any hints in this direction. Is anybody aware of a solution?

EDIT: There is a --recovery-key option for systemd-cryptenroll. I'm only concerned with the question of how to get an additional PIN requirement when using the TPM.

2 Answers


2022-05-21 - systemd v251

Support for TPM2 + PIN has been merged in systemd-cryptenroll and is available as part of release v251.

Changes in disk encryption:

  • systemd-cryptenroll can now control whether to require the user to enter a PIN when using TPM-based unlocking of a volume via the new --tpm2-with-pin= option.

    Option tpm2-pin= can be used in /etc/crypttab.

Source

  • I recently tried it and it works like a charm. Thanks! Commented Sep 14, 2022 at 13:57
  • Is the pin specified directly in the tpm2-pin= option? Commented Jun 29 at 17:09
  • @horsey_guy I don't quite understand your question. The crypttab parameter tpm2-pin is an alternative way to set the boolean flag of whether the TPM2 volume unlocking is bound to a PIN or not. If you check the crypttab man page it should be clear. Basically, tpm2-pin could be manually specified in /etc/crypttab if for some reason you did not use systemd-cryptenroll and therefore the special JSON formatted metadata is missing from the LUKS header Commented Jul 15 at 2:23
  • That makes sense now. Commented Jul 15 at 2:26
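As an added illustration (not code from either answer or from systemd itself) of the two places the PIN requirement shows up, the script below builds the systemd-cryptenroll invocation with --tpm2-with-pin=yes and audits a constructed /etc/crypttab for TPM2-bound volumes that lack tpm2-pin=yes, i.e. volumes that would still unlock without user interaction. The device path, UUIDs and the PCR list are placeholders.

```shell
#!/bin/sh
# Added example. Assumes the systemd crypttab option names tpm2-device= and tpm2-pin=
# as documented in crypttab(5); the sample entries below are constructed, not real.

SAMPLE_CRYPTTAB='# <name>    <device>                                    <keyfile>     <options>
root_ok     UUID=11111111-2222-3333-4444-555555555555   none          tpm2-device=auto,tpm2-pin=yes,luks
root_nopin  UUID=66666666-7777-8888-9999-000000000000   none          tpm2-device=auto,luks
data        /dev/sdb2                                   /key/data     luks
swap        /dev/sdb3                                   /dev/urandom  swap'

# Print the names of volumes bound to a TPM2 (tpm2-device= present) whose options
# do not also require a PIN (tpm2-pin=yes/true/1/on). Such volumes auto-unlock
# as soon as the PCR policy is satisfied, which is what the question wants to avoid.
tpm2_volumes_without_pin() {
  printf '%s\n' "$1" | awk '
    $0 ~ /^[ \t]*#/ || NF == 0 { next }    # skip comments and blank lines
    {
      opts = "," $4 ","                    # pad so ",opt," matches whole options only
      if (opts ~ /,tpm2-device=/ && opts !~ /,tpm2-pin=(yes|true|1|on),/)
        print $1
    }'
}

# Build the enrollment command that adds a TPM2 key slot which additionally
# requires a PIN, sealed against the given PCR list (placeholder default: 7).
enroll_cmd_tpm2_pin() {
  dev="$1"; pcrs="${2:-7}"
  printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s --tpm2-with-pin=yes %s\n' "$pcrs" "$dev"
}

# Stand-alone run: show the enroll command for a placeholder device, then the audit.
enroll_cmd_tpm2_pin /dev/sda2 7
echo "TPM2 volumes without a PIN requirement:"
tpm2_volumes_without_pin "$SAMPLE_CRYPTTAB"
```

The audit only reads the crypttab options; a volume enrolled with systemd-cryptenroll but listed without tpm2-pin= still carries the PIN flag in the LUKS header metadata, as the comment above explains.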

There is currently no support for two-factor authentication when opening a LUKS device. However, there will probably be at some point in the future.

LUKS itself doesn’t have any notion of needing two “passwords” (passphrases, key files, TPM keys...) to access a given device; it only knows about key slots, and one of those is sufficient to unlock a device. Tools which add support for other authentication mechanisms than those supported by LUKS piggy-back on top of this, and since they provide the extra authentication, the best place to require a PIN of some sort would probably be there. The developers of both Clevis and systemd are aware that there is interest:
