Encrypt root partition with LUKS and decrypt with TPM without password prompt
Posted on .
Tested on CentOS 6.5
From BIOS choose boot mode "Legacy Only" and check if TPM is enabled and install CentOS with encrypted root partition:
/dev/sda1 /boot /dev/sda2 swap /dev/sda3 / (encrypted)
Post install configuration:
# yum install tpm-tools
# /etc/init.d/tcsd start
(If TPM is not enabled or is missing will see error)
# tpm_takeownership -z
(If see error need to clear TPM because ownership has been taken already)
# wget --no-check-certificate https://projects.sirrix.com/svn/trustedgrub/release/TrustedGRUB-1.1.5.tar.gz
# tar zxvf TrustedGRUB-1.1.5.tar.gz
# cd TrustedGRUB-1.1.5/
# yum install automake gcc glibc-devel glibc-devel.i686 libgcc.i686
# ./build_tgrub.sh
# cp default /boot/grub/
# cd TrustedGRUB-1.1.5/
# make install
# rm -rf /boot/grub/stage*
# rm -rf /boot/grub/*1_5
# cp ./stage1/stage1 /boot/grub
# cp ./stage2/stage2 /boot/grub
# ./grub/grub --no-floppy
root (hd0,0) setup (hd0) quit# vi /usr/share/dracut/modules.d/90crypt/cryptroot-ask.sh
after line 104 add following:
if [ $ask_passphrase -ne 0 ]; then
/sbin/modprobe tpm_infineon
/bin/mknod -m 644 /dev/urandom c 1 9
ifconfig lo 127.0.0.1
/usr/sbin/tcsd -f &
sleep 3
mkdir /mnt
mount -t ext4 /dev/sda1 /mnt
/usr/bin/tpm_unsealdata -z -i /mnt/sealed_key | cryptsetup luksOpen "$device" "$luksname" && ask_passphrase=0
umount /mnt
fi
# vi /sbin/dracutedit line 335 to:
if ! ( umask 077; cd "$initdir"; find . |cpio -H newc -o --quiet| \# dracut --add-drivers tpm_infineon -I "/usr/sbin/tcsd /etc/tcsd.conf /usr/bin/tpm_unsealdata /var/lib/tpm/system.data /etc/passwd /etc/group /etc/nsswitch.conf /lib64/libnss_files.so.2 /etc/hosts /lib64/libnss_dns.so.2 /sbin/ifconfig" luks-2.6.32-431.el6.x86_64.img
(Use version number of running kernel)
# cp luks-2.6.32-431.el6.x86_64.img /boot
# vi /boot/grub/menu.lst
Replace initramfs with luks# reboot
Add LUKS password and login.
# killall tcsd
# /etc/init.d/tcsd start
# echo YourLUKSpassword | tpm_sealdata -z -p 4 -p 8 -p 9 -p 12 -p 14 -o /boot/sealed_key
# history -c
(Clear YourLUKSPassword from bash history)
# reboot
System will boot without password prompt for LUKS.
----------------------
Few steps should be changed and the example from above will work on Ubuntu 14.04
# apt-get install automake gcc-multilib texinfo
In TrustedGRUB-1.1.5/stage[12]/Makefile.am replace 'pkglib_DATA' with 'pkgdata_DATA' otherwise TrustedGRUB will not compile.
Create /boot/grub/menu.lst
default=0
timeout=5
title Ubuntu
root (hd0,0)
kernel /vmlinuz-3.16.0-30-generic root=/dev/mapper/ubuntu--vg-root ro quiet
initrd /initrd.img-3.16.0-30-generic
# vim /usr/share/initramfs-tools/scripts/local-top/cryptroot
Add at line 251
if [ $count -eq 1 ]; then
modprobe -q tpm_infineon
mknod /dev/tpm c 10 224
ifconfig lo 127.0.0.1
mkdir /mnt
mount /dev/sda1 /mnt
mkdir -p /var/lib/tpm
cp /mnt/system.data /var/lib/tpm
tcsd
sleep 3
tpm_unsealdata -z -i /mnt/sealed_key | cryptsetup luksOpen "$cryptsource" "$crypttarget" && ask_passphrase=0
umount /mnt
fi
Replace lineif [ -z "$cryptkeyscript" ]with
if [ -z "$cryptkeyscript" ] && [ $ask_passphrase -eq 1 ]; thenReplace line
if [ ! -e "$NEWROOT" ]with
if [ ! -e "$NEWROOT" ] && [ $ask_passphrase -eq 1 ]; then# vim /usr/sbin/mkinitramfs
Add at line 296
copy_exec /usr/sbin/tcsd /sbin
copy_exec /usr/bin/tpm_unsealdata /sbin
copy_exec /etc/passwd /etc
copy_exec /etc/group /etc
copy_exec /etc/hosts /etc
copy_exec /etc/nsswitch.conf /etc
copy_exec /lib/x86_64-linux-gnu/libnss_files.so.2 /lib
copy_exec /lib/x86_64-linux-gnu/libnss_dns.so.2 /lib
# cp /var/lib/tpm/system.data /boot
