tech:cheatsheets:linux:luks

tech:cheatsheets:linux:luks [2024/01/15 07:32] – ↷ Page moved from infrastructure:cheatsheets:linux:luks to tech:cheatsheets:linux:luks waldemar
tech:cheatsheets:linux:luks [2024/09/27 07:46] (current) waldemar
Line 3: Line 3:
 <code bash> <code bash>
 cryptsetup luksOpen /dev/mmcblk1p3 mmcblk2p3_crypt cryptsetup luksOpen /dev/mmcblk1p3 mmcblk2p3_crypt
-mount /dev/vgkubuntu/root /target # use lvdisplay to find the volume+mount /dev/vgkubuntu/root /target # use lvdisplay and lsblk to find the volume
 </code> </code>
 +
 +==== Grow partition ====
 +Note: filesystem should not be mounted when resizing
 +  * https://www.redhat.com/sysadmin/resize-lvm-simple
 +===== Change key of encrypted partition =====
 +<code bash>
 +cryptsetup luksChangeKey /dev/sdX
 +</code>
 +
  
 ===== Extend encrypted partition ===== ===== Extend encrypted partition =====
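Review bot: the new "==== Grow partition ====" heading is one level below the surrounding "=====" sections and carries no commands, only a note and a link, so either promote it to "===== Grow partition =====" or fold the note and the Red Hat link into the "Extend encrypted partition" section that immediately follows. The note "filesystem should not be mounted when resizing" is also too strict for growing: ext4 can be grown online with resize2fs and xfs_growfs only works on a mounted filesystem; unmounting is required when shrinking. For the new luksChangeKey block, state that without --key-slot cryptsetup replaces the keyslot whose current passphrase is entered, so a Clevis/TPM-bound slot added later on this page is left untouched, and mark "/dev/sdX" as a placeholder since the rest of the page uses mmcblk/nvme device names.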
Line 11: Line 20:
 ===== Setup automatic unlock ===== ===== Setup automatic unlock =====
 <code bash> <code bash>
-apt install -y initramfs clevis clevis-luks clevis-udisks2 clevis-systemd clevis-tpm2 clevis-initramfs+apt install -y clevis clevis-luks clevis-udisks2 clevis-systemd clevis-tpm2 clevis-initramfs
 clevis luks bind -d /dev/mmcblkp3 tpm2 '{"pcr_ids":"1,7","key":"rsa"}' clevis luks bind -d /dev/mmcblkp3 tpm2 '{"pcr_ids":"1,7","key":"rsa"}'
 systemctl enable clevis-luks-askpass.path systemctl enable clevis-luks-askpass.path
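Review bot: dropping "initramfs" from the apt line is correct, since that is not a Debian package name (the package is initramfs-tools), and the remaining clevis-* packages are what the bind command below needs. While touching this block, the unchanged bind line uses "/dev/mmcblkp3", which lacks the device index used in the luksOpen line earlier on the page ("/dev/mmcblk1p3"); it looks like a typo that would make the command fail as written. It would also help to say that "pcr_ids":"1,7" ties the slot to firmware configuration and Secure Boot state, so the recovery passphrase slot must remain in place before enabling the askpass path.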
Line 17: Line 26:
 </code> </code>
  
 +==== Troubleshooting ====
 +If it doesn't work it might be due to wrong ''pcr_bank'' or ''key'' used.
 +The PCR banks can be checked with ''tpm2_pcrread''.
 ==== Regenerate ==== ==== Regenerate ====
 If automatic unlock does not work anymore it needs to be regenerated. If automatic unlock does not work anymore it needs to be regenerated.
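Review bot: the new Troubleshooting note names ''pcr_bank'' as a likely culprit, but the bind command two sections above never sets it, so the note should say to compare the bank shown by ''tpm2_pcrread'' with the one Clevis assumes and, if they differ, add an explicit ''"pcr_bank"'' entry (for example the sha256 bank) to the bind JSON rather than relying on the default. Likewise, ''"key":"rsa"'' is already given in the bind line, so the note should say which value to try instead of just saying the key type may be wrong.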
Line 28: Line 40:
 clevis luks regen -d /dev/nvme0n1p3 -s 1 clevis luks regen -d /dev/nvme0n1p3 -s 1
 </code> </code>
 +
 +==== Change PCRs ====
 +To change PCRs you first need to delete the key and then re-add using the wanted PCRs.
 +
 +List the used slots:
 +<code bash>
 +clevis luks list -d /dev/nvme0n1p3
 +</code>
 +
 +Remove the slot:
 +<code bash>
 +clevis luks unbind -d /dev/nvme0n1p3 -s 1 -f
 +</code>
 +Note: ''-f'' will not ask for confirmation but is needed if there is no other slot set up.
 +
 +After that re-add the key like above.
  
 ===== References ===== ===== References =====
Line 36: Line 64:
   * https://wiki.archlinux.org/title/Clevis   * https://wiki.archlinux.org/title/Clevis
   * https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers   * https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers
 +  * https://www.tuxedocomputers.com/en/Infos/Help-Support/Instructions/Change-LUKS-encryption-password.tuxedo
 +  * https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2
 +  * https://wiki.archlinux.org/title/Systemd-cryptenroll
  
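Review bot: the "Change PCRs" procedure unbinds slot 1 with ''-f'' before re-adding the key, which removes the only Clevis keyslot; if the passphrase slot was ever removed, the volume is left without any usable keyslot. Reverse the order: run the ''clevis luks bind'' from "Setup automatic unlock" with the new ''pcr_ids'' first (it adds a new slot alongside the old one), confirm with ''clevis luks list'' or ''cryptsetup luksDump'' that a passphrase slot still exists, and only then ''clevis luks unbind'' the old slot. Also take the slot number from the ''clevis luks list'' output instead of hardcoding ''-s 1'' in both the unbind and the regen commands. The added Systemd-cryptenroll reference is not mentioned anywhere in the page text; add a sentence saying it is the systemd alternative to Clevis, or drop it.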
tech/cheatsheets/linux/luks.1705303959.txt.gz · Last modified: by waldemar
