Does Ubuntu support unlocking full-disk encrypted internal drive(s) automatically with TPM?

I set this up on our Linux servers using LUKS and Clevis. When you first set up LUKS encryption, you set a password which will persist after you set up TPM auto-unlock in case the TPM cannot be contacted. Admittedly I don’t think there is a way to easily add encryption in place onto an existing installation like Bitlocker does.


For anyone who’s interested (not Ubuntu but it’s a thorough guide):


There are multiple key slots. One can be a piece of randomness stored in the TPM, another can be a passphrase you enter over a keyboard, a third can be yet another passphrase or a key stored in a file on a USB flash stick.

You can add/revoke keys on the fly pretty much.

Annoyingly, nmap and/or netcat aren’t package dependencies of clevis-dracut despite it requiring the netcat command. That threw me for a loop the first time I set it up.


Big dumb. Which distro?

Alma Linux 8 but I would presume it’s the same with the other RHEL8 clones.


Why’d you go the TPM route? TPM makes sense for windows boxes and other MSFT stuff, but doesn’t Linux have better supported solutions?

You mean like a Tang server or something? This is on a Hyper-V cluster and I primarily run Windows boxes, we only have like five Linux servers currently and only four of those I’m responsible for compared to the 30 Windows servers I maintain and then there are another 20 Windows servers that are vendor maintained. The numbers are mainly for reference as to why I chose TPM. We have a lot of big projects going on right now so I don’t have a lot of time to invest in figuring some of that stuff out.


Ah. Yeah that makes sense.

A working, known, consistent solution > new hotness


If you have a compatible TPM 2.0 chip, I believe you can use systemd-cryptenroll to do exactly as you’re describing. systemd-cryptenroll --tpm2-device=auto will enroll and store a key in the TPM for automatically unlocking a LUKS volume. In addition you can still use your existing passphrase or create a recovery key which functions similarly to Bitlocker’s recovery key. Unfortunately I don’t have a compatible TPM chip to test this first, but I can confirm Ubuntu does have the systemd-cryptenroll package installed by default. Be sure to read thoroughly on the topic before inserting random commands into your terminal. :wink:

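As an added example (not from any poster in this thread), the following script wraps the systemd-cryptenroll enrollment described above and then audits the LUKS2 header so the TPM-sealed slot is never the only way in, which is the point made earlier about keeping a passphrase or recovery slot alongside the TPM slot. The luksDump excerpts are constructed for the demo; the enrollment function itself needs root, a TPM 2.0 and a real device path.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Enrolls a TPM2-sealed key plus a
# recovery key with systemd-cryptenroll, then audits the LUKS2 header so the
# TPM is never the only way to unlock the volume.
set -euo pipefail

# Enrollment (needs root, a TPM 2.0 and an existing passphrase, which stays
# valid). PCR 7 binds the sealed key to the Secure Boot state.
enroll_tpm_and_recovery() {
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$1"
    systemd-cryptenroll --recovery-key "$1"
}

# Audit: reads `cryptsetup luksDump <dev>` output on stdin. Succeeds only if a
# systemd-tpm2 token exists AND some keyslot is not bound to it (a passphrase
# slot or a systemd-recovery token), i.e. a fallback survives a TPM failure.
audit_luks_fallback() {
    awk '
        /^Keyslots:/ { sect = "k"; next }
        /^Tokens:/   { sect = "t"; next }
        /^Digests:/  { sect = "d"; next }
        sect == "k" && /^  [0-9]+: luks2/            { slots++ }
        sect == "t" && /^  [0-9]+: systemd-tpm2/     { tpm = 1; cur = "tpm" }
        sect == "t" && /^  [0-9]+: systemd-recovery/ { rec = 1; cur = "rec" }
        sect == "t" && /Keyslot:/ && cur == "tpm"    { tpmslots++ }
        END {
            fallback = (slots - tpmslots > 0) || rec
            if (tpm && fallback) exit 0; else exit 1
        }'
}

# Constructed, abbreviated luksDump excerpts for a stand-alone demo.
SAFE_DUMP='Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-tpm2
        tpm2-pcrs:  7
        Keyslot:    1
Digests:'
UNSAFE_DUMP='Keyslots:
  0: luks2
Tokens:
  0: systemd-tpm2
        Keyslot:    0
Digests:'

if printf '%s\n' "$SAFE_DUMP" | audit_luks_fallback; then
    echo "safe: passphrase or recovery fallback present"
fi
if ! printf '%s\n' "$UNSAFE_DUMP" | audit_luks_fallback; then
    echo "unsafe: TPM is the only keyslot; enroll a recovery key"
fi
```

Run the audit against a real volume with `cryptsetup luksDump /dev/<luks-partition> | audit_luks_fallback` after enrolling.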