I set this up on our Linux servers using LUKS and Clevis. When you first set up LUKS encryption, you set a password which will persist after you set up TPM auto-unlock in case the TPM cannot be contacted. Admittedly I don’t think there is a way to easily add encryption in place onto an existing installation like Bitlocker does.
For anyone who’s interested (not Ubuntu but it’s a thorough guide):
There are multiple key slots. One can be a piece of randomness stored in TPM, another can be a passphrase you enter over a keyboard, a third can be yet another passphrase or a key stored in a file on a USB flash stick.
You can add/revoke keys on the fly pretty much.
Annoyingly, nmap and/or netcat aren’t package dependencies of clevis-dracut despite it requiring the netcat command. That threw me for a loop the first time I set it up.
Big dumb. Which distro?
Alma Linux 8 but I would presume it’s the same with the other RHEL8 clones.
Why’d you go the TPM route? TPM makes sense for windows boxes and other MSFT stuff, but doesn’t Linux have better supported solutions?
You mean like a Tang server or something? This is on a Hyper-V cluster and I primarily run Windows boxes, we only have like five Linux servers currently and only four of those I’m responsible for compared to the 30 Windows servers I maintain and then there are another 20 Windows servers that are vendor maintained. The numbers are mainly for reference as to why I chose TPM. We have a lot of big projects going on right now so I don’t have a lot of time to invest in figuring some of that stuff out.
Ah. Yeah that makes sense.
A working, known, consistent solution > new hotness
If you have a compatible TPM 2.0 chip, I believe you can use systemd-cryptenroll to do exactly as you’re describing. systemd-cryptenroll --tpm2-device=auto will enroll and store a key in TPM for automatically unlocking a LUKS volume. In addition you can still use your existing passphrase or create a recovery key which functions similarly to Bitlocker’s recovery key. Unfortunately I don’t have a compatible TPM chip to test this first, but I can confirm Ubuntu does have the systemd-cryptenroll package installed by default. Be sure to read thoroughly on the topic before inserting random commands into your terminal.
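As an added example (not code from any commenter in this thread), the enrollment the comment above describes, paired with the check the first commenter relies on: that a LUKS2 header still has a keyslot not bound to a TPM token, so a passphrase or recovery key can unlock the volume when the TPM cannot be contacted. The device path and the luksDump excerpt are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Two parts: the systemd-cryptenroll
# commands from the comment above (only meaningful on a real host), and a
# parser for `cryptsetup luksDump` output that lists keyslots which are NOT
# bound to a systemd-tpm2 or clevis token, i.e. slots usable without the TPM.
set -eu

# Enrollment on a real host (root, LUKS2 device, TPM 2.0). The device path is
# an assumption; the recovery key printed by the second command goes offline.
enroll_tpm2_with_fallback() {
  dev="$1"
  systemd-cryptenroll --tpm2-device=auto "$dev"
  systemd-cryptenroll --recovery-key "$dev"
}

# Read luksDump text on stdin; print keyslot numbers with no TPM/clevis token.
fallback_keyslots() {
  awk '
    /^Keyslots:/ { sec = "k"; next }
    /^Tokens:/   { sec = "t"; next }
    /^Digests:/  { sec = "d"; next }
    sec == "k" && $1 ~ /^[0-9]+:$/ { s = $1; sub(":", "", s); slots[s] = 1 }
    sec == "t" && $1 ~ /^[0-9]+:$/ { type = $2 }          # "0: systemd-tpm2"
    sec == "t" && $1 == "Keyslot:" {                      # token -> keyslot
      if (type == "systemd-tpm2" || type == "clevis") bound[$2] = 1
    }
    END { for (s in slots) if (!(s in bound)) print s }
  ' | sort -n
}

# Exit status 0 when at least one fallback (non-TPM) keyslot exists.
has_fallback_keyslot() { [ -n "$(fallback_keyslots)" ]; }

# Constructed luksDump excerpt (not from a real device): slot 0 holds a
# passphrase, slot 1 holds the key sealed to the TPM via token 0.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
    Key:        512 bits
Tokens:
  0: systemd-tpm2
    tpm2-pcrs:  7
    Keyslot:    1
Digests:
  0: pbkdf2'

printf '%s\n' "$SAMPLE_DUMP" | has_fallback_keyslot \
  && echo "fallback keyslot(s): $(printf '%s\n' "$SAMPLE_DUMP" | fallback_keyslots)" \
  || echo "WARNING: every keyslot is TPM-bound; add a passphrase or recovery key"
```

On a real host, feed it `cryptsetup luksDump /dev/sdX | fallback_keyslots` after enrolling; an empty result means the TPM is the only way in.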