diff --git a/modules/ROOT/pages/tips-and-tricks.adoc b/modules/ROOT/pages/tips-and-tricks.adoc index 0d71866..f8705a9 100644 --- a/modules/ROOT/pages/tips-and-tricks.adoc +++ b/modules/ROOT/pages/tips-and-tricks.adoc 
@@ -160,3 +160,20 @@ or setup shell `alias`es as needed to make them available to the CLI like so: $ alias evince="flatpak run org.gnome.Evince" # or alias evince="org.gnome.Evince" $ evince + +== Enabling TPM2 for LUKS + +It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading security for convenience. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. + +To set up TPM2 unlocking, first, find the LUKS device you want to enroll. This is probably in `/etc/crypttab`. You can also use `sudo cryptsetup status /dev/mapper/luks*` to identify the device. + +Next, enable the required initramfs and kernel features. Note that the initramfs command below will overwrite any other initramfs changes you have made: + + $ sudo rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto + $ sudo rpm-ostree initramfs --enable --arg=-a --arg=systemd-pcrphase + +Then, using the device you identified with 'crpysetup status' previously, enroll the device: + + $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/boot-device + +Reboot; you should not be prompted to enter your LUKS passphrase on boot.
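Review bot: the phrase "the TPM will refuse to sign your session" in the new "Enabling TPM2 for LUKS" section misdescribes what happens; the TPM does not sign anything here, it declines to unseal the enrolled key because the PCR 0 and 7 values measured at boot no longer match the policy recorded by `systemd-cryptenroll --tpm2-pcrs=0+7`, so suggest wording along the lines of "the TPM will refuse to release the key and you will fall back to entering a LUKS passphrase". Two smaller points in the same hunk: "'crpysetup status'" is a typo for `cryptsetup status`, and the `/dev/boot-device` placeholder in the enroll command should be called out as the underlying encrypted block device from `/etc/crypttab` (the one reported by `cryptsetup status`), not the `/dev/mapper/luks-...` node, since a reader following the text literally could pass the wrong path. It would also help to state explicitly that enrolling requires entering the existing LUKS passphrase, which ties back to the note that a passphrase must be kept as the fallback.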