Clevis
Created: July 20, 2020
Installation:
dnf install clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd
Unlock a LUKS Encrypted Root Volume Automatically
- Identify the volume to unlock with the `lsblk` command.
- The target volume will be the parent of the `crypt` volume.
- Bind a LUKS key slot to the TPM with Clevis:
  # clevis luks bind -d /dev/TARGET tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'
- Re-build the initramfs:
  # dracut -f
PCR ID Descriptions
| PCR ID | Description |
|---|---|
| 0 | Firmware |
| 1 | Firmware configuration |
| 2 | Option ROMs |
| 3 | Option ROMs configuration |
| 4 | MBR |
| 5 | MBR Configuration |
| 6 | State transition |
| 7 | Platform-specific |
| 8 - 15 | Operating System reserved |
| 16 | Debug |
| 23 | Applications |
Upgrading with an Automatically Unlocked Encrypted Root Volume
- When an upgrade is performed and a PCR changes, the LUKS key must be removed and re-added.
- Find the key slot being used for the TPM via:
  # cryptsetup luksDump /dev/TARGET
- Remove the key slot:
  # clevis luks unbind -d /dev/TARGET -s KEYSLOT_NUMBER
- Re-add the key slot as per above.
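Putting the two procedures together, as an added example that is not from the original notes: a script that picks the Clevis-bound key slots out of `cryptsetup luksDump` output and prints the unbind, rebind and dracut commands for the upgrade case (dry run). It assumes a LUKS2 header, where each binding shows up as a token of type `clevis` naming its key slot, and that the tpm2 binding is the only Clevis binding on the device; the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Dry run: commands are
# printed, never executed. Assumes LUKS2 (Clevis bindings appear as tokens
# of type "clevis") and that every clevis token is the tpm2 binding.
set -eu

PCR_IDS='0,1,2,3,4,5,6,7'   # PCR list used in the notes above

# Print the key-slot number of every clevis token in luksDump output
# read from stdin, one per line.
clevis_keyslots() {
    awk '
        /^[A-Za-z]/ { section = $1; in_clevis = 0 }      # heading, e.g. "Tokens:"
        section == "Tokens:" && /^[[:space:]]+[0-9]+: clevis[[:space:]]*$/ { in_clevis = 1; next }
        section == "Tokens:" && /^[[:space:]]+[0-9]+: / { in_clevis = 0 }
        in_clevis && /^[[:space:]]+Keyslot:/ { print $2 }
    '
}

# Emit the upgrade commands for one device, reading its luksDump from stdin.
rebind_commands() {
    dev=$1
    clevis_keyslots | while read -r slot; do
        echo "clevis luks unbind -d $dev -s $slot"
    done
    echo "clevis luks bind -d $dev tpm2 '{\"pcr_ids\":\"$PCR_IDS\"}'"
    echo "dracut -f"
}

# Constructed sample luksDump, abridged to the sections that matter.
# On a real host: cryptsetup luksDump /dev/TARGET | rebind_commands /dev/TARGET
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256'

printf '%s\n' "$SAMPLE_DUMP" | rebind_commands /dev/TARGET
```

Review the printed commands before running them; the unbind only makes sense once the new PCR values are the ones the system should boot with.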