https://blog.dowhile0.org/2017/10/18/automatic-luks-volumes-unlocking-using-...
The use of clevis to bind a LUKS volume to a TPM2 device isn't very well documented, but a few articles and blogs provide working examples for a single LUKS volume:
"clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'"
Does anyone know if it's possible to bind two volumes and unlock them both at boot, using the TPM2 device?
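As an added example, not posted by anyone on this thread: a POSIX shell script that applies the single-volume clevis command above to every LUKS volume named on its command line and then confirms each binding with `clevis luks list`. It assumes (not from the thread) a clevis release that has `clevis luks list`, cryptsetup, and root; it only performs and checks the bindings, and does not address whether the initramfs unlocks all of them at boot, which is the question asked.

```shell
#!/bin/sh
# Added example (assumptions: clevis with `clevis luks list`, cryptsetup, root).
# Binds each LUKS volume given as an argument to the TPM2 with the same PCR
# policy as the single-volume command from the post, then verifies the slot.
set -eu

PCR_IDS="${PCR_IDS:-7}"      # PCR 7 reflects Secure Boot state, as in the post

# Accept only a comma-separated list of PCR indices (0-23) before it is placed
# into the JSON pin config, so a typo cannot produce a nonsense policy.
valid_pcrs() {
    printf '%s' "$1" | grep -Eq '^([0-9]|1[0-9]|2[0-3])(,([0-9]|1[0-9]|2[0-3]))*$'
}

# The tpm2 pin configuration, identical in shape to the one in the post.
tpm2_cfg() {
    printf '{"pcr_ids":"%s"}' "$PCR_IDS"
}

# Bind every device on the command line; each volume gets its own TPM2-sealed
# key slot, independent of the others, and is listed afterwards as a check.
bind_all() {
    valid_pcrs "$PCR_IDS" || { echo "bad PCR_IDS: $PCR_IDS" >&2; return 1; }
    for dev in "$@"; do
        if ! cryptsetup isLuks "$dev"; then
            echo "skipping $dev: not a LUKS volume" >&2
            continue
        fi
        echo "binding $dev with $(tpm2_cfg)"
        clevis luks bind -d "$dev" tpm2 "$(tpm2_cfg)"   # prompts for the LUKS passphrase
        clevis luks list -d "$dev"                       # expect a tpm2 entry here
    done
}

# Usage:  PCR_IDS=7 ./bind-tpm2.sh /dev/sda3 /dev/sdb2
if [ "$#" -gt 0 ]; then
    bind_all "$@"
fi
```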
On Tue, Dec 22, 2020, 12:59 AM Gordon Messmer gordon.messmer@gmail.com wrote:
> https://blog.dowhile0.org/2017/10/18/automatic-luks-volumes-unlocking-using-...
> The use of clevis to bind a LUKS volume to a TPM2 device isn't very well documented, but a few articles and blogs provide working examples for a single LUKS volume:
> "clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'"
> Does anyone know if it's possible to bind two volumes and unlock them both at boot, using the TPM2 device?
Lennart was working on this a while ago in systemd. I'm not sure how far along it is. Could git clone it and then:
git log --grep=TPM2
I'm not sure how to do case insensitive with git's grep. I know he was also working on security key support for sd-homed and possibly sd-cryptsetup.
Anyway, this is something Workstation WG has been looking at in particular for encrypting system root. That way a user-entered passphrase isn't needed to boot. And the user login passphrase unlocks just that user's home.
-- Chris Murphy
Chris Murphy wrote:
> Lennart was working on this a while ago in systemd. I'm not sure how far along it is. Could git clone it and then:
> git log --grep=TPM2
> I'm not sure how to do case insensitive with git's grep.
The -i option does the trick (or --regexp-ignore-case for those who like the long-form), e.g.:
git log -i --grep TPM2
That finds 11 matches on the current master branch of systemd versus 6 when searching for TPM2 without -i.