4

I am currently aware of two recent methods to bind a LUKS encrypted root partition to a TPM2: systemd-cryptenroll and clevis. Both of them seem to release the encryption key after successfully checking the PCRs the key was sealed against.

But I don't like the idea of the volume being decrypted without user interaction. I'd rather have a solution like it is offered by BitLocker for Windows: Either TPM and an additional PIN or a recovery key.

Even though I searched the web quite exhaustively I was not able to find any hints in this direction. Is anybody aware of a solution?

EDIT: There is a --recovery-key option for systemd-cryptenroll. I'm only concerned with the question of how to get an additional PIN requirement when using the TPM.

Simon

2 Answers

5

2022-05-21 - systemd v251

Support for TPM2 + PIN has been merged in systemd-cryptenroll and is available as part of release v251.

Changes in disk encryption:

  • systemd-cryptenroll can now control whether to require the user to enter a PIN when using TPM-based unlocking of a volume via the new --tpm2-with-pin= option.

    Option tpm2-pin= can be used in /etc/crypttab.

Source
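An added example, not part of the answer above: a small audit that parses an /etc/crypttab and flags volumes bound to a TPM2 (tpm2-device=) whose options do not also set tpm2-pin=yes, i.e. volumes that would be unlocked without the PIN prompt this answer describes. The crypttab content is constructed for the example; tpm2-device= and tpm2-pin= are the option names from systemd's crypttab(5).

```python
# Constructed sample /etc/crypttab (not from the original post).
# Format: <name> <device> <key-file> <options>
SAMPLE_CRYPTTAB = """\
# <name>  <device>                                   <key>  <options>
root   UUID=11111111-2222-3333-4444-555555555555  none  tpm2-device=auto,tpm2-pin=yes,luks
data   UUID=66666666-7777-8888-9999-000000000000  none  tpm2-device=auto,luks
home   /dev/sda5                                  none  luks,discard
"""

# Values crypttab(5) accepts as boolean "true" for options such as tpm2-pin=.
TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_crypttab(text):
    """Yield (name, device, options) for every non-comment crypttab entry.

    `options` is a dict mapping option name to its value ('' for flag options
    such as 'luks' or 'discard' that take no value).
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:  # malformed entry; nothing to audit
            continue
        name, device = fields[0], fields[1]
        options = {}
        if len(fields) >= 4:
            for opt in fields[3].split(","):
                key, _, value = opt.partition("=")
                options[key] = value
        yield name, device, options


def tpm_volumes_without_pin(text):
    """Return the names of TPM2-bound volumes that do not require a PIN.

    A volume counts as TPM2-bound when tpm2-device= is present; it is only
    considered PIN-protected when tpm2-pin= is set to a true value (the
    option defaults to false when absent).
    """
    findings = []
    for name, _device, options in parse_crypttab(text):
        if "tpm2-device" not in options:
            continue  # passphrase / key-file volume, not TPM-bound
        if options.get("tpm2-pin", "").lower() not in TRUE_VALUES:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in tpm_volumes_without_pin(SAMPLE_CRYPTTAB):
        print(f"{name}: TPM2-bound volume unlocks without a PIN")
```

Note that the crypttab option only controls whether systemd-cryptsetup prompts for a PIN; the requirement itself is set in the TPM policy at enrollment time with --tpm2-with-pin=yes, so both sides should be checked.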

2

There is currently no support for two-factor authentication when opening a LUKS device. However, there will probably be at some point in the future.

LUKS itself doesn’t have any notion of needing two “passwords” (passphrases, key files, TPM keys...) to access a given device; it only knows about key slots, and one of those is sufficient to unlock a device. Tools which add support for other authentication mechanisms than those supported by LUKS piggy-back on top of this, and since they provide the extra authentication, the best place to require a PIN of some sort would probably be there. The developers of both Clevis and systemd are aware that there is interest:

Stephen Kitt