
I cannot figure out how to get clevis to auto-decrypt my root partition on boot.

What I want

I want to use the TPM2 chip on my Kali PC to have an encrypted disk that self-decrypts on boot. The main purpose is to prevent data leaks in case of a stolen drive/computer.

What I did

I first encrypted my / partition (/dev/sda2) as LUKS1 from a bootable drive using cryptsetup-reencrypt. I edited the grub config, fstab and crypttab, and ran update-grub and update-initramfs.

This allowed me to boot from the encrypted root partition, and it asks me for the LUKS password twice.

I then installed clevis and bound LUKS to the TPM using: sudo clevis luks bind -d /dev/sda2 tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'

I can see that it used a new keyslot in the LUKS header. I activated the service clevis-luks-askpass.path, and updated grub and initramfs again.

But on reboot, I'm still prompted for a password. I tried waiting a few minutes but nothing happens.

Am I missing something?

What I Have

Partitions: I have everything in the same partition (including /boot). The only other partition is the EFI one.

Filesystem

$ lsblk -fs     
                    
NAME    FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda1    vfat        FAT32       08C3-0099                             510,8M     0% /boot/efi
└─sda                                                                               
root    ext4        1.0         55d30c15-a2a5-4721-b679-0e8746c54768  183,6G    16% /
└─sda2  crypto_LUKS 1           49e3950a-b1a9-449e-aeec-757bba148a84                
  └─sda                                                                             

Grub

$ cat /etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="luks cryptodisk"

Fstab

$ cat /etc/fstab

# /boot/efi was on /dev/sda1 during installation
UUID=08C3-0099  /boot/efi       vfat    umask=0077      0       1
# swap was on /dev/sda3 during installation
/swapfile       none            swap    sw              0       0

# new root
UUID=49e3950a-b1a9-449e-aeec-757bba148a84 / ext4 errors=remount-ro 0 1

Crypttab

$ cat /etc/crypttab
# <target name> <source device>         <key file>      <options>
root UUID=49e3950a-b1a9-449e-aeec-757bba148a84 none luks

Clevis packages

$ apt list --installed | grep clevis

clevis-initramfs/kali-rolling,now 18-2+b1 amd64  [installed]
clevis-luks/kali-rolling,now 18-2+b1 amd64  [installed]
clevis-systemd/kali-rolling,now 18-2+b1 amd64  [installed]
clevis-tpm2/kali-rolling,now 18-2+b1 amd64  [installed]
clevis/kali-rolling,now 18-2+b1 amd64  [installed]

clevis-luks-askpass.path

$ sudo systemctl status clevis-luks-askpass.path

● clevis-luks-askpass.path - Forward Password Requests to Clevis Directory Watch
     Loaded: loaded (/lib/systemd/system/clevis-luks-askpass.path; enabled; vendor preset: enabled)
     Active: active (waiting) since Wed 2022-07-06 14:10:04 CEST; 1h 16min ago
      Until: Wed 2022-07-06 14:10:04 CEST; 1h 16min ago
   Triggers: ● clevis-luks-askpass.service
       Docs: man:clevis-luks-unlockers(7)

Notice: journal has been rotated since unit was started, output may be incomplete.

lsb_release

$ lsb_release -a

No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:    2022.2
Codename:   kali-rolling
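An added diagnostic script (not from the question, and not part of clevis itself) that walks the chain the boot-time unlock depends on: whether the tpm2 unlock tooling actually ended up inside the initramfs, what the crypttab entry for root carries, and what clevis recorded in the LUKS header. Assumptions: Debian/Kali initramfs-tools layout with the image at /boot/initrd.img-$(uname -r), the device /dev/sda2 from the question, and the binary list being what clevis-decrypt-tpm2 calls at unlock time (verify against your clevis version); run the live part as root.

```shell
#!/bin/sh
# Added diagnostic for the boot-time clevis/TPM2 unlock chain (not from the
# question). Assumed: Debian/Kali initramfs-tools layout, image under /boot;
# the binary list is what clevis-decrypt-tpm2 invokes (check your version).

# Binaries that must be inside the initramfs for the tpm2 pin to unseal the key.
# If they are absent, the initramfs silently falls back to the plain cryptsetup
# passphrase prompt, which matches the symptom described in the post.
REQUIRED='clevis-decrypt clevis-decrypt-tpm2 tpm2_createprimary tpm2_load tpm2_unseal'

# $1 = output of `lsinitramfs IMAGE`. Prints the missing names (space-separated)
# and returns 1 if any are missing, 0 if the initramfs is complete.
initramfs_missing() {
    listing=$1
    missing=''
    for bin in $REQUIRED; do
        printf '%s\n' "$listing" | grep -q "/$bin\$" || missing="$missing $bin"
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# $1 = contents of /etc/crypttab, $2 = target name. Prints the options field of
# that entry so a keyscript or other option that bypasses clevis is visible.
crypttab_options() {
    printf '%s\n' "$1" | awk -v t="$2" '$1 !~ /^#/ && $1 == t { print $4 }'
}

# Live checks run only when asked, so the functions above can be sourced/tested.
if [ "${1:-}" = --live ]; then
    img="/boot/initrd.img-$(uname -r)"
    if miss=$(initramfs_missing "$(lsinitramfs "$img")"); then
        echo "ok: clevis tpm2 unlock tooling is present in $img"
    else
        echo "missing from $img: $miss  (rebuild with: update-initramfs -u)"
    fi
    echo "crypttab options for root: $(crypttab_options "$(cat /etc/crypttab)" root)"
    # Shows the pin and its pcr config as recorded in the LUKS header
    # (the device is the one from the question).
    clevis luks list -d /dev/sda2
fi
```

Invoke as `sh check-clevis.sh --live`; the constructed sample inputs in the tests stand in for real lsinitramfs and crypttab output.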
  • Is this one of those famous Kali user questions on StackOverflow? `clevis-luks-askpass.path` is most probably not included in initramfs as most probably there is no systemd in a Debian Initramfs yet. Also your TPM chip is inside the PC and will be stolen with it. Stealing only the drive is a much harder task. – thomas Nov 16 '22 at 00:24

0 Answers