Hi, I am currently looking for a way to directly create and encrypt a LUKS partition using a hardware token (TPM2, in this case) without requiring an intermediary password/keyfile.
IIUC, cryptsetup doesn't communicate with any hardware tokens, or create keys in them, while systemd-cryptenroll doesn't create or (re)encrypt LUKS partitions. So there is a feature gap here. The only workaround I currently found is manually creating a password, storing it in the TPM2 using tpm2-tools, using it with cryptsetup to create and (re)encrypt the LUKS partition, and then afterwards using systemd-cryptenroll to insert the correct TPM2 token and delete the temporary password. (See [1])

The main goal here is writing an initial provisioning script that runs inside an initramfs environment and makes sure that all partitions are encrypted using the TPM2, by either creating a new empty LUKS partition or by reencrypting a plain text partition. The initial encryption password needs to be random and stored persistently and securely, to allow continuing the encryption process in power cut scenarios, and that is where the tpm2-tools scripting comes in. If we could avoid having to deal with initial encryption password vs. final hardware token in the future, that would be great.

Is this a known issue? Are there any plans for this? I searched the systemd issue tracker on GitHub, but couldn't find anything like this.

Thanks and kind regards,
Claudius

1: https://lore.kernel.org/cip-dev/ad98c6ad-d8e4-4e04-8e15-8281b087c...@siemens.com/T/#m320ffc3f162bae421ed5f83f13ce45bb4406a9b8

--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: c...@denx.de
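One shape the workaround described in the post could take, as an added example (not code from the post or from the referenced thread): a random temporary key is parked in a TPM2 NV index with tpm2-tools so an interrupted run can pick it up again, cryptsetup formats or encrypts the partition with it, and systemd-cryptenroll then enrolls the TPM2 slot and wipes the temporary keyslot. The NV index 0x1500016, the PCR selection, the tool versions and the empty TPM owner authorization are assumptions; the temporary key is only as protected as whatever authorization guards that NV index.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes tpm2-tools 5.x,
# cryptsetup >= 2.4 (LUKS2 online reencryption), systemd >= 252
# (--unlock-key-file), a free NV index and an empty TPM owner auth.
set -eu

NV_INDEX=0x1500016      # hypothetical NV index holding the temporary key
KEY_LEN=64              # bytes of random key material

# Write KEY_LEN random bytes to $1 and confirm the size (runs offline).
gen_tmp_key() {
    head -c "$KEY_LEN" /dev/urandom > "$1"
    [ "$(( $(wc -c < "$1") ))" -eq "$KEY_LEN" ]
}

# Read the temporary key back from TPM2 NV, or create and store it on the
# first run. The NV copy is what lets a run resume after a power cut.
load_or_create_tmp_key() {
    key=$1
    if tpm2_nvreadpublic "$NV_INDEX" >/dev/null 2>&1; then
        tpm2_nvread -C o -s "$KEY_LEN" -o "$key" "$NV_INDEX"
    else
        gen_tmp_key "$key"
        tpm2_nvdefine -C o -s "$KEY_LEN" -a "ownerread|ownerwrite" "$NV_INDEX"
        tpm2_nvwrite -C o -i "$key" "$NV_INDEX"
    fi
}

# Put the device under LUKS2 with the temporary key: "format" for an empty
# partition, "encrypt" for a plaintext one whose filesystem was already
# shrunk by 32M to make room for the header.
luks_with_tmp_key() {
    dev=$1; mode=$2; key=$3
    case $mode in
      format)  cryptsetup luksFormat --type luks2 --batch-mode --key-file "$key" "$dev" ;;
      encrypt) cryptsetup reencrypt --encrypt --reduce-device-size 32M \
                   --key-file "$key" "$dev" ;;
    esac
}

# Enroll a TPM2 slot bound to PCR 7 (Secure Boot state), drop keyslot 0, which
# holds the temporary key, then remove the NV copy and the local file.
enroll_tpm2_and_cleanup() {
    dev=$1; key=$2
    systemd-cryptenroll --unlock-key-file="$key" --tpm2-device=auto \
        --tpm2-pcrs=7 --wipe-slot=0 "$dev"
    tpm2_nvundefine -C o "$NV_INDEX"
    shred -u "$key"
}

provision() {   # usage: PROVISION_RUN=1 ./provision.sh /dev/sdX1 format|encrypt
    key=$(mktemp)
    load_or_create_tmp_key "$key"
    luks_with_tmp_key "$1" "$2" "$key"
    enroll_tpm2_and_cleanup "$1" "$key"
}

if [ "${PROVISION_RUN:-0}" = 1 ]; then provision "$@"; fi
```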