Hi Lennart,

On Tue Jun 17, 2025 at 10:24 AM CEST, Lennart Poettering wrote:
> On Tue, 17.06.25 09:15, Claudius Heine (c...@denx.de) wrote:
>
>> Hi,
>>
>> I am currently looking for a way to directly create and encrypt a LUKS
>> partition using a hardware token (TPM2, in this case) without requiring
>> an intermediary password/keyfile.
>>
>> IIUC, cryptsetup doesn't communicate with any hardware tokens, or
>> create keys in them, while systemd-cryptenroll doesn't create or
>> (re)encrypt LUKS partitions.
>>
>> So there is a feature gap here.
>>
>> The currently only workaround I found is manually creating a password,
>> storing it in the TPM2 using tpm2-tools, using it with cryptsetup to
>> create and (re)encrypt the LUKS partition, and then afterwards using
>> systemd-cryptenroll to insert the correct TPM2 token and delete the
>> temporary password. (See [1])
>>
>> The main goal here is writing an initial provisioning script that runs
>> inside an initramfs environment and makes sure that all partitions are
>> encrypted using the TPM2, by either creating a new empty LUKS partition
>> or by reencrypting a plain text partition. The initial encryption
>> password needs to be random and stored persistently and securely, to
>> allow continuing the encryption process in power cut scenarios, and that
>> is where the tpm2-tools scripting comes in. If we could avoid having to
>> deal with initial encryption password vs. final hardware token in the
>> future, that would be great.
>>
>> Is this a known issue? Are there any plans for this? I searched the
>> systemd issue tracker on GitHub, but couldn't find anything like this.
>
> systemd-repart seems to be what you are looking for. It can
> create partitions at boot, set up LUKS for them, lock them to TPM
> and put a file system inside. It's really the tool of choice if you
> want to augment disk images at first boot with local keys that never
> leave the host.
>
> If you let systemd-repart do its thing you never have to enroll any
> intermediary key or deal with volume keys or so; repart deals with
> that and locks immediately and only to TPM.

Thanks for the hint. I used systemd-repart before, but didn't connect it with the cryptsetup requirements.

Hmm... There is an RFC for letting systemd-repart support reencryption of existing LUKS partitions [1]. So I guess that isn't quite there yet, right?

regards,
Claudius

1: https://github.com/systemd/systemd/pull/29731

--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: c...@denx.de
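To make Lennart's suggestion concrete, here is an added example (not code from either poster or from the systemd project) of a repart.d definition that has systemd-repart create a LUKS-encrypted partition bound directly to the TPM2, so no intermediary passphrase ever exists. The definition directory, partition label and disk path are illustrative assumptions; the script defaults to `--dry-run=yes` so it only reports the planned changes.

```shell
#!/bin/sh
# Added example (not from the thread): a repart.d definition that lets
# systemd-repart create a LUKS2 partition whose volume key is locked to
# the TPM2 only. Paths, label and disk are assumptions for illustration.
set -eu

# Write the definition into a directory of our choosing; systemd-repart
# reads it via --definitions=. Prints the path of the written file.
write_repart_definition() {
    defdir="$1"
    mkdir -p "$defdir"
    cat > "$defdir/50-data.conf" <<'EOF'
[Partition]
Type=linux-generic
Label=data
Format=ext4
# Bind the volume key to the TPM2 only: repart generates the key itself,
# enrolls it against the TPM2 and never exposes it as a passphrase.
Encrypt=tpm2
# Let this partition grow into whatever space remains on the disk.
Weight=1000
EOF
    echo "$defdir/50-data.conf"
}

# Assemble the invocation. --dry-run=yes (the default here) only shows
# the planned changes; pass "no" as the third argument to apply them.
repart_command() {
    defdir="$1"; disk="$2"; dry="${3:-yes}"
    printf 'systemd-repart --definitions=%s --tpm2-device=auto --tpm2-pcrs=7 --dry-run=%s %s\n' \
        "$defdir" "$dry" "$disk"
}

# Usage: ./repart-tpm2.sh run [DISK] [DRYRUN]   (e.g. run /dev/sda no)
case "${1:-}" in
    run)
        conf=$(write_repart_definition /run/repart.d)
        echo "wrote $conf"
        sh -c "$(repart_command /run/repart.d "${2:-/dev/sda}" "${3:-yes}")"
        ;;
esac
```

The resulting partition is unlockable at boot by systemd-cryptsetup with `tpm2-device=auto`, exactly as one enrolled via systemd-cryptenroll would be, but without the temporary-password step the original question describes.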