[systemd-devel] dm-integrity volume with TPM key?
Lennart Poettering
lennart at poettering.net
Mon Oct 4 12:49:03 UTC 2021
On Do, 30.09.21 21:20, Sebastian Wiesner (sebastian at swsnr.de) wrote:
> Hello,
>
> thanks for quick reply, I guess this explains the lack of
> instructions
btw, coincidentally this was posted on github on the day you posted
this:
https://github.com/systemd/systemd/pull/20902
so hopefully we'll have the missing tools in place soon too.
> As a workaround you'd use a regular file key for dm-integrity and put
> that on a TPM-protected partition, if I understand you correctly?
yes.
> I.e. you'd
>
> 1. enable secureboot (custom keys or shim),
> 2. bundle kernel & initrd into signed UEFI image for systemd-boot,
> 3. make / a LUKS-encrypted partition with systemd-cryptenroll, bound to
> the TPM (perhaps PCR 0 and 7) and unlocked automatically at boot,
only pcr 7, for the reasons explained in the blog story.
> 4. make /home a dm-integrity partition, with a regular keyfile from
> e.g. /etc/integrity.key (which is on the encrypted partition), and
actually, after thinking a bit more about this I figure the ultimate
path for this would be /etc/integritysetup-keys.d/home.key – because
we already implemented in systemd-cryptsetup a scheme where we search
for the encryption key for volume xyz in
/etc/cryptsetup-keys.d/xyz.key, and we should probably do it similar
for verity keys, too.
> 5. use homed for LUKS-encrypted home areas on /home?
>
> Does this sound reasonable?
Yes!
Lennart
--
Lennart Poettering, Berlin
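The five-step plan discussed above, as an added shell sketch that is not part of the thread: it creates and sanity-checks the dm-integrity key file at the /etc/integritysetup-keys.d/home.key path Lennart proposes (a suggested location at the time, not one systemd searched yet) and wraps the two privileged commands the plan needs. The hmac-sha256 algorithm, the 32-byte key size and the `--apply` entry point are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes integritysetup (cryptsetup) and
# systemd-cryptenroll are installed; hmac-sha256 and a 32-byte key are assumed.
set -eu

KEY_DIR=/etc/integritysetup-keys.d   # proposed in the thread, mirrors cryptsetup-keys.d
KEY_BYTES=32                         # 256-bit key for hmac-sha256 (assumption)

# Key path for integrity volume NAME, e.g. home -> /etc/integritysetup-keys.d/home.key
integrity_key_path() { printf '%s/%s.key\n' "$KEY_DIR" "$1"; }

# Create the key: root-only directory and 0600 file filled from /dev/urandom.
# The subshell keeps the restrictive umask from leaking into the caller.
make_integrity_key() {   # $1 = key path
    ( umask 077
      mkdir -p "$(dirname "$1")"
      head -c "$KEY_BYTES" /dev/urandom > "$1" )
}

# Check a key file before trusting it: regular file, mode 600 or 400, exact size.
check_integrity_key() {  # $1 = key path; returns 0 when the file passes
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ] || return 1
    [ "$(stat -c %s "$1")" -eq "$KEY_BYTES" ]
}

# Step 3: bind the LUKS root to the TPM2, sealed against PCR 7 only.
enroll_root_tpm2() {     # $1 = LUKS root block device
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$1"
}

# Step 4: format /home's backing device with keyed HMAC integrity and open it.
setup_home_integrity() { # $1 = block device, $2 = key path
    integritysetup format "$1" --integrity hmac-sha256 \
        --integrity-key-file "$2" --integrity-key-size "$KEY_BYTES"
    integritysetup open "$1" home --integrity hmac-sha256 \
        --integrity-key-file "$2" --integrity-key-size "$KEY_BYTES"
}

# Only touches devices when invoked as: ./script --apply /dev/ROOTDEV /dev/HOMEDEV
if [ "${1:-}" = --apply ]; then
    key=$(integrity_key_path home)
    [ -f "$key" ] || make_integrity_key "$key"
    check_integrity_key "$key"      # refuse to continue with a readable or short key
    enroll_root_tpm2 "$2"
    setup_home_integrity "$3" "$key"
fi
```

Without `--apply` the script only defines the functions, so the key-file helpers can be exercised on a scratch directory before pointing them at /etc.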