[systemd-devel] [Question] Create and (re)encrypt LUKS partition directly with hw token
Claudius Heine
ch at denx.de
Tue Jun 17 07:15:30 UTC 2025
Hi,
I am currently looking for a way to directly create and encrypt a LUKS
partition using a hardware token (TPM2, in this case) without requiring
an intermediary password/keyfile.
IIUC, cryptsetup doesn't communicate with any hardware tokens, or
create keys in them, while systemd-cryptenroll doesn't create or
(re)encrypt LUKS partitions.
So there is a feature gap here.
The only workaround I have found so far is manually creating a password,
storing it in the TPM2 using tpm2-tools, using it with cryptsetup to
create and (re)encrypt the LUKS partition, and then afterwards using
systemd-cryptenroll to insert the correct TPM2 token and delete the
temporary password. (See [1])
The main goal here is writing an initial provisioning script that runs
inside an initramfs environment and makes sure that all partitions are
encrypted using the TPM2, by either creating a new empty LUKS partition
or by reencrypting a plain-text partition. The initial encryption
password needs to be random and stored persistently and securely, to
allow continuing the encryption process in power-cut scenarios, and that
is where the tpm2-tools scripting comes in. If we could avoid having to
deal with initial encryption password vs. final hardware token in the
future, that would be great.
Is this a known issue? Are there any plans for this? I searched the
systemd issue tracker on github, but couldn't find anything like this.
Thanks and kind regards,
Claudius
1: https://lore.kernel.org/cip-dev/ad98c6ad-d8e4-4e04-8e15-8281b087c88f@siemens.com/T/#m320ffc3f162bae421ed5f83f13ce45bb4406a9b8
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch at denx.de
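The workaround described in the message (a random key staged in the TPM2 with tpm2-tools, cryptsetup to format or reencrypt the partition, systemd-cryptenroll to swap the temporary slot for a TPM2 token) as an added example script; it is not code from the post or from the referenced thread. The NV index, the key path under /run and the binding to PCR 7 are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Assumes tpm2-tools, cryptsetup and systemd-cryptenroll
# are present in the initramfs; NV index, key path and PCR selection are assumptions.
set -eu
KEYFILE=/run/luks-tmp.key      # temporary random key; /run is RAM-backed
NV_INDEX=0x1500016             # constructed NV index that stages that key across a power cut
# Map the blkid TYPE of a device and whether a staged key exists to an action (pure shell):
#   no signature -> format (new empty LUKS2), crypto_LUKS + staged key -> resume (interrupted
#   run), crypto_LUKS without key -> skip (done), any other filesystem -> encrypt (in place)
decide_action() {
    case "$1:$2" in
        ":"*)            echo format ;;
        crypto_LUKS:yes) echo resume ;;
        crypto_LUKS:*)   echo skip ;;
        *)               echo encrypt ;;
    esac
}
# Prints "yes" and restores the key into KEYFILE if one is still staged in the TPM2.
staged_key() {
    if tpm2_nvread -C o "$NV_INDEX" > "$KEYFILE" 2>/dev/null; then echo yes
    else rm -f "$KEYFILE"; echo no; fi
}
# Generate a fresh key and stage it. Owner auth alone guards the index here; a production
# script would bind the index to a PCR policy instead.
new_key() {
    head -c 64 /dev/urandom > "$KEYFILE"
    tpm2_nvdefine -C o -s 64 -a "ownerread|ownerwrite" "$NV_INDEX"
    tpm2_nvwrite -C o -i "$KEYFILE" "$NV_INDEX"
}
provision() {   # provision /dev/sdXN
    dev=$1; staged=$(staged_key)
    action=$(decide_action "$(blkid -o value -s TYPE "$dev" || true)" "$staged")
    [ "$action" != skip ] || return 0
    [ "$staged" = yes ] || new_key
    case "$action" in
        format)  cryptsetup luksFormat --type luks2 --batch-mode --key-file "$KEYFILE" "$dev" ;;
        encrypt) cryptsetup reencrypt --encrypt --type luks2 --batch-mode \
                     --reduce-device-size 32M --key-file "$KEYFILE" "$dev" ;;  # fs shrunk by 32M first
        resume)  if cryptsetup luksDump "$dev" | grep -q online-reencrypt; then
                     cryptsetup reencrypt --resume-only --batch-mode --key-file "$KEYFILE" "$dev"; fi ;;
    esac
    # Replace the temporary key slot with a TPM2 token bound to PCR 7, then erase the staged key.
    systemd-cryptenroll --unlock-key-file="$KEYFILE" --tpm2-device=auto --tpm2-pcrs=7 "$dev"
    systemd-cryptenroll --unlock-key-file="$KEYFILE" --wipe-slot=password "$dev"
    tpm2_nvundefine -C o "$NV_INDEX"; rm -f "$KEYFILE"
}
if [ "${1:-}" = run ]; then provision "$2"; fi
```

decide_action is kept free of tool calls so the resume logic can be checked without a TPM; the provisioning itself runs only when invoked as `sh script.sh run /dev/sdXN`.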