[systemd-devel] [Question] Create and (re)encrypt LUKS partition directly with hw token
Lennart Poettering
lennart at poettering.net
Tue Jun 17 08:24:59 UTC 2025
On Tue, 17.06.25 09:15, Claudius Heine (ch at denx.de) wrote:
> Hi,
>
> I am currently looking for a way to directly create and encrypt a LUKS
> partition using a hardware token (TPM2, in this case) without requiring
> an intermediary password/keyfile.
>
> IIUC, cryptsetup doesn't communicate with any hardware tokens, or
> create keys in them, while systemd-cryptenroll doesn't create or
> (re)encrypt LUKS partitions.
>
> So there is a feature gap here.
>
> The only workaround I have found so far is manually creating a password,
> storing it in the TPM2 using tpm2-tools, using it with cryptsetup to
> create and (re)encrypt the LUKS partition, and then afterwards using
> systemd-cryptenroll to insert the correct TPM2 token and delete the
> temporary password. (See [1])
>
> The main goal here is writing an initial provisioning script that runs
> inside an initramfs environment and makes sure that all partitions are
> encrypted using the TPM2, by either creating a new empty LUKS partition
> or by reencrypting a plain text partition. The initial encryption
> password needs to be random and stored persistently and securely, to
> allow continuing the encryption process on power cut scenarios and that
> is where the tpm2-tools scripting comes in. If we could avoid having to
> deal with initial encryption password vs. final hardware token in the
> future, that would be great.
>
> Is this a known issue? Are there any plans for this? I searched the
> systemd issue tracker on github, but couldn't find anything like this.
systemd-repart seems to be what you are looking for. It can
create partitions at boot time, set up LUKS for them, lock them to TPM
and put a file system inside. It's really the tool of choice if you
want to augment disk images at first boot with local keys that never
leave the host.

If you let systemd-repart do its thing you never have to enroll any
intermediary key or deal with volume keys or so; repart deals with
that and locks immediately and only to TPM.
Lennart
--
Lennart Poettering, Berlin
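As an added illustration of the approach Lennart describes (this is example configuration written here, not from the original thread or from the systemd project), the following repart.d definition asks systemd-repart to create a partition at first boot, format it, and protect it with LUKS whose only key slot is bound to the TPM2, so no intermediary passphrase or key file is ever enrolled. The file path, partition label, size and file system choice are assumptions for the example; `Type=`, `Label=`, `Format=`, `Encrypt=tpm2`, `SizeMinBytes=` and `Weight=` are documented systemd-repart settings.

```ini
# /etc/repart.d/50-data.conf  (assumed file name; example only)
[Partition]
# Generic Linux data partition type (GPT type UUID resolved by repart).
Type=linux-generic
# Assumed label for the example.
Label=data
# Create a file system inside the (encrypted) partition once it exists.
Format=ext4
# Set up LUKS on the partition and bind the volume key to the TPM2 only.
# No passphrase or key-file slot is created, so there is nothing
# temporary to delete afterwards with systemd-cryptenroll.
Encrypt=tpm2
# Assumed sizing: at least 1 GiB, growing with the default weight to
# absorb free space on the disk.
SizeMinBytes=1G
Weight=1000
```

With this definition in place, running `systemd-repart --dry-run=no --tpm2-device=auto --tpm2-pcrs=7` (for example from a first-boot or initrd unit) creates the partition, generates the volume key locally, seals it against the TPM2 with the chosen PCR policy and formats the file system, all in one step. The provisioning script then only has to ensure it runs before the partition is first used; because the key is generated and sealed on the same host, no key material needs to be persisted across a power cut during provisioning, which is the case the tpm2-tools scripting in the question was working around.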