[systemd-devel] [Question] Create and (re)encrypt LUKS partition directly with hw token

Claudius Heine ch at denx.de
Tue Jun 17 08:33:59 UTC 2025


Hi Lennart,

On Tue Jun 17, 2025 at 10:24 AM CEST, Lennart Poettering wrote:
> On Tue, 17.06.25 09:15, Claudius Heine (ch at denx.de) wrote:
>
>> Hi,
>>
>> I am currently looking for a way to directly create and encrypt a LUKS
>> partition using a hardware token (TPM2, in this case) without requiring
>> an intermediary password/keyfile.
>>
>> IIUC, cryptsetup doesn't communicate with any hardware tokens, or
>> create keys in them, while systemd-cryptenroll doesn't create or
>> (re)encrypt LUKS partitions.
>>
>> So there is a feature gap here.
>>
>> The only workaround I have found so far is manually creating a password,
>> storing it in the TPM2 using tpm2-tools, using it with cryptsetup to
>> create and (re)encrypt the LUKS partition, and then afterwards using
>> systemd-cryptenroll to insert the correct TPM2 token and delete the
>> temporary password. (See [1])
>>
>> The main goal here is writing an initial provisioning script that runs
>> inside an initramfs environment and makes sure that all partitions are
>> encrypted using the TPM2, by either creating a new empty LUKS partition
>> or by reencrypting a plain text partition. The initial encryption
>> password needs to be random and stored persistently and securely, to
>> allow continuing the encryption process in power-cut scenarios, and that
>> is where the tpm2-tools scripting comes in. If we could avoid having to
>> deal with an initial encryption password vs. a final hardware token in the
>> future, that would be great.
>>
>> Is this a known issue? Are there any plans for this? I searched the
>> systemd issue tracker on github, but couldn't find anything like this.
>
> systemd-repart seems to be what you are looking for. It can
> create partitions at boot, set up LUKS for them, lock them to TPM
> and put a file system inside. It's really the tool of choice if you
> want to augment disk images at first boot with local keys that never
> leave the host.
>
> If you let systemd-repart do its thing you never have to enroll any
> intermediary key or deal with volume keys or so; repart deals with
> that and locks immediately and only to TPM.

Thanks for the hint. I used systemd-repart before, but didn't connect it
with the cryptsetup requirements.

Hmm... There is an RFC for letting systemd-repart support reencryption
of existing LUKS partitions [1]. So I guess that isn't quite there yet,
right?

regards,
Claudius

1: https://github.com/systemd/systemd/pull/29731




-- 
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch at denx.de
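
The systemd-repart route Lennart points to in the reply above, as an added example that is not code from this thread or from the systemd project: a repart.d definition with Encrypt=tpm2, the systemd-repart invocation that binds the freshly created LUKS2 volume to the TPM2 (so no intermediary passphrase or key file is ever created, which is the point of the reply), and a post-check of the LUKS2 header for leftover keyslots. The target disk path, PCR 7 as the sealing policy, the partition type "var" and the resulting /dev/disk/by-partlabel/var device are assumptions for illustration and are not stated in the thread. The tpm2-tools + cryptsetup + systemd-cryptenroll workaround from the question is deliberately not reproduced here.

```shell
#!/bin/sh
# Added example for the systemd-devel thread; not code from the thread or
# from the systemd project. Shows first-boot provisioning with systemd-repart
# so a new partition is created, LUKS2-formatted and locked to the TPM2
# directly, without an intermediary passphrase.
# Assumptions (not in the thread): target disk path, PCR 7 policy, partition
# type "var", and /dev/disk/by-partlabel/var as the resulting device.
set -eu

# Write one repart.d definition. Encrypt=tpm2 tells systemd-repart to format
# the new partition as LUKS2 and enroll the TPM2 itself, so no passphrase or
# key file ever exists. Prints the path of the written file.
write_repart_definition() {
    dir=$1; ptype=$2; fs=$3
    mkdir -p "$dir"
    cat > "$dir/10-$ptype.conf" <<EOF
[Partition]
Type=$ptype
Label=$ptype
Format=$fs
Encrypt=tpm2
# Relative share of the free space; 1000 is the default.
Weight=1000
EOF
    echo "$dir/10-$ptype.conf"
}

# Run systemd-repart against a disk: first a dry run (the default) to show
# the planned layout, then for real. --empty=allow permits working on a disk
# that already carries a partition table; --tpm2-device/--tpm2-pcrs select
# the token and the PCR policy used for every Encrypt=tpm2 definition.
provision_disk() {
    disk=$1; defs=$2
    systemd-repart --definitions="$defs" --empty=allow --dry-run=yes "$disk"
    systemd-repart --definitions="$defs" --empty=allow --dry-run=no \
        --tpm2-device=auto --tpm2-pcrs=7 "$disk"
}

# Check the resulting LUKS2 header: at least one systemd-tpm2 token must be
# present, and every keyslot must belong to a TPM2 token (one token per
# slot), i.e. no leftover passphrase or key-file slot.
verify_tpm2_only() {
    dev=$1
    dump=$(cryptsetup luksDump "$dev")
    tokens=$(printf '%s\n' "$dump" | grep -c 'systemd-tpm2' || true)
    slots=$(printf '%s\n' "$dump" | grep -cE '^  [0-9]+: luks2$' || true)
    if [ "$tokens" -lt 1 ]; then
        echo "$dev: no systemd-tpm2 token enrolled" >&2; return 1
    fi
    if [ "$slots" -ne "$tokens" ]; then
        echo "$dev: $slots keyslots but $tokens TPM2 tokens; extra slot present" >&2
        return 1
    fi
    echo "$dev: $slots keyslot(s), all TPM2-bound"
}

# Hardware is only touched when explicitly asked for:
#   sh provision.sh provision /dev/disk/by-id/<target-disk>
if [ "${1:-}" = "provision" ]; then
    defs=$(mktemp -d)
    write_repart_definition "$defs" var ext4 >/dev/null
    provision_disk "${2:?disk path required}" "$defs"
    verify_tpm2_only /dev/disk/by-partlabel/var
fi
```

As the thread notes, this only covers creating new encrypted partitions; reencrypting an existing plaintext partition in place is not something systemd-repart does today, which is what the RFC pull request linked above is about.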