
I'm working on provisioning a server that requires full drive encryption and I want to automate the process of decrypting the drive at startup using the TPM2 module available on the motherboard, but I can't quite get the system to do so. I have a fresh install of CentOS 9 Stream that was created using automated LVM partitioning of the only available drive, and it was encrypted as a LUKSv2.

After the installation of the OS, I made sure that clevis, clevis-luks, and dracut were installed. I also installed clevis-systemd and clevis-udisks2 just in case.

At this stage, running tpm2_pcrread reported the expected registers.

Then I bound the drive to clevis using the following command:

sudo clevis luks bind -d /dev/<drive> tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,7"}'

No issue so far.

I then created a dracut config named tpm2.conf in /etc/dracut.config.d/ with:

add_dracutmodules+=" clevis clevis-pin-tpm2 crypt tpm2-tss "
install_items+=" /usr/bin/clevis "
hostonly="yes"

Then ran:

sudo dracut -f

At this stage, I thought that was all I needed, but it seems like it wasn't enough.

I then tried to boot with the grub options rd.luks.options=<luks-UUID>=tpm2-device=auto but that did nothing.

Any idea of what could be the issue?

Thank you

1 Answer


According to the documentation, no file in /etc/dracut.config.d/ is necessary. Try removing that file you created and regenerating the initramfs with dracut -f --regenerate-all.

If after doing that and rebooting it still does not automatically decrypt the container (sometimes you need to be a bit patient, wait some time before entering the passphrase), then please post the output of both lsblk and of clevis luks list -d /dev/yourblockdevice you bound to the tpm2 chip.

natxo asenjo
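The answer asks for the output of clevis luks list, and the question's procedure relies on the initramfs actually containing the clevis and tpm2 dracut modules. The following script, an added example that is not part of the question or the answer, checks both points: it parses clevis luks list output for a tpm2 binding and its PCR set, and parses the "dracut modules:" section of lsinitrd for the modules the asker listed. The parsing functions are pure and are exercised here on constructed sample text; the live checks run only when a LUKS device path is passed on the command line. The function names, the device argument and the sample output lines are assumptions of this example.

```shell
#!/bin/sh
# Sanity checks for a clevis/TPM2 LUKS auto-unlock setup (example code,
# not from the original post). Usage on a real host: ./check.sh /dev/<luks-device>

# Dracut modules the asker expects in the initramfs.
EXPECTED_MODULES="clevis clevis-pin-tpm2 crypt tpm2-tss"

# Constructed sample of `clevis luks list -d DEV` output (format: "<slot>: <pin> '<json>'").
SAMPLE_LIST="1: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\",\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,7\"}'"

# Constructed sample of the "dracut modules:" section printed by `lsinitrd`.
SAMPLE_MODULES="dracut modules:
clevis
clevis-pin-tpm2
crypt
tpm2-tss
systemd"

# Return 0 if the clevis luks list text contains at least one tpm2 pin binding.
has_tpm2_binding() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+: tpm2 '
}

# Print the pcr_ids string of the first tpm2 binding (empty if none).
tpm2_pcr_ids() {
    printf '%s\n' "$1" | grep -E '^[0-9]+: tpm2 ' | head -n 1 \
        | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p'
}

# Return 0 if every expected dracut module appears as its own line in the text.
# Reports the first missing module on stderr.
initrd_has_modules() {
    text=$1
    for m in $EXPECTED_MODULES; do
        printf '%s\n' "$text" | grep -Fqx "$m" || {
            echo "missing dracut module in initramfs: $m" >&2
            return 1
        }
    done
    return 0
}

# Run the parsers against the constructed samples; returns 0 if all behave as expected.
selftest() {
    has_tpm2_binding "$SAMPLE_LIST" || return 1
    has_tpm2_binding "0: tang '{\"url\":\"http://tang.example\"}'" && return 1
    [ "$(tpm2_pcr_ids "$SAMPLE_LIST")" = "0,1,7" ] || return 1
    initrd_has_modules "$SAMPLE_MODULES" || return 1
    initrd_has_modules "dracut modules:
crypt
systemd" 2>/dev/null && return 1
    return 0
}

# Live checks: query the real clevis binding and the current initramfs.
check_host() {
    dev=$1
    list=$(clevis luks list -d "$dev") || return 1
    has_tpm2_binding "$list" || { echo "no tpm2 pin bound to $dev" >&2; return 1; }
    echo "tpm2 binding on $dev sealed to PCRs: $(tpm2_pcr_ids "$list")"
    mods=$(lsinitrd | sed -n '/^dracut modules:/,/^=/p')
    initrd_has_modules "$mods" && echo "initramfs contains: $EXPECTED_MODULES"
}

if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```

If the live run reports a missing module, that is the initramfs to rebuild (the answer's dracut -f --regenerate-all); if it reports no tpm2 pin, the bind step is what to revisit, and a mismatch between the printed PCR set and the one intended means the sealing policy will not match the boot measurements.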