Most of the time when I used Linux at home, I had my OS disk and partitions encrypted and decrypted them with a password at boot time. This worked fine, but I also wanted to try other methods, such as automatic unlocking with a Yubikey or a TPM.
A quick look at the Arch Wiki on “Trusted Platform Module” didn’t necessarily show me how to automatically decrypt my partitions when all conditions are met, similar to Bitlocker on Windows.
After a few tests on my machine, I was able to summarize all the steps:
Setup
Some of the steps are only required once and work on other distributions as well.
Step 1: Configure GRUB to include the TPM kernel module and PCR measurement
# Replace /dev/tpmrm0 with your TPM device
systemd-cryptenroll --tpm2-device=list
export TPM_DEVICE="/dev/tpmrm0"
grubby --update-kernel=ALL --args="rd.luks.options=tpm2-device=${TPM_DEVICE},tpm2-measure-pcr=yes"
grub2-mkconfig -o /boot/grub2/grub.cfg
dracut --force --regenerate-all
Step 2: Find the LUKS devices you want to add the TPM to
This step needs to be repeated for every LUKS device you want to add the TPM to.
nevo@fedora:~$ systemd-cryptenroll --list-devices | grep "/by-uuid/" | grep -v "/by-path/"
/dev/disk/by-uuid/6a40bc84-cf82-4ab8-bd17-b126a63298af
nevo@fedora:~$ export LUKS_UUID="6a40bc84-cf82-4ab8-bd17-b126a63298af" # <<-- Replace the UUID with yours
In all subsequent commands, replace the UUID from the above excerpt with the UUID of your LUKS device.
Step 3: Add the TPM configuration to your /etc/crypttab
echo "luks-${LUKS_UUID} UUID=${LUKS_UUID} - tpm2-device=${TPM_DEVICE},discard" >> /etc/crypttab
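Steps 1 and 3 both have to name the same TPM device: the initrd only tries the TPM if rd.luks.options carries tpm2-device, and the running system only does so if the crypttab options field does. The following is an added example, not part of the original post or the linked script; it parses constructed samples of the two files (the variables CRYPTTAB_SAMPLE and CMDLINE_SAMPLE are constructed here) and reports whether they agree. On a real machine feed it the contents of /etc/crypttab and /proc/cmdline instead.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the crypttab entry
# against the kernel command line after Steps 1 and 3. Both inputs below are
# constructed samples; replace them with /etc/crypttab and /proc/cmdline.

CRYPTTAB_SAMPLE='# constructed /etc/crypttab
luks-6a40bc84-cf82-4ab8-bd17-b126a63298af UUID=6a40bc84-cf82-4ab8-bd17-b126a63298af - tpm2-device=/dev/tpmrm0,discard
'
CMDLINE_SAMPLE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/fedora-root ro rd.luks.options=tpm2-device=/dev/tpmrm0,tpm2-measure-pcr=yes quiet'

# crypttab_option NAME OPT: prints the value of OPT (e.g. tpm2-device) from the
# options field (4th column) of the crypttab mapping NAME read on stdin.
# Prints nothing if the mapping or the option is absent.
crypttab_option() {
  awk -v name="$1" -v opt="$2" '
    /^[[:space:]]*#/ { next }                      # comment line
    NF == 0 { next }                               # blank line
    $1 == name && NF >= 4 {
      n = split($4, o, ",")
      for (i = 1; i <= n; i++)
        if (index(o[i], opt "=") == 1) { print substr(o[i], length(opt) + 2); exit }
    }'
}

# cmdline_luks_option OPT: prints the value of OPT inside the rd.luks.options=
# argument of the kernel command line read on stdin; nothing if absent.
cmdline_luks_option() {
  awk -v opt="$1" '{
    for (i = 1; i <= NF; i++)
      if (index($i, "rd.luks.options=") == 1) {
        n = split(substr($i, length("rd.luks.options=") + 1), o, ",")
        for (j = 1; j <= n; j++)
          if (index(o[j], opt "=") == 1) { print substr(o[j], length(opt) + 2); exit }
      }
  }'
}

# check_tpm_config NAME CRYPTTAB_TEXT CMDLINE_TEXT: returns 0 when both sources
# name the same TPM device for mapping NAME, otherwise prints the problem and
# returns 1 (the boot would silently fall back to the password prompt).
check_tpm_config() {
  _ct=$(printf '%s\n' "$2" | crypttab_option "$1" tpm2-device)
  _cl=$(printf '%s\n' "$3" | cmdline_luks_option tpm2-device)
  if [ -z "$_ct" ]; then echo "crypttab: no tpm2-device option for $1"; return 1; fi
  if [ -z "$_cl" ]; then echo "cmdline: rd.luks.options lacks tpm2-device"; return 1; fi
  if [ "$_ct" != "$_cl" ]; then echo "mismatch: crypttab=$_ct cmdline=$_cl"; return 1; fi
  echo "ok: $1 unlocks via $_ct"
}

# Stand-alone usage: the consistent sample passes, a cmdline without the
# option (as before Step 1 was applied) is flagged.
check_tpm_config luks-6a40bc84-cf82-4ab8-bd17-b126a63298af "$CRYPTTAB_SAMPLE" "$CMDLINE_SAMPLE"
check_tpm_config luks-6a40bc84-cf82-4ab8-bd17-b126a63298af "$CRYPTTAB_SAMPLE" "root=/dev/mapper/fedora-root ro" \
  || echo "(expected failure for the sample without rd.luks.options)"
```

Run it after regenerating the initrd in Step 1 and after editing crypttab in Step 3; a mismatch between the two is the usual reason the TPM is never consulted while the password prompt still works.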
Step 4: Find the PCRs you want to use
This setting is highly individual, but extremely important: unless configured otherwise (or if the chip is reset), the Trusted Platform Module would release the key and decrypt the partitions unconditionally.
To prevent this, the unsealing can be linked to so-called “PCRs” (Platform Configuration Registers). The TPM would only unseal the key if all PCRs meet the specified conditions. You can display the current value of the PCRs with sudo tpm2_pcrlist. For more information about PCRs and their use, see the Arch Wiki.
Step 5: Add the TPM to the LUKS device
In this example, we bind the TPM only to PCR7+8 (Secure Boot State + Hash of the kernel command line).
The last argument (--tpm2-with-pin=false) lets you optionally require a PIN that is checked in addition to the validation of the PCRs. With a PIN enrolled, the TPM will not release the key, and the partition cannot be decrypted, without it.
Caution! Keep your existing password or your keyfile safe, even if the TPM is set up, just as you should keep the BitLocker recovery key in Microsoft Windows.
systemd-cryptenroll \
"/dev/disk/by-uuid/${LUKS_UUID}" \
--tpm2-device=${TPM_DEVICE} \
--tpm2-pcrs=7+8 \
--tpm2-with-pin=false
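Binding to PCR 7+8 means any change to the Secure Boot state or the kernel command line silently turns the next boot back into a password prompt. The script below is an added example, not part of the original post or the linked script: it takes two PCR readings (the constructed variables PCRS_BEFORE and PCRS_AFTER stand in for the output of tpm2_pcrlist, or tpm2_pcrread on newer tpm2-tools, taken before and after a change) and reports which PCRs of a --tpm2-pcrs selection differ, i.e. whether the enrolled slot would still unseal. It assumes the "bank:" header followed by "N : 0xHEX" lines of tpm2_pcrread; the older "bank :" / "N  : HEX" layout is handled by the same re-splitting.

```shell
#!/bin/sh
# Added example (not from the original post): predict whether a TPM2 slot bound
# to a PCR selection such as "7+8" would still unseal after a change, by
# comparing two PCR readings. Samples are constructed, not real measurements.

# Constructed: the same machine before and after a kernel command line edit
# (only PCR 8 differs; PCR 10 shows the two-digit "10:" spacing).
PCRS_BEFORE='  sha256:
    0 : 0xA1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4
    7 : 0x7777777777777777777777777777777777777777777777777777777777777777
    8 : 0x8888888888888888888888888888888888888888888888888888888888888888
    10: 0x1010101010101010101010101010101010101010101010101010101010101010
'
PCRS_AFTER='  sha256:
    0 : 0xA1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4
    7 : 0x7777777777777777777777777777777777777777777777777777777777777777
    8 : 0x8888888888888888888888888888888888888888888888888888888888888899
    10: 0x1010101010101010101010101010101010101010101010101010101010101010
'

# pcr_value BANK INDEX: reads a PCR table on stdin and prints the value of PCR
# INDEX in BANK (empty if absent). Each value line is re-split around its colon
# so that "7 : 0x..", "10: 0x.." and the older "7  : .." all parse the same.
pcr_value() {
  awk -v bank="$1" -v idx="$2" '
    /^[[:space:]]*[a-z0-9]+[[:space:]]*:[[:space:]]*$/ { cur = $1; sub(/:$/, "", cur); next }
    cur == bank { line = $0; sub(/:/, " : ", line); $0 = line
                  if ($1 == idx) { print $3; exit } }
  '
}

# changed_pcrs BANK SELECTION BEFORE AFTER: prints the PCRs of SELECTION
# ("7+8" syntax as in --tpm2-pcrs) whose value differs between the readings.
# A PCR missing from the earlier reading counts as changed.
changed_pcrs() {
  _bank=$1; _sel=$2; _before=$3; _after=$4; _out=""
  for _i in $(printf '%s' "$_sel" | tr '+' ' '); do
    _b=$(printf '%s\n' "$_before" | pcr_value "$_bank" "$_i")
    _a=$(printf '%s\n' "$_after"  | pcr_value "$_bank" "$_i")
    if [ -z "$_b" ] || [ "$_a" != "$_b" ]; then
      _out="$_out $_i"
    fi
  done
  printf '%s' "${_out# }"
}

# would_unseal SELECTION BEFORE AFTER: "yes" if every selected PCR is unchanged
# (the TPM still releases the key), "no" if the boot falls back to the
# password or keyfile.
would_unseal() {
  if [ -z "$(changed_pcrs sha256 "$1" "$2" "$3")" ]; then echo yes; else echo no; fi
}

# Stand-alone usage: the binding from this post (7+8) versus a looser one.
for sel in 7 7+8 0+7+8; do
  printf 'PCRs %-6s changed: [%s] -> unseal: %s\n' "$sel" \
    "$(changed_pcrs sha256 "$sel" "$PCRS_BEFORE" "$PCRS_AFTER")" \
    "$(would_unseal "$sel" "$PCRS_BEFORE" "$PCRS_AFTER")"
done
```

Keeping a saved reading from a known-good boot and diffing against it this way tells you, before re-enrolling, which register moved; if PCR 7 changed after a firmware update, re-run the systemd-cryptenroll step above once you have verified the Secure Boot state is the one you expect.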
Revert the changes
If you want to remove the TPM for unlocking your LUKS partition, you can simply run:
systemd-cryptenroll "/dev/disk/by-uuid/${LUKS_UUID}" --wipe-slot tpm2
Final thoughts
To make the matter easier, I’ve created a script that automates the steps above: https://github.com/cpuschma/fedora-luks-tpm