-
Notifications
You must be signed in to change notification settings - Fork 1
/
tpm2_encryption
77 lines (52 loc) · 3.6 KB
/
tpm2_encryption
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
## Part 1: Creating the password
pwgen 25 1 -A -s | fold -w5 | echo $(cat) | tr " " - >> rpool.pass
# You can use this passphrase when installing Ubuntu. If you did not do that, you would have to change your zfs passphrase to the one in rpool.pass before continuing
## Part 2, based on https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html
# Part 2.1 Taking ownership (optional)
sudo tpm2_changeauth -c owner ***MY_PASSPHRASE***
sudo tpm2_changeauth -c endorsement ***MY_PASSPHRASE*_ENDORSEMENT**
sudo tpm2_changeauth -c lockout ***MY_PASSPHRASE_LOCKOUT***
# Part 2.2 Encryption
# (1) Get a new set of PCR
sudo tpm2_startauthsession -S session.ctx
sudo tpm2_policypcr -Q -S session.ctx -l sha256:0 -L pcr0.sha256.policy
sudo tpm2_flushcontext session.ctx
# (2) Sign the pcr policy with signer private key
openssl genrsa -out signing_key_private.pem 2048
openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
# (3) Initialize the policy name, which is a digest of the TCG public key format of the public key to include in the policy
sudo tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx -n signing_key.name
# (4) Create a signer policy
sudo tpm2_startauthsession -S session.ctx
sudo tpm2_policyauthorize -S session.ctx -L authorized.policy -n signing_key.name -i pcr0.sha256.policy
sudo tpm2_flushcontext session.ctx
# (5) Create primary object
sudo tpm2_createprimary --hierarchy=o --key-algorithm=rsa --key-context=prim.ctx -P ***MY_PASSPHRASE***
# If needed, check what handles of the persistent objects are in use (might be useful for the next step)
sudo tpm2_getcap handles-persistent
# (6) Create a sealing object with the authorized policy which will also require the sealing secret
cat rpool.pass | sudo tpm2_create -g sha256 -u auth_pcr_seal_key.pub -r auth_pcr_seal_key.priv -i- -C prim.ctx -L authorized.policy
# (7) Create a new sealing object with the policy_authorize policy associated with signer public key
sudo tpm2_load -Q -C prim.ctx -u auth_pcr_seal_key.pub -r auth_pcr_seal_key.priv -n auth_pcr_seal_key.name -c auth_pcr_seal_key.ctx
# Make the created transient object persistent
sudo tpm2_evictcontrol -c auth_pcr_seal_key.ctx 0x81010001 -C o -P ***MY_PASSPHRASE***
# (8) Sign the pcr_policy with the signer private key
openssl dgst -sha256 -sign signing_key_private.pem -out pcr0.signature pcr0.sha256.policy
# (9) Load the signer public key to the tpm and verify the signature on the pcr and get the tpm verification tkt
sudo tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx -n signing_key.name
sudo tpm2_verifysignature -c signing_key.ctx -g sha256 -m pcr0.sha256.policy -s pcr0.signature -t verification.tkt -f rsassa
# Part 2.3 Decryption
# Satisfy the authorized policy and then run policyauthorize
sudo tpm2_startauthsession --policy-session -S session.ctx
sudo tpm2_policypcr -l sha256:0 -S session.ctx
sudo tpm2_policyauthorize -S session.ctx -i pcr0.sha256.policy -n signing_key.name -t verification.tkt
# Unseal your passphrase
sudo tpm2_unseal -p session:session.ctx -c 0x81010001
sudo tpm2_flushcontext session.ctx
# Part 3 Loading ZFS pool passphrase on boot
# (1) Add a custom script /etc/initramfs-tools/hooks/decryptkey to copy required executables and libraries to initramfs
# (2) Add the decryption lines (Part 2.3) to /usr/share/initramfs-tools/scripts/zfs after the following line
# `if [ "$(zpool list -H -o feature@encryption $(echo "${fs}" | awk -F\/ '{print $1}'))" = 'active' ]; then`
# Note: you also need to reference here the location of files required for decryption
# (3) Update initramfs
sudo update-initramfs -u