Cryptenroll
systemd-cryptenroll
https://gist.github.com/chrisx8/cda23e2d1fa3dcda0d739bc74f600175
https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
Setting up with FIDO2
Install the FIDO2 library:
yay -S libfido2
List FIDO2 devices:
[gen0@gen0 tmp]$ sudo systemd-cryptenroll --fido2-device=list
PATH MANUFACTURER PRODUCT
/dev/hidraw2 Yubico YubiKey OTP+FIDO+CCID
Adding the Info to LUKS2 Header:
systemd-cryptenroll --fido2-device=auto /dev/sda5
Modifying the crypttab:
>>> cat /etc/crypttab
myvolume /dev/sda5 - fido2-device=auto
Setting up with YubiKey PKCS#11
Generate Key:
# Generate key in the PIV key-management slot (9d)
ykman piv reset
ykman piv generate-key -a RSA2048 9d pubkey.pem
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
rm pubkey.pem
Adding the Info to LUKS2 Header:
systemd-cryptenroll --pkcs11-token-uri=auto /dev/sda5
Modifying the crypttab:
>>> cat /etc/crypttab
myvolume /dev/sda5 - pkcs11-uri=auto
Setting up with TPM2
This binds the unlock key to this machine's TPM and, via --tpm2-pcrs=7, to the current Secure Boot state (PCR 7). If that measurement changes, the TPM will no longer release the key, so keep a recovery key enrolled.
Adding the Info to LUKS2 Header:
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda5
Modifying the crypttab:
>>> cat /etc/crypttab
myvolume /dev/sda5 - tpm2-device=auto
Setting Up a Recovery Key
systemd-cryptenroll --recovery-key /dev/sda5
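After enrolling any of the methods above, it is worth confirming what the LUKS2 header actually contains before removing the original passphrase slot. The following is an added example, not part of the original notes or of systemd: it parses the JSON that `cryptsetup luksDump --dump-json-metadata <device>` prints, maps each keyslot to the systemd token bound to it (systemd-cryptenroll writes tokens of type systemd-tpm2, systemd-fido2, systemd-pkcs11 and systemd-recovery), shows which PCRs a TPM2 enrollment is sealed against, and refuses to call the volume "safe to wipe the passphrase from" unless both a recovery key and a hardware-backed method are present. The metadata below is a constructed sample trimmed to the fields the check needs; the device path and slot layout are assumptions.

```python
import json
from typing import Any, Dict

# Constructed sample of `cryptsetup luksDump --dump-json-metadata /dev/sda5`
# for a volume with a passphrase (slot 0), a TPM2 enrollment bound to PCR 7
# (slot 1), a FIDO2 enrollment (slot 2) and a recovery key (slot 3).
# Digests, segment details, KDF parameters and salts are omitted for brevity.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "luks2", "key_size": 64},
        "2": {"type": "luks2", "key_size": 64},
        "3": {"type": "luks2", "key_size": 64},
    },
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7]},
        "1": {"type": "systemd-fido2", "keyslots": ["2"],
              "fido2-rp": "io.systemd.cryptsetup"},
        "2": {"type": "systemd-recovery", "keyslots": ["3"]},
    },
    "segments": {"0": {"type": "crypt"}},
    "digests": {},
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
})

# Constructed sample of a freshly formatted volume: one passphrase, no tokens.
PASSPHRASE_ONLY_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64}},
    "tokens": {},
})

HARDWARE_TOKEN_TYPES = {"systemd-tpm2", "systemd-fido2", "systemd-pkcs11"}


def summarize_enrollments(metadata_json: str) -> Dict[str, Any]:
    """Map each LUKS2 keyslot to the systemd unlock method bound to it.

    A slot referenced by no token is an ordinary passphrase slot.
    Returns:
      slots:            {slot_id: token type or "passphrase"}
      tpm2_pcrs:        {slot_id: [pcr, ...]} for systemd-tpm2 tokens
      has_recovery:     True if a systemd-recovery token is enrolled
      passphrase_slots: sorted list of slots not covered by any token
    """
    meta = json.loads(metadata_json)
    slots = {sid: "passphrase" for sid in meta.get("keyslots", {})}
    tpm2_pcrs: Dict[str, list] = {}
    for token in meta.get("tokens", {}).values():
        ttype = token.get("type", "")
        for sid in token.get("keyslots", []):
            if sid in slots:
                slots[sid] = ttype
            if ttype == "systemd-tpm2":
                tpm2_pcrs[sid] = list(token.get("tpm2-pcrs", []))
    return {
        "slots": slots,
        "tpm2_pcrs": tpm2_pcrs,
        "has_recovery": "systemd-recovery" in slots.values(),
        "passphrase_slots": sorted(s for s, m in slots.items() if m == "passphrase"),
    }


def safe_to_wipe_passphrase(summary: Dict[str, Any]) -> bool:
    """Only drop the passphrase once a recovery key AND at least one
    hardware-backed method exist; otherwise a PCR change, a lost token or a
    reset YubiKey locks the volume for good."""
    has_hw = any(m in HARDWARE_TOKEN_TYPES for m in summary["slots"].values())
    return summary["has_recovery"] and has_hw


if __name__ == "__main__":
    s = summarize_enrollments(SAMPLE_METADATA)
    for sid, method in sorted(s["slots"].items()):
        pcrs = f" (PCRs {s['tpm2_pcrs'][sid]})" if sid in s["tpm2_pcrs"] else ""
        print(f"slot {sid}: {method}{pcrs}")
    print("recovery key enrolled:", s["has_recovery"])
    print("passphrase slots:", s["passphrase_slots"])
    print("safe to wipe passphrase slot:", safe_to_wipe_passphrase(s))
```

On a real system, feed it the output of `sudo cryptsetup luksDump --dump-json-metadata /dev/sda5`; `sudo systemd-cryptenroll /dev/sda5` with no enrollment option prints a similar slot/type table directly. Only once the check passes should the passphrase be removed with `systemd-cryptenroll --wipe-slot=password /dev/sda5`, and the recovery key printed during `--recovery-key` enrollment must be stored off the machine before that step.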