LUKS + TPM2 + PIN

5 votes
2 answers
5500 views
I am currently aware of two recent methods to bind a LUKS encrypted root partition to a TPM2: systemd-cryptenroll and clevis. Both of them seem to release the encryption key after successfully checking the PCRs the key was sealed against. But I don't like the idea of the volume being decrypted without user interaction. I'd rather have a solution like the one offered by BitLocker for Windows: either TPM and an additional PIN, or a recovery key. Even though I searched the web quite exhaustively, I was not able to find any hints in this direction. Is anybody aware of a solution?

EDIT: There is a --recovery-key option for systemd-cryptenroll. I'm only concerned with the question of how to get an additional PIN requirement when using the TPM.
Asked by Simon (195 rep)
May 9, 2021, 05:46 PM
Last activity: Jun 1, 2022, 07:06 AM
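Added example from the editor (not part of the question or either of its answers) showing what a TPM2 + PIN enrollment with a recovery-key fallback looks like with systemd-cryptenroll. It assumes systemd 251 or later (the release that introduced --tpm2-with-pin= and the matching crypttab option tpm2-pin=), and that the LUKS2 partition path is passed as the first argument; /dev/sdX2 is a placeholder.

```shell
#!/bin/sh
# Enrol a LUKS2 volume so that unlocking at boot needs BOTH the TPM2 PCR
# policy AND a user-entered PIN, with a recovery key as the fallback.
# Assumes systemd >= 251; device path comes from the caller (placeholder below).

DEV="${1:-/dev/sdX2}"   # placeholder: pass the real LUKS2 partition
PCRS="${2:-7}"          # PCR 7 = Secure Boot state; add more with '+', e.g. 0+7

# crypttab option string for a TPM2+PIN slot. Kept in a function so the
# resulting policy can be checked without touching a real device.
crypttab_options() {
    printf 'tpm2-device=auto,tpm2-pcrs=%s,tpm2-pin=yes' "$1"
}

# Full /etc/crypttab line for the root volume: name, source, keyfile, options.
# 'none' as keyfile means systemd-cryptsetup asks the TPM (and the user) instead.
crypttab_line() {
    printf 'cryptroot UUID=%s none %s\n' "$1" "$(crypttab_options "$2")"
}

enroll() {
    # 1. Recovery key first, so there is always a way in if the TPM policy
    #    later fails (e.g. a firmware update changes PCR 7). Store it offline.
    systemd-cryptenroll --recovery-key "$DEV"

    # 2. TPM2 key slot that additionally requires a PIN; the PIN is set
    #    interactively during enrollment.
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$PCRS" \
        --tpm2-with-pin=yes "$DEV"

    # 3. Verify both tokens are present in the LUKS2 header.
    cryptsetup luksDump "$DEV" | grep -E 'systemd-(tpm2|recovery)'
}

# Only act on hardware when a device argument is given (not when sourced).
if [ -n "$1" ]; then
    enroll
    luks_uuid=$(cryptsetup luksUUID "$DEV")
    echo "Add this line to /etc/crypttab, then regenerate the initramfs:"
    crypttab_line "$luks_uuid" "$PCRS"
fi
```

After regenerating the initramfs, the boot prompt asks for the PIN; a wrong PIN or a PCR mismatch falls back to the recovery key, which is the BitLocker-like behaviour the question asks for.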