I have been searching the web to find a Linux distribution, preferably a rolling release one as I'm otherwise hooked on the concepts in Arch Linux, with automated steps to set up full disk encryption (including the boot partition) using the TPM2 module to decrypt.

The packages seem to be there more or less, but documentation in the form of a step-by-step guide is really hard to come by.

Even the Arch Linux wiki, for example, which usually is a great resource for step-by-step instructions, is really hard to follow here: https://wiki.archlinux.org/title/Trusted_Platform_Module .

There seem to be a lot of options, and therefore a potential for misconfiguration.

Are there any distributions out there that provide audited setup scripts, or even graphical user interfaces that help ensure a correct setup?

tirithen

  • So you're asking whether there is no support for a **proprietary** hardware component in mostly open source operating systems? Think about it. – Sir Muffington Oct 29 '21 at 14:50
  • Yes: Ubuntu Core. https://ubuntu.com/tutorials/how-to-ubuntu-core-secure-boot-full-disk-encryption – A. Hersean Oct 29 '21 at 15:42
  • @SirMuffington By `proprietary`, I am assuming that you're also including hardware such as GPUs and certain RAID cards? – doneal24 Oct 29 '21 at 16:18
  • @SirMuffington A TPM is a standardized hardware component that makes perfect sense in a disc encryption set-up. – Robert Oct 29 '21 at 18:42
  • @AHersean thank you for the link, seems interesting for server setups with Intel NUC boards. Might be useful next time I upgrade my file server. Seemed easy to follow. I'm hoping to find a similar guide for Linux desktop and laptop machines as well. – tirithen Oct 29 '21 at 21:33
  • @SirMuffington I was confused about the TPM module for a long time, until I started using disk encryption setups on and always got stuck on the issue that the boot partition was not possible to encrypt, which leaves it open for manipulation. The TPM module helps prevent any undetected manipulation of the drives even if an attacker gets physical access to the device. It has a standard for its interface even if not yet being 100% open, but as mentioned neither is the management engine, network firmware, GPU and more. Eventually they may be, but until then I need my data as safe as possible. – tirithen Oct 29 '21 at 21:42
  • Chromebook has File Based Encryption and Verified Boot 2.0 backed by TPM. – defalt Oct 30 '21 at 12:17
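To make concrete what the question is asking distributions to automate, here is an added example (not code from the question, from the Arch wiki, or from any distribution) of the systemd-cryptenroll workflow for binding an existing LUKS2 volume to a TPM2, written as small functions so the PCR selection and the prerequisites can be checked before anything touches the LUKS header. It assumes systemd 248 or newer, the in-kernel TPM resource manager at `/dev/tpmrm0`, and mkinitcpio's `sd-encrypt` hook (which reads `/etc/crypttab.initramfs`); `/dev/sda2` and the volume name `root` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or from any distribution: binding an
# existing LUKS2 volume to a TPM2 with systemd-cryptenroll, split into checkable steps.
# Assumed environment: systemd >= 248, TPM resource manager at /dev/tpmrm0, mkinitcpio's
# sd-encrypt hook reading /etc/crypttab.initramfs. /dev/sda2 and "root" are placeholders.
set -eu

# Validate a PCR selection: comma-separated integers 0..23 without duplicates.
# PCR 7 (Secure Boot policy) is the usual minimal binding; adding 0 (firmware) or
# 4 (boot loader) makes the sealed key unusable after firmware or boot loader updates,
# which is why a passphrase keyslot must stay enrolled as the recovery path.
valid_pcrs() {
  list=$1
  [ -n "$list" ] || return 1
  seen=","
  old_ifs=$IFS
  IFS=','
  set -- $list
  IFS=$old_ifs
  for pcr; do
    case $pcr in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pcr" -le 23 ] || return 1
    case $seen in
      *",$pcr,"*) return 1 ;;
    esac
    seen="$seen$pcr,"
  done
  return 0
}

# Compose the enrollment command as text so the operator reviews it before it modifies
# the LUKS header. systemd-cryptenroll adds a TPM2-sealed keyslot; existing slots stay.
enroll_cmd() {
  dev=$1
  pcrs=${2:-7}
  valid_pcrs "$pcrs" || { echo "invalid PCR selection: $pcrs" >&2; return 1; }
  printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s %s' "$pcrs" "$dev"
}

# crypttab entry for the initramfs: unseal from the TPM2 and fall back to a passphrase
# prompt when the PCR policy does not match (changed boot chain) or the TPM is unavailable.
crypttab_line() {
  printf '%s %s none tpm2-device=auto' "$1" "$2"
}

# Preflight checks to run before enrollment. Reports each missing prerequisite on
# stderr and returns non-zero; nothing on the system is changed.
preflight() {
  dev=$1
  ok=0
  [ -c /dev/tpmrm0 ] || { echo "no TPM2 resource manager device (/dev/tpmrm0)" >&2; ok=1; }
  command -v systemd-cryptenroll >/dev/null 2>&1 || { echo "systemd-cryptenroll not found" >&2; ok=1; }
  if command -v cryptsetup >/dev/null 2>&1; then
    cryptsetup isLuks --type luks2 "$dev" 2>/dev/null || { echo "$dev is not a LUKS2 volume" >&2; ok=1; }
  fi
  return $ok
}

# Print the reviewed plan: enroll, add the crypttab entry, rebuild the initramfs, and
# reboot once with the passphrase still enrolled before relying on the TPM path.
print_plan() {
  dev=${1:-/dev/sda2}
  pcrs=${2:-7}
  preflight "$dev" || { echo "preflight failed; nothing to do" >&2; return 1; }
  echo "1. $(enroll_cmd "$dev" "$pcrs")"
  echo "2. append to /etc/crypttab.initramfs: $(crypttab_line root "$dev")"
  echo "3. mkinitcpio -P, then reboot and confirm the volume unlocks without a prompt"
  echo "4. keep the passphrase keyslot; it is the recovery path after firmware updates"
}
```

Source the file and call `print_plan /dev/sda2 7` on the target machine; it prints the commands for review rather than running them, and the preflight refuses to proceed when the TPM device, `systemd-cryptenroll`, or a LUKS2 header is missing. Binding only to PCR 7 is the choice that survives routine firmware and kernel updates; a wider PCR set detects more tampering but will drop to the passphrase prompt after every change to the measured components.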