[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option
Christopher Hall
1980018 at bugs.launchpad.net
Fri Sep 9 13:58:30 UTC 2022
>It does degrade security compared to passphrase-based encryption.
So does allowing luks key retrieval from other volumes, like network,
block devices, or USB keys, which have been mainstays for years. The
odds someone is going to just walk off with your decryption keys when
they are stored in a processor-embedded tpm2 (intel Gen 8 or higher) is
very, very low. That usb or disk drive could easily grow legs and suffers
the same vulnerabilities described above.
Ranting aside, I tried wmcelderry's patches today on a fresh 22.04 host.
Looks like about 10 lines of code in two files to get the tpm2-device
option working and an initramfs hook. It works well. I can reboot and
watch it fetch the systemd-cryptenrolled key off the tpm2 and unlock
itself. I did install the compiled systemd with tpm2 packages, but I
think 22.04 has all of that working already so that may have been
unnecessary. Thanks for putting that together.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1980018
Title:
Cryptsetup-initramfs cant deal with tpm2-device option
Status in cryptsetup package in Ubuntu:
Confirmed
Bug description:
In order to boot an encrypted system and autounlock with tpm2, the
tpm2-device= option must be specified in /etc/crypttab. This works
for non-root filesystems for some reason, but when applied to root
filesystems it doesn't. Tested working on both arch and fedora, so the
method is good, something is off in the background.
root at test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'
Manually adding it to /lib/cryptsetup/functions produces this
root at test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
/usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found
That file belongs to cryptsetup-initramfs
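The second error in the bug description ("eval: CRYPTTAB_OPTION_tpm2-device=auto: not found") is a shell-naming problem rather than a cryptsetup one: a POSIX shell variable name may contain only letters, digits and underscores, so when the hook builds "CRYPTTAB_OPTION_<option>=<value>" from the raw option name and hands it to eval, the hyphen in "tpm2-device" means eval sees a command named "CRYPTTAB_OPTION_tpm2-device=auto" instead of an assignment. The script below is an added example, not code from cryptsetup-initramfs or from the patches mentioned in the thread: it reproduces that failure and shows a crypttab option parser that maps option names to valid identifiers before the eval. The CRYPTTAB_OPTION_ prefix and the eval form are taken from the error line on the page; the function names, the hyphen-to-underscore mapping and the "yes" default for valueless options are assumptions of this example.

```shell
#!/bin/sh
# Added example (not cryptsetup-initramfs code). Parses a crypttab options
# field into CRYPTTAB_OPTION_<name> shell variables, mangling '-' to '_'
# first so that names like tpm2-device become legal shell identifiers.

# Reproduce the failure from the bug report: with the hyphen left in, the
# shell cannot treat the string as an assignment and looks for a command
# named CRYPTTAB_OPTION_tpm2-device=auto instead. Returns 0 (true) when
# the raw eval fails, i.e. when the option name is not a valid identifier.
raw_eval_fails() {
    ! ( eval "CRYPTTAB_OPTION_$1='$2'" ) 2>/dev/null
}

# Map one crypttab option name to a valid variable name:
#   tpm2-device -> CRYPTTAB_OPTION_tpm2_device
# Any character outside [A-Za-z0-9_] is replaced by '_' (assumed mapping).
crypttab_option_varname() {
    printf 'CRYPTTAB_OPTION_%s\n' "$1" | tr -c 'A-Za-z0-9_\n' '_'
}

# Parse a comma-separated options field such as "luks,tpm2-device=auto"
# and export one variable per option. Options without '=' get the value
# "yes" (an assumption of this example). Values are single-quoted before
# the eval so their contents are never interpreted as shell syntax.
parse_crypttab_options() {
    _opts="$1"
    _old_ifs="$IFS"
    IFS=','
    for _opt in $_opts; do
        case "$_opt" in
            '')  continue ;;
            *=*) _name="${_opt%%=*}"; _value="${_opt#*=}" ;;
            *)   _name="$_opt"; _value="yes" ;;
        esac
        _var=$(crypttab_option_varname "$_name")
        # Escape embedded single quotes: ' -> '\''
        _quoted=$(printf '%s' "$_value" | sed "s/'/'\\\\''/g")
        eval "$_var='$_quoted'"
        export "$_var"
    done
    IFS="$_old_ifs"
}

# Look up the parsed value of an option by its original crypttab name.
# Prints an empty line if the option was not given.
crypttab_option_value() {
    eval "printf '%s\n' \"\$$(crypttab_option_varname "$1")\""
}

# Demonstration on a constructed options field resembling the one in the
# bug report (sample input, not copied from any real /etc/crypttab).
parse_crypttab_options "luks,tpm2-device=auto,discard"
printf 'tpm2-device=%s discard=%s\n' \
    "$(crypttab_option_value tpm2-device)" "$(crypttab_option_value discard)"
```

Run with sh or dash to match an initramfs environment; the raw_eval_fails check shows the same "not found" behaviour as the update-initramfs output above, while the mangled variable name is accepted by every POSIX shell. A hook that wants the raw option name back later must keep the mapping one-way consistent (every option goes through the same function), which is why the lookup helper reuses crypttab_option_varname instead of guessing the variable name.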