The problem: Solus 4.7 and earlier currently use LUKS1; for the TPM to auto-unlock the LUKS partition, it must be LUKS2.
🚨 Warning: Any time you perform operations like this there is a risk. Please back up!!! Also, make sure you store your passphrase somewhere. If a BIOS or other update causes a change in the key storage, you will need to know it.
Note: This is not a question of whether you should do this or not. There are pros and cons to both.
Requirements:
- TPM 2.0
- UEFI Boot Mode
- Secure Boot enabled. To do this you can follow the official instructions here.
- Solus installed with Encryption
- Solus Live USB
Steps
1: Install TPM2 Tools
sudo eopkg install tpm2-tools
2: Get a list of your LUKS encrypted devices
sudo blkid -t TYPE=crypto_LUKS
This will return something similar to the output below. It may differ depending on hardware, and there may be either one or two partitions depending on your swap setup. These will be used as the example devices in the following steps.
💡 Take note of the dev paths as you will need these later.
/dev/nvme0n1p3: UUID="a483faec-3847-4fda-9981-##########" TYPE="crypto_LUKS" PARTUUID="14d4d993-b248-4ff9-bcaf-##########"
/dev/nvme0n1p2: UUID="a060f079-1c22-464d-8b92-##########" TYPE="crypto_LUKS" PARTLABEL="root" PARTUUID="4c2de92e-a594-4141-8437-##########"
3: Backup the LUKS headers.
I am using the example devices above.
sudo cryptsetup luksHeaderBackup /dev/nvme0n1p3 --header-backup-file ~/nvme0n1p3-header.bkp
sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file ~/nvme0n1p2-header.bkp
4: Convert LUKS1 to LUKS2
- Reboot into the Solus Live USB.
- Open the terminal.
- Run lsblk. In the device list you should see the partitions from step 2.
- Convert the LUKS1 partition(s) to LUKS2 with cryptsetup convert --type luks2.
Just an FYI: the command shown below completes quickly after you type YES and hit enter. There is no feedback unless there was an issue. Run it for all LUKS devices.
sudo cryptsetup convert --type luks2 /dev/nvme0n1p3
sudo cryptsetup convert --type luks2 /dev/nvme0n1p2
- Reboot back into your Solus
5: Enrolling LUKS2 into TPM
- Open a terminal
- Run the commands below (using the example devices above; yours may differ).
- You will be asked for the passphrase for your LUKS encryption.
Command: sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7+8+9 /dev/nvme0n1p3
Results Example:
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7+8+9 /dev/nvme0n1p3
🔐 Please enter current passphrase for disk /dev/nvme0n1p3: **********************************
New TPM2 token enrolled as key slot 1.
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7+8+9 /dev/nvme0n1p2
🔐 Please enter current passphrase for disk /dev/nvme0n1p2: **********************************
New TPM2 token enrolled as key slot 1.
6: Modify /etc/crypttab to tell the system to attempt unlocking with the TPM at boot.
sudo nano /etc/crypttab
- Change the end of the line for each LUKS encrypted partition from
luks-<uuid> UUID=<your-luks-partition-uuid> none luks
(the part after the UUID may only be none for the first entry)
to
luks-<uuid> UUID=<your-luks-partition-uuid> - tpm2-device=auto,luks,discard
Note: The dash between the uuid and tpm2-device=auto,luks,discard is important!
If both completed successfully and you modified /etc/crypttab run:
sudo clr-boot-manager update
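As an added example for step 6 (not part of the original post), this POSIX sh function rewrites one /etc/crypttab line into the TPM2 form shown above, and tpm2_crypttab_file applies it to a whole file read from stdin; the device names in the comments are assumptions. Review the output before copying it over /etc/crypttab, then run sudo clr-boot-manager update as above.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite /etc/crypttab entries
# for step 6 so the TPM2 token enrolled in step 5 is tried at boot.
# A line "name UUID=... none luks" becomes
#        "name UUID=... - tpm2-device=auto,luks,discard".
# The passphrase key slot stays in the LUKS header, so if the TPM refuses
# to release the key (changed PCRs) you are prompted instead of locked out.

tpm2_crypttab_line() {
    line=$1
    case "$line" in
        ''|'#'*) printf '%s\n' "$line"; return 0 ;;   # keep blanks and comments as-is
    esac
    # shellcheck disable=SC2086
    set -- $line                                      # name device [password] [options]
    if [ "$#" -lt 2 ]; then
        printf 'malformed crypttab line: %s\n' "$line" >&2
        return 1
    fi
    name=$1; device=$2; opts=${4:-luks}
    # Rebuild the option list: drop any old tpm2-device= and discard entries
    # (re-added below), keep everything else, and make sure luks is present once.
    new=
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in
            tpm2-device=*|discard|'') ;;
            *) new="${new:+$new,}$o" ;;
        esac
    done
    IFS=$old_ifs
    case ",$new," in
        *,luks,*) ;;
        *) new="${new:+$new,}luks" ;;
    esac
    # The third field must be "-" (no key file) so systemd consults the TPM2 token.
    printf '%s %s - tpm2-device=auto,%s,discard\n' "$name" "$device" "$new"
}

# Rewrite a whole crypttab read from stdin; stops on the first malformed line.
tpm2_crypttab_file() {
    while IFS= read -r l || [ -n "$l" ]; do
        tpm2_crypttab_line "$l" || return 1
    done
}
```

Usage: tpm2_crypttab_file < /etc/crypttab > ~/crypttab.new, diff it against the original, then copy it into place with sudo.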
7: Reboot.
If everything went correctly, you should not need to enter your encryption passphrase at boot.
Addendum
There is a chance that a BIOS or kernel update may change the measured PCR values the TPM key is sealed to. You will know because you will have to enter the passphrase on that boot. If that happens, you do not need to run through the whole thing again.
Just perform step 5 again, followed by sudo clr-boot-manager update, and reboot.