On Tue, Dec 22, 2020, 12:59 AM Gordon Messmer <gordon.messmer@xxxxxxxxx> wrote:
> https://blog.dowhile0.org/2017/10/18/automatic-luks-volumes-unlocking-using-a-tpm2-chip/
>
> The use of clevis to bind a LUKS volume to a TPM2 device isn't very well
> documented, but a few articles and blogs provide working examples for a
> single LUKS volume:
>
> "clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'"
>
> Does anyone know if it's possible to bind two volumes and unlock them
> both at boot, using the TPM2 device?
Lennart was working on this a while ago in systemd. I'm not sure how far along it is. Could git clone it and then:
git log --grep=TPM2
I'm not sure how to do case insensitive with git's grep. I know he was also working on security key support for sd-homed and possible sd-cryptsetup.
Anyway, this is something Workstation WG has been looking at in particular for encrypting system root. That way a user-entered passphrase isn't needed to boot. And the user login passphrase unlocks just that user's home.
--
Chris Murphy
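As an added example for the question above (not code from this thread, from the blog post linked, or from the clevis project): a POSIX shell script that binds every volume in a list to the TPM2 with the same clevis pin shown in the quoted command, verifies the binding, and regenerates the initramfs so all of them are unlocked at boot. It assumes the Fedora packages clevis, clevis-luks, clevis-dracut and clevis-systemd are installed; the device paths and PCR list are placeholders, and DRY_RUN defaults to 1 so the script only prints the privileged commands until you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the clevis project.
# Binds several LUKS volumes to the TPM2 via clevis and prepares the
# initramfs so each of them is unlocked without a typed passphrase.
# Assumptions: Fedora packages clevis, clevis-luks, clevis-dracut,
# clevis-systemd; VOLUMES below are placeholder device paths.
set -eu

# Placeholder devices: replace with the LUKS volumes you actually use.
VOLUMES="${VOLUMES:-/dev/sda3 /dev/sdb1}"
# PCR 7 covers the Secure Boot policy (db/dbx/KEK/PK and the cert that
# verified the bootloader). "0,1,7" would also seal to firmware code/config.
PCRS="${PCRS:-7}"
# Default is dry run: print commands instead of running them. Set to 0 to bind.
DRY_RUN="${DRY_RUN:-1}"

# Build the clevis tpm2 pin configuration for a PCR list such as "7" or "0,1,7".
tpm2_config() {
    printf '{"pcr_ids":"%s"}' "$1"
}

# Run a privileged command, or print it verbatim in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bind one volume. clevis asks for an existing LUKS passphrase and adds a
# new keyslot holding the TPM2-sealed key; the passphrase slot stays in place
# as the fallback for when the sealed key no longer unseals.
bind_volume() {
    dev=$1; pcrs=$2
    run clevis luks bind -d "$dev" tpm2 "$(tpm2_config "$pcrs")"
}

# Show the bound slot and its pin config, e.g. "1: tpm2 '{"pcr_ids":"7"}'".
check_volume() {
    dev=$1
    run clevis luks list -d "$dev"
}

# Re-seal an existing binding after the measured PCRs change (firmware or
# dbx update, new bootloader signing cert). SLOT is the number printed by
# clevis luks list; the key stays in that slot.
regen_volume() {
    dev=$1; slot=$2
    run clevis luks regen -d "$dev" -s "$slot"
}

main() {
    for dev in $VOLUMES; do
        bind_volume "$dev" "$PCRS"
        check_volume "$dev"
    done
    # Every volume that must open in the initramfs needs an /etc/crypttab
    # entry; clevis-dracut puts clevis-luks-askpass into the initramfs, and it
    # answers systemd's password request for each crypttab device in turn.
    run dracut -f
    # For volumes opened after the initramfs (e.g. a separate data disk),
    # the same helper runs from the host via this path unit.
    run systemctl enable clevis-luks-askpass.path
}

main "$@"
```

Two caveats worth keeping in mind. Nothing in the binding is per-volume beyond the keyslot, so binding two or ten volumes is the same command repeated; what makes them all open at boot is that each has a crypttab entry and the initramfs was rebuilt after clevis-dracut was installed. And sealing to PCR 7 alone means the disk opens for anyone who boots it on that machine with the Secure Boot state unchanged: the TPM protects against the disk being moved or the boot chain being altered, not against someone with the laptop, so the protection then rests on the login screen. A later systemd (248 and up) also offers `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7` for the same enrollment, which is the work Chris refers to.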
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx