Hi,

I've put together some scripts and utilities [1] to allow storing a LUKS secret in TPM NVRAM. This is different from securing your secret by encrypting it with a TPM key in that there's no separate key blob to manage. The key data is written directly into TPM NVRAM, r/w protected by your password (and optionally TPM PCR state). Note that there's a limit to the space you'll have in NVRAM depending on your TPM's vendor.

You can use the tpm-luks package to:

- create a new secret, insert it into the TPM and add it to a LUKS key slot
- open a LUKS device using a TPM secret for auth
- kill a LUKS key slot using a TPM secret for auth
- unlock your rootfs at boot using a TPM secret for auth (tested on RHEL6 and Fedora 17)
- bind the secret to a trusted grub-based root of trust
- migrate the secret from one root of trust to a new one (tested on RHEL6)
- support for a custom root of trust including migration

Please give it a try. I'm interested in general user feedback, bug reports, code reviews, design reviews, flames, etc. Also, if you're a developer and willing to contribute, I'm particularly interested in code to support non-Red Hat distros' initramfs formats and to migrate secrets to new roots of trust.

Thanks,
Kent

[1] git://github.com/shpedoikal/tpm-luks.git

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt