Difference between revisions of "Linux: Full Disk Encryption"

Latest revision as of 10:12, 20 May 2020

Overview

The idea is to encrypt the partition holding the root filesystem with LUKS and store the key in the TPM.
During boot the user does not have to enter a decryption passphrase; the partition is unlocked automatically with the key released by the TPM.
It is an open-source alternative to Windows BitLocker.

  • LUKS (Linux Unified Key Setup) is the standard full-volume encryption format for Linux disks
  • TPM (Trusted Platform Module) is a dedicated microcontroller designed to secure hardware through integrated cryptographic keys

List of tested devices

The guide was tested on the systems with the specs listed below, but should be easily adaptable.

Device: fitlet2
OS: Debian GNU/Linux buster
ISO: debian-buster-DI-rc2-amd64-netinst.iso
Kernel: 4.19.0-5-amd64
BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00
TPM: Firmware based TPM 2.0 implementation (fTPM)
Clevis: 11-2

Device: fitlet2
OS: Debian GNU/Linux bullseye
ISO: debian-bullseye-DI-rc2-amd64-netinst.iso
Kernel: 5.6.0-1-amd64
BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00
TPM: Firmware based TPM 2.0 implementation (fTPM)
Clevis: 13-1

Installation

  • Follow the standard installation procedure: choose timezone, hostname, username, password etc.
  • In the "Partition disks" dialog you can choose an automatic or a manual partitioning scheme
    • Automatic: select "Guided - use entire disk and set up encrypted LVM"
      • The partitioning scheme is defined automatically
      • You will be asked to enter a passphrase for encryption
    • Manual (advanced), for example:
      • #1, size 200.0 MB, use as "EFI System Partition"
      • #2, size 300.0 MB, use as "EXT4 journaling file system", mount point /boot
      • #3, size 3.0 GB, use as "physical volume for encryption"
      • Go to "Configuring encrypted volumes" and select partition #3 as the device to be encrypted
      • You will be asked to enter a passphrase for encryption
      • Back in "Partition disks", find the newly created encrypted volume #1 and use it as "EXT4 journaling file system", mount point /
  • Continue with the package manager, software selection etc.
  • Disconnect the installation media and reboot
  • You will be asked for the passphrase of the encrypted disk; enter it manually and the boot process continues
  • Log in using the previously selected username and password.
  • NOTE: The PATH definition in /etc/profile should be fixed so that it includes the sbin directories, as shown:
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
export PATH
...

Automated Decryption

  • Clevis is a framework for automated decryption of data or automated unlocking of LUKS volumes.
$ su
Password:
$ apt install clevis-tpm2 clevis-luks clevis-dracut
  • NOTE: the current version of clevis-dracut (11-2) requires a patch to work correctly on Debian:
--- /usr/lib/dracut/modules.d/60clevis/module-setup.sh.orig	2019-03-01 12:37:24.000000000 +0200
+++ /usr/lib/dracut/modules.d/60clevis/module-setup.sh	2019-07-01 13:47:48.341990143 +0300
@@ -36,9 +36,7 @@
     inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
 
     inst_multiple /etc/services \
-        clevis-decrypt-http \
-        clevis-decrypt-tang \
-        clevis-decrypt-sss \
+	cryptsetup \
         /usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
         clevis-decrypt \
         luksmeta \
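Review bot: the three `-` lines drop `clevis-decrypt-http`, `clevis-decrypt-tang` and `clevis-decrypt-sss` from the initramfs, so a volume bound with the tang or sss pin (including a tpm2+tang sss policy) will no longer unlock at early boot; if the intent is a tpm2-only initramfs, state that in the patch description, otherwise keep those helpers and only add `cryptsetup`. The added `+	cryptsetup \` line is also indented with a tab while the rest of the `inst_multiple` list uses eight spaces.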
@@ -46,11 +44,16 @@
         mktemp \
         curl \
         jose \
-        socat
+        socat \
+	/usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0 \
+	/usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0.0.0 \
+	/usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0 \
+	/usr/lib/x86_64-linux-gnu/libtss2-tcti-mssim.so.0.0.0
 
     for cmd in clevis-decrypt-tpm2 \
 	tpm2_createprimary \
 	tpm2_unseal \
+	tpm2_pcrlist \
 	tpm2_load; do
 
 	if ! find_binary "$cmd" &>/dev/null; then
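Review bot: the four added library lines hard-code `/usr/lib/x86_64-linux-gnu/` and the exact `.so.0.0.0` file names, which breaks the module on any other architecture and on the next libtss2 upgrade; dracut's `inst_libdir_file` (for example `inst_libdir_file "libtss2-tcti-device.so*"`) resolves the multiarch directory and the version for you. Also, `tpm2_pcrlist` added to the `for cmd in` list is the tpm2-tools 3.x name (it became `tpm2_pcrread` in 4.x), so with a newer tpm2-tools the `find_binary "$cmd"` test below fails and the whole module is skipped; check for either name.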
@@ -62,6 +65,7 @@
 	inst_multiple clevis-decrypt-tpm2 \
 	    tpm2_createprimary \
 	    tpm2_unseal \
+	    tpm2_pcrlist \
 	    tpm2_load
     fi
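Review bot: the tpm2 tool list is now duplicated between the `find_binary` loop in the previous hunk and this `inst_multiple`, and `tpm2_pcrlist` had to be added in both places; define the list once in a variable and use it in both so the two cannot drift apart.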
  • Download and apply the patch:
$ wget https://fit-iot.com/files/download/fitlet2/sw/tools/Linux-ftpm2.0/module-setup.sh.diff
$ patch -p1 /usr/lib/dracut/modules.d/60clevis/module-setup.sh module-setup.sh.diff
  • Regenerate the initramfs image with the clevis modules so that the root filesystem can be decrypted during early boot. You need to do this once:
$ dracut -f /boot/initrd.img-$(uname -r)
  • Test the TPM pin: the following example encrypts the words “Hello World!” with clevis, writes the result to test.txt and decrypts it again. Give it a try!
$ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
$ cat test.txt
eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI
...
$ cat test.txt | clevis decrypt tpm2
Hello World!
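The first dot-separated segment of the JWE printed above is the base64url-encoded protected header; it records the pin and, for tpm2, the PCR policy the key was sealed under, which is what to inspect when verifying that a binding is tied to PCR 7 rather than to an empty policy like the '{}' used in this test. The following Python script is an added example, not code from the fit-PC page or from clevis; the JWEs it builds are constructed samples whose header layout follows the tpm2 pin, with placeholder jwk blobs and body segments.

```python
"""Inspect the protected header of a Clevis JWE to see which pin and which
TPM policy it was sealed under. Added example, not code from the fit-PC page;
the sample JWEs below are constructed, only their header layout follows clevis."""
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWE segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that JWE segments omit, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jwe(tpm2_cfg: dict) -> str:
    """Build a constructed compact JWE (header.key.iv.ciphertext.tag) whose
    protected header has the shape 'clevis encrypt tpm2' produces. The jwk
    blobs and the body segments are placeholders, not real key material."""
    header = {
        "alg": "dir",
        "clevis": {
            "pin": "tpm2",
            "tpm2": {"hash": "sha256", "key": "ecc",
                     "jwk_pub": "PLACEHOLDER", "jwk_priv": "PLACEHOLDER",
                     **tpm2_cfg},
        },
        "enc": "A256GCM",
    }
    hdr = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    # Direct ("dir") key management leaves the encrypted-key segment empty.
    return ".".join([hdr, "", b64url_encode(b"iv"),
                     b64url_encode(b"ct"), b64url_encode(b"tag")])


# Bound to PCR 7, as 'clevis luks bind ... tpm2 {"pcr_ids":"7"}' records it.
SAMPLE_JWE_PCR7 = make_sample_jwe({"pcr_bank": "sha256", "pcr_ids": "7"})
# Sealed with the empty config '{}' of the Hello World test: no PCR policy.
SAMPLE_JWE_NO_PCR = make_sample_jwe({})


def clevis_policy(jwe: str) -> dict:
    """Report pin, content-encryption alg and (for tpm2) the PCR policy from
    the protected header alone; nothing is decrypted and no TPM is needed."""
    header = json.loads(b64url_decode(jwe.split(".", 1)[0]))
    clevis = header.get("clevis", {})
    pin = clevis.get("pin")
    info = {"pin": pin, "enc": header.get("enc")}
    if pin == "tpm2":
        tpm2 = clevis.get("tpm2", {})
        # pcr_ids is a comma-separated string; absent or empty means the TPM
        # unseals the key regardless of the measured boot state.
        ids = tpm2.get("pcr_ids", "")
        info["pcr_bank"] = tpm2.get("pcr_bank")
        info["pcr_ids"] = [int(i) for i in ids.split(",") if i.strip()]
        info["bound_to_secure_boot_state"] = 7 in info["pcr_ids"]
    return info


if __name__ == "__main__":
    for name, jwe in (("pcr7", SAMPLE_JWE_PCR7), ("no_pcr", SAMPLE_JWE_NO_PCR)):
        print(name, json.dumps(clevis_policy(jwe)))
```

To run it against a real file, read test.txt and pass its contents to `clevis_policy`; the header is plaintext metadata, so this inspection works on any machine, not only the one holding the TPM.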
  • Bind the master key generated by the TPM to the LUKS volume. For this a specific Platform Configuration Register (PCR), PCR7, is used: it records the Secure Boot state, so the TPM only releases the key while that measurement is unchanged.
# Review information about the cryptographic setup of encrypted partition:
$ cryptsetup luksDump /dev/sda3

$ clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'
Enter existing LUKS password: ******

# Review information about the cryptographic setup again, check if the new key has been written to the LUKS volume:
$ cryptsetup luksDump /dev/sda3
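The two luksDump calls above are the check that the bind succeeded. The following Python script is an added example rather than code from the fit-PC page or from cryptsetup/clevis: it parses constructed sample dumps in both the LUKS1 and the LUKS2 layout, reports which keyslot was added and which clevis token points at it, and confirms that a pre-existing passphrase slot survived, which is the fallback you need if PCR7 changes. The sample dumps are trimmed and their spacing is constructed; real output may use tabs.

```python
"""Compare 'cryptsetup luksDump' output from before and after
'clevis luks bind' to confirm the new key was written and that a passphrase
slot survives. Added example, not code from the fit-PC page; the dumps below
are constructed samples trimmed to the sections the check needs."""
import re

# Constructed LUKS2 dump before binding: one passphrase keyslot, no tokens.
DUMP_BEFORE = """\
LUKS header information
Version:        2
Epoch:          3
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
Digests:
  0: pbkdf2
"""

# Constructed LUKS2 dump after binding: a second keyslot plus a clevis token pointing at it.
DUMP_AFTER = """\
LUKS header information
Version:        2
Epoch:          5
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
"""

# Constructed LUKS1 dump (older installers): slots are listed as ENABLED/DISABLED,
# and clevis keeps its metadata in luksmeta, so no token appears here.
DUMP_LUKS1 = """\
LUKS header information for /dev/sda3
Version:        1
Key Slot 0: ENABLED
        Iterations:             1234567
Key Slot 1: ENABLED
        Iterations:             1234567
Key Slot 2: DISABLED
Key Slot 3: DISABLED
"""


def parse_luks_dump(dump: str) -> dict:
    """Return the header version, the enabled keyslot ids and the LUKS2 tokens."""
    version = int(re.search(r"^Version:\s*(\d+)", dump, re.M).group(1))
    result = {"version": version, "keyslots": [], "tokens": {}}
    if version == 1:
        for m in re.finditer(r"^Key Slot (\d+): (ENABLED|DISABLED)", dump, re.M):
            if m.group(2) == "ENABLED":
                result["keyslots"].append(int(m.group(1)))
        return result
    section = None
    for line in dump.splitlines():
        if re.match(r"^[A-Z][A-Za-z ]*:\s*$", line):  # "Keyslots:", "Tokens:", ...
            section = line.strip().rstrip(":")
            continue
        m = re.match(r"^  (\d+): (\S+)", line)        # "  1: luks2" / "  0: clevis"
        if not m:
            continue
        if section == "Keyslots":
            result["keyslots"].append(int(m.group(1)))
        elif section == "Tokens":
            result["tokens"][int(m.group(1))] = m.group(2)
    return result


def binding_check(before: str, after: str) -> dict:
    """Did 'clevis luks bind' add a keyslot, and is a pre-existing slot still there?"""
    b, a = parse_luks_dump(before), parse_luks_dump(after)
    new_slots = sorted(set(a["keyslots"]) - set(b["keyslots"]))
    clevis_tokens = sorted(i for i, t in a["tokens"].items() if t == "clevis")
    return {
        "new_keyslots": new_slots,
        "clevis_tokens": clevis_tokens,
        # LUKS1 has no token objects, so a new slot is the only visible evidence there.
        "bound": bool(new_slots) and (a["version"] == 1 or bool(clevis_tokens)),
        # Keep the passphrase slot: if PCR7 changes (firmware or Secure Boot update)
        # the TPM will not unseal, and this slot is the only way back in.
        "passphrase_fallback": bool(set(a["keyslots"]) & set(b["keyslots"])),
    }


if __name__ == "__main__":
    print(binding_check(DUMP_BEFORE, DUMP_AFTER))
```

In practice save the first `cryptsetup luksDump /dev/sda3` output to a file before running `clevis luks bind`, the second afterwards, and feed both to `binding_check`; a result with an empty `new_keyslots` means the bind did not land, and `passphrase_fallback` being false means the only remaining slot is the TPM-bound one.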
  • Restart the machine; the encrypted disk is unlocked automatically and you reach the login prompt
$ reboot

See also

  • Original article: TPM Encryption in Fedora (https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/)