Update: Starting with systemd version 248, TPM2 unlock support is built-in and it is much faster than clevis. Follow this guide to get it working.
A simple hook to unlock LUKS devices on boot using TPM and clevis.

Tested system:

- Manjaro Linux 20.2.1 with `systemd-boot` and `mkinitcpio`.

Installation steps:

- Install the following packages:

```sh
sudo pacman --needed -S clevis tpm2-tools luksmeta libpwquality
```

- Add the `clevis` binding to your LUKS device:

```sh
sudo clevis luks bind -d <device> tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'
```

- Install the `clevis` hook:

```sh
sudo ./install.sh
sudo vim /etc/mkinitcpio.conf # Edit the hooks and add clevis before the 'encrypt' hook. Eg: HOOKS=(.. clevis encrypt ..)
```

  Note: If you are using `plymouth`, replace the `plymouth-encrypt` hook with `encrypt`. `plymouth-encrypt` is reported to be buggy when the device is already unlocked. More info.

- Generate the `initramfs` image:

```sh
sudo mkinitcpio -P
```

- Reboot.
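The hook-ordering edit in the install step is easy to get wrong by hand (a `clevis` hook placed after `encrypt` never gets a chance to unlock the device). The script below is an added example, not part of this hook project: it rewrites the `HOOKS=` line of a mkinitcpio.conf so that `clevis` sits directly before `encrypt` and `plymouth-encrypt` is replaced by `encrypt`, as described above, keeping a `.bak` copy of the file. The function names, the constructed sample `HOOKS` lines and the `.bak` suffix are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the hook project's own code): normalise a mkinitcpio
# HOOKS line so that 'clevis' runs before 'encrypt'. Works on a string so
# it can be checked without touching /etc/mkinitcpio.conf.

fix_hooks_line() {
    line="$1"
    # Replace 'plymouth-encrypt' with 'encrypt' (bounded by space or paren).
    line=$(printf '%s\n' "$line" | sed -E 's/([( ])plymouth-encrypt([ )])/\1encrypt\2/g')
    # Insert 'clevis' before 'encrypt' unless it is already in the list.
    case "$line" in
        *clevis*) ;;
        *) line=$(printf '%s\n' "$line" | sed -E 's/([( ])encrypt([ )])/\1clevis encrypt\2/') ;;
    esac
    printf '%s\n' "$line"
}

# Patch the HOOKS= line of a real config file in place, keeping a backup.
patch_mkinitcpio_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"          # assumption: a .bak copy is acceptable
    tmp="$conf.tmp"
    : > "$tmp"
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in
            HOOKS=*) l=$(fix_hooks_line "$l") ;;
        esac
        printf '%s\n' "$l" >> "$tmp"
    done < "$conf"
    mv "$tmp" "$conf"
}

# Constructed sample HOOKS lines (not taken from any real system).
sample_plymouth='HOOKS=(base udev autodetect keyboard keymap modconf block plymouth-encrypt filesystems fsck)'
sample_done='HOOKS=(base udev autodetect keyboard keymap modconf block clevis encrypt filesystems fsck)'
fix_hooks_line "$sample_plymouth"   # clevis inserted, plymouth-encrypt replaced
fix_hooks_line "$sample_done"       # already correct, left unchanged
```

To apply it to the live configuration, run `patch_mkinitcpio_conf /etc/mkinitcpio.conf` as root and then regenerate the initramfs as in the next step; the `.bak` copy lets you restore the previous hook order if the boot fails.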
If you have updated any of the settings in the BIOS or changed anything in the kernel options, you have to recreate the clevis binding, as the TPM will no longer be able to unlock the device:

```sh
sudo clevis luks unbind -d <device> -s <slot-id> # slot-id is usually 1
sudo clevis luks bind -d <device> tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'
```

Usually unlocking fails only when any of the TPM registers (PCRs) were updated as part of a system configuration change. Try rebooting the system and re-adding the clevis LUKS binding. In most cases this fixes the issue. Feel free to create an issue if your problem is not resolved.
Forked from arch-clevis by Andrei Costescu. I just simplified it, fixed some bugs and added a clear README.