LUKS encrypted disk and TPM2 #34
Comments
@moonwolf-github as long as you have the tpm2-tools and clevis projects installed and support for the TPM device (tpm driver and in-kernel resource manager) in the other source (disk or pendrive), yes. There's a Now, if you seal against a PCR state (i.e. setting pcr_ids or pcr_digest in the JSON config), it may be different if you boot another media with a different kernel, command line parameters, etc., depending on what's measured by your bootloader. But even in that case, you may be able to unlock it using the original LUKS master key in slot 0, since clevis does not remove that.
So, it's impossible to protect an encrypted disk from decryption? Thank you for the information.
@moonwolf-github it depends on your threat model. The tpm2 pin says the following in its man page:
So just using the clevis tpm2 pin protects you from someone stealing an encrypted disk from a physical machine or a guest VM from a host. But it doesn't protect from someone stealing a laptop, for example, and getting access to both the encrypted media and the tpm2 device. For the latter case, the disk should also be bound to something that won't be accessible by the attacker. For example, using the Shamir Shared Secret pin and splitting the key in two parts, and using both the tpm2 and the tang server to store those parts.
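The two configurations described in this answer, written out as an added example (this is not code from the clevis project or from the thread participants): the tpm2 pin alone, optionally sealed to a PCR state via `pcr_ids` as the earlier comment mentions, and the sss pin combining tpm2 and tang with a threshold of 2. The device path `/dev/sdX2`, the PCR selection `7` and the Tang URL `http://tang.example.com` are placeholders; with `DRY_RUN=1` the script only prints the `clevis luks bind` commands it would run.

```shell
#!/bin/sh
# Added example, not clevis's own code. Builds Clevis pin configurations for
# the cases discussed in the thread and binds them with "clevis luks bind".
# Device path, PCR ids and Tang URL below are placeholders, not real values.
set -eu

# tpm2 pin config. Sealing against pcr_ids ties the unlock to the measured boot
# state, so booting other media with a different kernel/cmdline may not unlock.
# $1 = PCR bank (e.g. sha256), $2 = comma-separated PCR ids ("" = no PCR policy)
tpm2_cfg() {
    bank=$1; ids=${2:-}
    if [ -n "$ids" ]; then
        printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$bank" "$ids"
    else
        printf '{}'
    fi
}

# tang pin config: only the server URL is required.
tang_cfg() {
    printf '{"url":"%s"}' "$1"
}

# sss pin config: threshold t over the named sub-pins.
# Usage: sss_cfg 2 tpm2 '{...}' tang '{...}'
sss_cfg() {
    t=$1; shift
    pins=""
    while [ $# -ge 2 ]; do
        pins="${pins:+$pins,}\"$1\":$2"
        shift 2
    done
    printf '{"t":%s,"pins":{%s}}' "$t" "$pins"
}

# Bind a pin to a LUKS device. With DRY_RUN=1 the command is only printed so
# it can be reviewed before a real LUKS header is touched.
clevis_bind() {
    dev=$1; pin=$2; cfg=$3
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'clevis luks bind -d %s %s %s\n' "$dev" "$pin" "$cfg"
    else
        clevis luks bind -d "$dev" "$pin" "$cfg"
    fi
}

# Case 1 from the thread: tpm2 only. Covers a disk (or VM image) carried away
# without the TPM it was sealed to.
tpm2_only() {
    clevis_bind "$1" tpm2 "$(tpm2_cfg sha256 7)"
}

# Case 2: disk and TPM stolen together (a laptop). Require tpm2 AND tang (t=2),
# so the attacker also needs network access to the Tang server.
tpm2_and_tang() {
    clevis_bind "$1" sss "$(sss_cfg 2 tpm2 "$(tpm2_cfg sha256 7)" tang "$(tang_cfg "$2")")"
}

# Binding adds a new keyslot; the original passphrase slot is kept. Listing the
# slots lets the operator confirm a non-TPM recovery path still exists.
show_slots() {
    cryptsetup luksDump "$1" | grep -E '^Key Slot|^ *[0-9]+: luks2'
}

if [ "${DRY_RUN:-0}" = 1 ]; then
    tpm2_only /dev/sdX2
    tpm2_and_tang /dev/sdX2 http://tang.example.com
fi
```

Run it once with `DRY_RUN=1` to see the exact commands, then without it on the real device; afterwards `show_slots /dev/sdX2` shows the passphrase slot alongside the slot clevis added, which is the recovery path the first answer refers to.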
I'm struggling with clevis 9 on CentOS7 right now (with some success), but a question is bothering me: I want to automatically boot a host with a LUKS-encrypted disk using TPM2. According to the README it is possible. But will I be able to decrypt this disk on the same host booted from another source (another disk, pendrive)?