Fedora Workstation includes systemd-cryptenroll by default which makes adding alternative methods for unlocking LUKS partitions fairly straight forward. This article shows how to use either a TPM2 chip or a FIDO U2F security key as an alternative factor to the passphrase when unlocking your LUKS partitions.
Previous Articles
A TPM2 chip is a little piece of storage with secure APIs where you can store secrets protected by Secure Boot. Secure Boot establishes a chain of trust by computing hashes based on, for example, hardware or software components. This way you can store a LUKS decryption key which is only accessible if the system is in a non-tampered state (in theory). Unfortunately, this means you’ll want to measure things like your initramfs and kernel into this state which means invalidating this factor every time you do a system upgrade. FIDO U2F keys do not suffer from this problem as they are not tied to the hardware platform.
Check out my previous article about using an integrated TPM2 secure storage device to learn more in-depth specifics about how TPM2-based unlocking works and its security implications.
The previous article, however, uses clevis which adds additional dependencies and has a more complex interface than using the already present systemd-cryptenroll.
A FIDO2 or FIDO U2F compliant key is an external storage device with secure APIs for storing and retrieving secrets. These keys can be used as a second- or sole-factor in authentication flows. Secrets never leave the device and verification is done on the client. So attack scenarios like fishing are mitigated by design as compared to other MFA (multi-factor authentication) technologies like TOTP (time-based one time passwords).
A previous post about FIDO U2F / FIDO2 keys here on Fedora Magazine showed how to set up those keys for Linux PAM authentication – primarily sudo and GNOME login.
(Maybe) Get rid of clevis
Assuming you followed the previous post on using TPM2 you might want to unbind and remove clevis before proceeding with systemd-cryptenroll. Otherwise just skip this section.
First, remove any TPM2 binding from the LUKS secrets slots. Beware: do not remove slot 0 as it contains the passphrase binding!
$ sudo clevis luks list -d /dev/nvme0n1p3 ... Slot 1 (or whichever is your TPM2 binding) ... $ sudo clevis luks unbind -d /dev/nvme0n1p3 -s 1
Now remove the clevis packages.
sudo dnf remove -y clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd
Choose TPM2 or FIDO as an alternative decryption method
The following steps are required for both methods. Choose one to your liking.
- Add the corresponding dracut module so support is available in the initramfs at boot
- Enroll / bind a LUKS secret slot tied to either the TPM2 or the FIDO key
- Update /etc/crypttab with the new configuration
- Rebuild the initramfs to apply the changes
It is important to run dracut last to not only include new dependencies but also your updated crypttab in the initramfs.
Use systemd-cryptenroll with a FIDO U2F key
Add the fido2 dracut module to your dracut configuration.
$ echo "add_dracutmodules+=" fido2 "" | sudo tee /etc/dracut.conf.d/fido2.conf add_dracutmodules+=" fido2 "
Now enroll the FIDO key with your LUKS partition as an alternative decryption factor. See systemd-cryptenroll(1) for options to control features like touch or pin prompt. By default presence and pin are requested for enrollment and use.
sudo systemd-cryptenroll --fido2-device auto /dev/nvmen1p3
Update /etc/crypttab and append fido2-device=auto to the appropriate line’s options. A line in crypttab consists of four fields with the last one being a comma separated list.
Finally, rebuild your initramfs using dracut. The following command will rebuild your currently-booted initramfs slot.
sudo dracut -f
Don’t worry about the FIDO key not working or about losing it since the passphrase is still available as a fallback.
You’ll now be prompted at boot to enter the PIN of your FIDO key. Be aware that the PIN entry prompt looks exactly the same as the passphrase prompt. You will notice a difference only when using the terminal (which you can view by hitting the ESC key). After entering the correct PIN the hardware token will prompt you to touch it which (also) is not indicated on the prompt. If it does not prompt for a touch, then systemd-cryptenroll was not able to find a hardware token corresponding to the entered PIN.
Note: systemd-cryptenroll does not currently work with multiple connected hardware tokens.
Use systemd-cryptenroll with a TPM2 chip
Add the tpm2-tss module to your dracut configuration.
$ echo "add_dracutmodules+=" tpm2-tss "" | sudo tee /etc/dracut.conf.d/tpm2.conf add_dracutmodules+=" tpm2-tss "
Enroll the TPM2 chip as alternative decryption factor for your LUKS partition(s). The ‐‐wipe-slot tpm2 option ensures that after successful enrollment any previous bindings are removed. Use this command every time you need to update the binding.
sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "0+1+2+3+4+5+7+9" /dev/nvme0n1p3
Update /etc/crypttab and append tpm2-device=auto,tpm2-pcrs=0,1,2,3,4,5,7,9 to the appropriate line’s options, depending on the PCRs used. A line in crypttab consists of four fields with the last one being a comma separated list.
Last but not least, rebuild your initramfs using dracut. The following command will rebuild your currently booted initramfs slot.
sudo dracut -f
Alexander Wellbrock
Alex love for Free and Open Source Software ignited through his fascination of its design and principles. His private and professional lives are driven by the self-efficacy enabled through simple but beautiful, free and open systems. He is asking himself “How can we thrive through collaboration instead of competition?” and is certain the answer to this utilizes FOSS.
