[dm-crypt] [TrouSerS-users] TPM support for LUKS partitions

Olga Chen olgagel at gmail.com
Sat Jan 5 16:02:01 CET 2013


Very excited to see this! Since I've been working on something similar for cryptsetup, I am looking forward to trying this out. It is also great to hear that this works with TrustedGrub. Since TrustedGrub is based on Grub 0.97 (and is not compatible with Grub 2), I've been installing Fedora 15 and then upgrading to Fedora 16 and then 17. It's tedious but it worked for me. I would be interested if someone has a better way of doing this.
Again - thanks for tpm-luks!

On Nov 27, 2012, at 20:45, Kent Yoder <shpedoikal at gmail.com> wrote:

> Hi,
> 
>  I've put together some scripts and utilities [1] to allow storing a
> LUKS secret in TPM NVRAM.  This is different than securing your secret
> by encrypting it with a TPM key in that there's no separate key blob
> to manage. The key data is written directly into TPM NVRAM, r/w
> protected by your password (and optionally TPM PCR state).  Note that
> there's a limit to the space you'll have in NVRAM depending on your
> TPM's vendor.
> 
> You can use the tpm-luks package to:
> - create a new secret, insert it into the TPM and add it to a LUKS key slot
> - open a LUKS device using a TPM secret for auth
> - kill a LUKS key slot using a TPM secret for auth
> - unlock your rootfs at boot using a TPM secret for auth (tested on
> RHEL6 and Fedora 17)
> - bind the secret to a trusted grub-based root of trust
> - migrate the secret from one root of trust to a new one (tested on RHEL6)
> - support for a custom root of trust including migration
> 
> Please give it a try, I'm interested in general user feedback, bug
> reports, code reviews, design reviews, flames, etc.
> 
> Also if you're a developer and willing to contribute, I'm particularly
> interested in code to support non-redhat distros' initramfs formats
> and migrate secrets to new roots of trust.
> 
> Thanks,
> Kent
> 
> [1] git://github.com/shpedoikal/tpm-luks.git
> 
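The quoted message describes the core idea: the LUKS secret sits in TPM NVRAM, readable only with the area's auth value and, optionally, only while the selected PCRs hold the values recorded when the secret was bound to the trusted-grub root of trust. The following is an added illustration, not code from tpm-luks or from the thread: it models the TPM 1.2 PCR extend operation and the PCR composite digest, then shows why a changed kernel measurement makes the NV read fail even with the right password. The PCR assignments and measurements are constructed, and `nv_read_allowed` is a model of the TPM's check, not a TrouSerS call.

```python
import hashlib

PCR_LEN = 20  # TPM 1.2 PCRs hold a SHA-1 digest

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: new PCR = SHA-1(old PCR || SHA-1(measured data))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def boot_pcrs(components):
    """Simulated measured boot: each (pcr index, component bytes) is extended
    in order, as a trusted bootloader would; PCRs start at all zeros."""
    pcrs = {}
    for index, data in components:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_LEN)), data)
    return pcrs

def composite_hash(pcrs, selected):
    """SHA-1 of a TPM_PCR_COMPOSITE over the selected PCRs (TPM 1.2 layout:
    TPM_PCR_SELECTION {sizeOfSelect=3, bitmap} || valueSize || PCR values)."""
    bitmap = bytearray(3)
    for i in selected:
        bitmap[i // 8] |= 1 << (i % 8)
    values = b"".join(pcrs[i] for i in sorted(selected))
    blob = (3).to_bytes(2, "big") + bytes(bitmap) + len(values).to_bytes(4, "big") + values
    return hashlib.sha1(blob).digest()

def define_area(password, pcrs, selected):
    """Model of defining an auth-protected NV area with PCR read constraints
    taken from the current boot state (what binding the secret records)."""
    return {"password": password, "pcrs": tuple(selected),
            "composite": composite_hash(pcrs, selected)}

def nv_read_allowed(area, password, pcrs):
    """Model of the TPM's NV read check: correct auth value AND the current
    composite of the constrained PCRs equals the one stored at define time."""
    return password == area["password"] and composite_hash(pcrs, area["pcrs"]) == area["composite"]

def demo():
    # Constructed measurement log; the PCR indices are illustrative only.
    good_boot = [(4, b"mbr v1"), (8, b"grub stage2 v1"), (14, b"vmlinuz v1"), (14, b"initramfs v1")]
    area = define_area("hunter2", boot_pcrs(good_boot), (4, 8, 14))
    same_boot = nv_read_allowed(area, "hunter2", boot_pcrs(good_boot))
    wrong_pw = nv_read_allowed(area, "guess", boot_pcrs(good_boot))
    # A modified kernel changes PCR 14, so the composite no longer matches.
    tampered = [(14, b"vmlinuz modified") if c == (14, b"vmlinuz v1") else c for c in good_boot]
    changed_kernel = nv_read_allowed(area, "hunter2", boot_pcrs(tampered))
    return same_boot, wrong_pw, changed_kernel
```

This is also why migrating to a new root of trust, as the message mentions, is a distinct step: any change to the measured boot chain invalidates the recorded composite and the area must be re-bound.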

