[dm-crypt] TPM support for LUKS partitions

Kent Yoder shpedoikal at gmail.com
Wed Nov 28 02:45:47 CET 2012


  I've put together some scripts and utilities [1] to allow storing a
LUKS secret in TPM NVRAM.  This is different than securing your secret
by encrypting it with a TPM key in that there's no separate key blob
to manage. The key data is written directly into TPM NVRAM, r/w
protected by your password (and optionally TPM PCR state).  Note that
there's a limit to the space you'll have in NVRAM depending on your
TPM's vendor.

You can use the tpm-luks package to:
 - create a new secret, insert it into the TPM and add it to a LUKS key slot
 - open a LUKS device using a TPM secret for auth
 - kill a LUKS key slot using a TPM secret for auth
 - unlock your rootfs at boot using a TPM secret for auth (tested on RHEL6 and Fedora 17)
 - bind the secret to a trusted grub-based root of trust
 - migrate the secret from one root of trust to a new one (tested on RHEL6)
 - support for a custom root of trust including migration

Please give it a try; I'm interested in general user feedback, bug
reports, code reviews, design reviews, flames, etc.

Also, if you're a developer and willing to contribute, I'm particularly
interested in code to support non-Red Hat distros' initramfs formats
and migrate secrets to new roots of trust.


[1] git://github.com/shpedoikal/tpm-luks.git
