
[isar-cip-core,v4,8/9] README: Add rootfs encryption

Message ID: 20240502093240.364093-9-Quirin.Gylstorff@siemens.com
State: Superseded
Series: Add option to encrypt the rootfs

Commit Message

Quirin Gylstorff May 2, 2024, 9:31 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.tpm2.encryption.md | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

Comments

Felix Moessbauer May 3, 2024, 11:14 a.m. UTC | #1
On Thu, 2024-05-02 at 11:31 +0200, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  doc/README.tpm2.encryption.md | 20 +++++++++++++++++---
>  1 file changed, 17 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/README.tpm2.encryption.md
> b/doc/README.tpm2.encryption.md
> index c5ac6c4..889c3ca 100644
> --- a/doc/README.tpm2.encryption.md
> +++ b/doc/README.tpm2.encryption.md
> @@ -4,6 +4,10 @@ By adding the recipe `initramfs-crypt-hook` to the
> initramfs build user defined
>  encrypted during first boot. The encrypted partition is a LUKS
> partition and uses a TPM to secure the
>  passphrase on the device.
>  
> +> :exclamation:**IMPORTANT**
> +> All selected partition are encrypted on first boot. In order to
------------------^ partitions

> avoid the leakage of secrets
> +> the disk encryption should occur in a secure environment.
-------------------------^ should? I would be more strict and say
"must".

> +
>  ## Requirements
>  
>  Testing with qemu-amd64 requires the package `swtpm`. Under
> Debian/Ubuntu this can be installed
> @@ -38,12 +42,22 @@ The initramfs-crypt-hook recipe has the following
> variables which can be overwri
>  ### CRYPT_PARTITIONS
>  
>  The variable `CRYPT_PARTITIONS` contains the information which
> partition shall be encrypted where to mount it.
> -Each entry uses the schema `<partition-
> label>:<mountpoint>:<reencrypt or format>`.
> -- The `partition-label` is used to identify the partition on the
> disk
> +Each entry uses the schema `<partition-
> identifier>:<mountpoint>:<reencrypt or format>`.
> +- The `partition-idenitifer` is used to identify the partition on
> the disk, it can contain a partition label, partition UUID or
> absolute path to the partition device, e.g. `/dev/sda`.
>  - The `mountpoint` is used mount the decrypted partition in the root
> file system
>  - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting
> content of the partition. This reduces the partition by 32MB and the
> file system by a similar amount
>  - `format` creates a empty LUKS partition and creates a file system
> defined with the shell command given in
> `CRYPT_CREATE_FILE_SYSTEM_CMD`
>  
> +#### Encrypted root file system
> +
> +To encrypt the root file system the variable `CRYPT_PARTITIONS`
> needs to be set to:
> +```
> +CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt
> ${ABROOTFS_PART_UUID_B}::reencrypt"
> +```
> +The mountpoint is empty as the root partition is mounted by another
---------------------------------------------------------------^ an
instead of another.

> initramfs service.
> +Both partitions are encrypted during first boot. The initramfs opens
-----------------------------------------------------------------^ hook

Felix

> `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}`
> +during boot.
> +
>  ### CRYPT_CREATE_FILE_SYSTEM_CMD
>  
>  The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to
> create a new file system on a newly
> @@ -59,7 +73,7 @@ based encryption:
>   - jq
>  
>  ## steps to convert clevis to systemd
> -The following script shows how to enroll a systemd-tpm2 token with a
> existinng clevis based encryption:
> +The following script shows how to enroll a systemd-tpm2 token with a
> existing clevis based encryption:
>  ```bash
>  export device=/dev/sda6
>  export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-
> metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots
> | first' | head -n1)

Patch

diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md
index c5ac6c4..889c3ca 100644
--- a/doc/README.tpm2.encryption.md
+++ b/doc/README.tpm2.encryption.md
@@ -4,6 +4,10 @@  By adding the recipe `initramfs-crypt-hook` to the initramfs build user defined
 encrypted during first boot. The encrypted partition is a LUKS partition and uses a TPM to secure the
 passphrase on the device.
 
+> :exclamation:**IMPORTANT**
+> All selected partition are encrypted on first boot. In order to avoid the leakage of secrets
+> the disk encryption should occur in a secure environment.
+
 ## Requirements
 
 Testing with qemu-amd64 requires the package `swtpm`. Under Debian/Ubuntu this can be installed
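Review bot: the new IMPORTANT block at `+> All selected partition are encrypted` has a number error (`partitions`) and understates the requirement in `the disk encryption should occur in a secure environment`: until the first boot has completed, the selected partitions still hold their content unencrypted, so `must` is the right strength. Stating the reason helps the reader judge the risk, e.g. `> Until the first boot has completed, the selected partitions hold their content unencrypted; the disk encryption must therefore occur in a secure environment.`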
@@ -38,12 +42,22 @@  The initramfs-crypt-hook recipe has the following variables which can be overwri
 ### CRYPT_PARTITIONS
 
 The variable `CRYPT_PARTITIONS` contains the information which partition shall be encrypted where to mount it.
-Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format>`.
-- The `partition-label` is used to identify the partition on the disk
+Each entry uses the schema `<partition-identifier>:<mountpoint>:<reencrypt or format>`.
+- The `partition-idenitifer` is used to identify the partition on the disk, it can contain a partition label, partition UUID or absolute path to the partition device, e.g. `/dev/sda`.
 - The `mountpoint` is used mount the decrypted partition in the root file system
 - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount
 - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD`
 
+#### Encrypted root file system
+
+To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to:
+```
+CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt"
+```
+The mountpoint is empty as the root partition is mounted by another initramfs service.
+Both partitions are encrypted during first boot. The initramfs opens `${ABROOTFS_PART_UUID_A}` and `${ABROOTFS_PART_UUID_B}`
+during boot.
+
 ### CRYPT_CREATE_FILE_SYSTEM_CMD
 
 The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly
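Review bot: the bullet `+- The `partition-idenitifer` is used to identify the partition` misspells the placeholder that the schema line right above it introduces as `<partition-identifier>`, so the two no longer match; fix the spelling. The example `/dev/sda` names a whole disk, while the bullet says the path points to the partition device; `/dev/sda2` or similar would match the text. In the new `Encrypted root file system` section, `mounted by another initramfs service` should read `an initramfs service`, and `The initramfs opens` presumably means the initramfs hook. Since the example leaves the `<mountpoint>` field empty, the schema description above should say that the field may be left empty when another service mounts the partition.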
@@ -59,7 +73,7 @@  based encryption:
  - jq
 
 ## steps to convert clevis to systemd
-The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption:
+The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption:
 ```bash
 export device=/dev/sda6
 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)
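Review bot: the hunk corrects `existinng` but leaves the article wrong: `with a existing clevis based encryption` should be `with an existing clevis-based encryption`. The unchanged `jq` filter in the context line, `.tokens.[]`, uses the chained-index form that jq accepts only from 1.7 on; `.tokens[]` selects the same values and also works with older releases, e.g. `jq -c '.tokens[] | select(.type == "clevis") | .keyslots | first'`.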