Make your backup key on a removable device (USB/MMC), generate a STRONG (BitLocker-like 48-digit) recovery key, seal your key in the TPM device, and enjoy automatic unlocking of your Full Disk Encryption.
This tool is compatible with TPM versions 1.2 and 2.0.
- Ubuntu dist.
- tpm-tools package or tpm2-tools package (only one of the two should be installed)
- TPM v1.2/v2.0 device/emulator
```
sudo ./install
# Options
#   -u, --uninstall   remove from your system.
#   -p, --purge       remove and delete /etc/default/luks-tpm-tools
#   --pcrs <list>     define your own TPM_PCRS (e.g. "0,2,4,7,9")
```
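The `--pcrs` value is a comma-separated list of PCR indices, and a typo there means the key is sealed against the wrong measurements. The following parser is an added example (not code from luks-tpm-tools): the `"0,2,4,7,9"` format comes from the option above, while the function names, the 0..23 index range and the tpm2-tools-style `sha256:...` rendering are assumptions.

```python
"""Parse and validate a TPM PCR list such as the one given to --pcrs.

Added example, not part of luks-tpm-tools. Only the "0,2,4,7,9" value
format comes from the README; function names, the 0..23 range and the
"bank:indices" output form are assumptions.
"""
from typing import List

# Both TPM 1.2 and TPM 2.0 expose PCR 0..23.
MAX_PCR_INDEX = 23

# Typical meaning of the README's default indices on a UEFI PC (TCG PC
# Client convention, listed here only as orientation for the reader):
#   0 = platform firmware code, 2 = option ROMs / extensible firmware code,
#   4 = boot manager code, 7 = Secure Boot policy, 9 = files loaded by the
#   boot loader (kernel/initrd under GRUB).


def parse_pcrs(spec: str) -> List[int]:
    """Turn "0,2,4, 7,9" into a sorted, de-duplicated list of PCR indices.

    Raises ValueError on empty input, non-numeric entries or out-of-range
    indices, so a bad TPM_PCRS value fails loudly instead of sealing the
    LUKS key to an unintended PCR set.
    """
    if not spec.strip():
        raise ValueError("PCR list must not be empty")
    indices = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok.isdigit():
            raise ValueError(f"invalid PCR index {tok!r}")
        idx = int(tok)
        if idx > MAX_PCR_INDEX:
            raise ValueError(f"PCR index {idx} out of range 0..{MAX_PCR_INDEX}")
        indices.add(idx)
    return sorted(indices)


def is_valid_pcr_spec(spec: str) -> bool:
    """Boolean wrapper around parse_pcrs for callers that only need a check."""
    try:
        parse_pcrs(spec)
        return True
    except ValueError:
        return False


def pcr_selection(spec: str, bank: str = "sha256") -> str:
    """Render the list as "bank:idx,idx,..." (assumed tpm2-tools style)."""
    return f"{bank}:" + ",".join(str(i) for i in parse_pcrs(spec))


if __name__ == "__main__":
    print(pcr_selection("0,2,4,7,9"))
```

Rejecting an unknown index up front matters because sealing silently to a PCR that never changes would make the "PCR check" meaningless, while sealing to one that changes on every boot would lock the automatic path out permanently.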
You can test the readability of your LUKS key in the TPM device NVRAM or in the keyfile from the terminal; this is the actual script used to read the LUKS key during the initramfs procedure.
This command generates an auto-unlock USB key. With it you don't need to enter the long passphrase when unlocking your system (if the TPM PCR check failed) or when running key_seal.
Generates a strong recovery key. It looks similar to MS BitLocker's 48-digit (20 bytes) recovery password. If your LUKS passphrase is shorter than 16 characters, running this at least once is highly recommended. Print it out and keep it in a physically safe place.
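To show what "BitLocker-like 48-digit" means in practice, here is an added example that generates and checks such a key. It is not the tool's key_recovery implementation: it follows BitLocker's published layout, in which each of the eight 6-digit groups is a 16-bit value multiplied by 11, so a mistyped digit is caught by the divisible-by-11 check before the key is ever tried against LUKS. Function names and the dash-separated rendering are assumptions.

```python
"""Generate and validate a BitLocker-style 48-digit recovery key.

Added example, not the key_recovery code from luks-tpm-tools. Layout
(BitLocker's published format, assumed here): eight 6-digit groups, each a
16-bit value times 11, giving 128 bits of entropy with a per-group typo check.
"""
import secrets
from typing import List

GROUPS = 8
GROUP_MAX = 0xFFFF * 11  # 720885, still fits in six digits


def encode_recovery_key(words: List[int]) -> str:
    """Encode eight 16-bit values as "dddddd-dddddd-...-dddddd"."""
    if len(words) != GROUPS or any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("need exactly eight 16-bit values")
    return "-".join(f"{w * 11:06d}" for w in words)


def generate_recovery_key() -> str:
    """Draw 128 bits from the OS CSPRNG and encode them as 48 digits."""
    return encode_recovery_key([secrets.randbelow(0x10000) for _ in range(GROUPS)])


def decode_recovery_key(key: str) -> bytes:
    """Validate a typed key and return the 16 secret bytes it encodes.

    Dashes and spaces are ignored. Raises ValueError on wrong length,
    non-digit characters, or a group that is not divisible by 11 (typo).
    """
    cleaned = key.replace("-", "").replace(" ", "")
    if len(cleaned) != GROUPS * 6 or not cleaned.isdigit():
        raise ValueError("recovery key must be exactly 48 digits")
    out = bytearray()
    for i in range(GROUPS):
        group = int(cleaned[i * 6:(i + 1) * 6])
        if group % 11 != 0 or group > GROUP_MAX:
            raise ValueError(f"group {i + 1} fails the divisible-by-11 check")
        out += (group // 11).to_bytes(2, "big")
    return bytes(out)


def is_valid_recovery_key(key: str) -> bool:
    """Boolean wrapper so an unlock prompt can re-ask instead of failing."""
    try:
        decode_recovery_key(key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    k = generate_recovery_key()
    print(k)                          # 48 digits in 8 groups
    print(decode_recovery_key(k).hex())  # the 16 bytes behind them
```

The point of the per-group check is usability at the recovery prompt: a user reading 48 digits off paper will occasionally mistype one, and the check lets the prompt point at the wrong group instead of rejecting the whole key or, worse, burning a LUKS unlock attempt on it.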
Passphrase options when newly generating and sealing the keyfile:
- (Automatic) use the backup USB;
- (Manual) use the recovery passphrase.
The keyfile is saved in the NVRAM area of your TPM device (default). However, if you set NVRAM="" as a default parameter in /etc/default/luks-tpm-tools, key_seal tries to use the /boot partition to store the keyfile in encrypted form instead of using NVRAM.
NVRAM (Non-Volatile RAM) semiconductors may wear out if too many writes are performed, but this is of little concern for LUKS key operation, which is mostly read after being written once.
NVRAM also has a security advantage: with the READ_STCLEAR flag set, the TPM refuses to read the key again after it has been read once at boot time.