Systemd 248 To Allow Unlocking Encrypted Volumes Via TPM2 / FIDO2 / PKCS#11 Hardware


    Phoronix: Systemd 248 To Allow Unlocking Encrypted Volumes Via TPM2 / FIDO2 / PKCS#11 Hardware

    For those with TPM2 security chips in your system or various hardware security tokens like YubiKeys, the upcoming systemd 248 will make it much easier to use them for unlocking your encrypted LUKS2 volumes...

    http://www.phoronix.com/scan.php?pag...lock-Encrypted

  • #2
    This was the winning application for this type of full disk encryption from the start, thank God (and Lennart's crew) it's finally a thing.


  • #3
    How can this be used for full disk encryption? Since this is in systemd, shouldn't it be loaded after the root partition is mounted? If I got it right, it requires /etc/crypttab, which should be inaccessible until root decryption.

    If someone knows more, please let me know.


  • #4
    Originally posted by Mani:
      How can this be used for full disk encryption? Since this is in systemd, shouldn't it be loaded after the root partition is mounted? If I got it right, it requires /etc/crypttab, which should be inaccessible until root decryption.

      If someone knows more, please let me know.

    I would imagine it can be part of initramfs, just like cryptsetup today.


  • #5
    Lennart's blog post, like most everything he writes about systemd, reads like a very strong advertisement for using sysvinit or runit or openrc or s6.


  • #6
    Well that's long overdue! Can't wait, really.


  • #7
    Originally posted by Mani:
      How can this be used for full disk encryption? Since this is in systemd, shouldn't it be loaded after the root partition is mounted? If I got it right, it requires /etc/crypttab, which should be inaccessible until root decryption.

      If someone knows more, please let me know.

    Two-part loader. First a key unlocks the master key stored in the TPM or hardware dongle. From there the support software unlocks the rest of the drive with the unlocked master key. It's not that much different from software that allows changing passwords while still maintaining the integrity of the encrypted file contents. It's the same thing that happens when you press your finger on a fingerprint sensor on a phone. That data is used to unlock the master key, which never changes, and then unlocks your device and the encrypted data stored on the flash memory. Your fingerprint by itself is not the complete key; otherwise adding your other fingers to unlock the device wouldn't work.

    The other way is unattended host encryption and is used to prevent theft of cold data rather than preventing whole device theft. The TPM checks to be sure it's in the specifically correct host, then it unlocks the master key, which becomes available to the higher-level software stack boot loader to unlock the rest of the data and continue the boot process.

    Edit to add: SystemD needs to also be TPM aware because it can also mount encrypted devices after the boot process, and in high-security but otherwise unattended environments it needs to be able to read a FIDO key or TPM on the host itself to unlock the device-locked storage, bypassing the need for fallible passwords (and human memory).
    Last edited by stormcrow; 13 January 2021, 08:32 PM.


  • #8
    Originally posted by andyprough:
      Lennart's blog post, like most everything he writes about systemd, reads like a very strong advertisement for using sysvinit or runit or openrc or s6.

    Why? Care to spare a few more words to explain your point, or is it just the lack of sex in your life?
    Here's your feed, buddy...


  • #9
    Originally posted by Mani:
      How can this be used for full disk encryption? Since this is in systemd, shouldn't it be loaded after the root partition is mounted? If I got it right, it requires /etc/crypttab, which should be inaccessible until root decryption.

      If someone knows more, please let me know.

    Full disk encryption (for disks that contain the /) won't be using crypttab with "legacy" non-systemd solutions either. You'll need to provide the key before the / is even mountable. It's done in initramfs.


  • #10
    This is nice, but I am missing one more use case: hardware dongles can be stolen. Use of a hardware dongle as a second factor is also a desirable use case.
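The two-stage unlocking stormcrow describes in #7 (a factor unwraps a volume master key that itself never changes, and the TPM only releases its share on the enrolled host) and the second-factor worry raised in #10 can both be seen in one small model. This is an added example written for this page, not systemd's or cryptsetup's code: the TPM2 chip (PCR-policy seal/unseal), the FIDO2 token (an hmac-secret style response), the key-wrapping scheme and every secret and slot name are constructed stand-ins. It uses only the Python standard library:

```python
"""Added example, not systemd code: LUKS2-style keyslots that all wrap one master key.
Standard library only; the TPM2 chip and the FIDO2 token are simulated, not real devices."""
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32  # master key and every key-encryption key (KEK) are 256-bit


class SimulatedTpm:  # model of TPM2 seal/unseal under a PCR policy, not real TPM calls
    def __init__(self):
        self._sealed = {}  # handle -> (expected PCR digest, sealed secret)

    def seal(self, secret: bytes, pcr_digest: bytes) -> int:
        self._sealed[len(self._sealed)] = (pcr_digest, secret)
        return len(self._sealed) - 1

    def unseal(self, handle: int, current_pcr_digest: bytes) -> bytes:
        expected, secret = self._sealed[handle]
        if not hmac.compare_digest(expected, current_pcr_digest):
            raise PermissionError("PCR mismatch: not the enrolled host or boot chain")
        return secret


def fido2_hmac_secret(device_key: bytes, credential_salt: bytes) -> bytes:
    # Model of the FIDO2 hmac-secret extension: the token HMACs a salt with a key
    # that never leaves the device (simplified assumption, not the CTAP2 wire format).
    return hmac.new(device_key, credential_salt, "sha256").digest()


def kek_from_passphrase(passphrase: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, KEY_LEN)


def kek_from_factors(salt: bytes, *factor_secrets: bytes) -> bytes:
    """Bind independent secrets (TPM blob, token response) so none alone yields the KEK."""
    h = hmac.new(salt, digestmod="sha256")
    for s in factor_secrets:
        h.update(len(s).to_bytes(2, "big") + s)
    return h.digest()


def wrap(kek: bytes, master_key: bytes) -> bytes:
    """Encrypt-then-MAC wrapping of the master key (HMAC keystream + HMAC tag)."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(master_key, stream))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    if not hmac.compare_digest(hmac.new(kek, b"mac" + nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key for this slot")
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class Volume:  # one encrypted volume: a fixed master key plus any number of keyslots
    def __init__(self):
        self.master_key = secrets.token_bytes(KEY_LEN)
        self.slots = {}  # slot name -> (salt, wrapped master key)

    def enroll_passphrase(self, name: str, passphrase: bytes) -> None:
        salt = os.urandom(16)
        self.slots[name] = (salt, wrap(kek_from_passphrase(passphrase, salt), self.master_key))

    def enroll_factors(self, name: str, *factor_secrets: bytes) -> None:
        salt = os.urandom(16)
        self.slots[name] = (salt, wrap(kek_from_factors(salt, *factor_secrets), self.master_key))

    def revoke(self, name: str) -> None:
        del self.slots[name]  # the master key and the data on disk are untouched

    def unlock_passphrase(self, name: str, passphrase: bytes) -> bytes:
        salt, blob = self.slots[name]
        return unwrap(kek_from_passphrase(passphrase, salt), blob)

    def unlock_factors(self, name: str, *factor_secrets: bytes) -> bytes:
        salt, blob = self.slots[name]
        return unwrap(kek_from_factors(salt, *factor_secrets), blob)


def fails(call, exc) -> bool:
    """True if calling `call` raises `exc` (used to check that bad unlocks are refused)."""
    try:
        call()
    except exc:
        return True
    return False


def demo() -> dict:
    """Enroll three slots, exercise them, revoke one; returns named boolean checks."""
    vol, tpm = Volume(), SimulatedTpm()
    master = vol.master_key
    token_key, cred_salt = secrets.token_bytes(KEY_LEN), os.urandom(32)  # constructed values
    host_a = hashlib.sha256(b"constructed PCR digest: enrolled host's boot chain").digest()
    host_b = hashlib.sha256(b"constructed PCR digest: some other machine").digest()
    handle = tpm.seal(secrets.token_bytes(KEY_LEN), host_a)
    vol.enroll_passphrase("recovery", b"correct horse battery staple")
    vol.enroll_factors("tpm2-unattended", tpm.unseal(handle, host_a))
    vol.enroll_factors("tpm2+fido2", tpm.unseal(handle, host_a),
                       fido2_hmac_secret(token_key, cred_salt))
    checks = {"passphrase_unlocks": vol.unlock_passphrase(
        "recovery", b"correct horse battery staple") == master}
    checks["tpm_unlocks_on_enrolled_host"] = vol.unlock_factors(
        "tpm2-unattended", tpm.unseal(handle, host_a)) == master
    # disk moved to another machine: the TPM never releases its secret
    checks["other_host_rejected"] = fails(lambda: tpm.unseal(handle, host_b), PermissionError)
    # a stolen dongle on its own (or the TPM on its own) cannot open the two-factor slot
    checks["dongle_alone_rejected"] = fails(
        lambda: vol.unlock_factors("tpm2+fido2", fido2_hmac_secret(token_key, cred_salt)), ValueError)
    checks["both_factors_unlock"] = vol.unlock_factors(
        "tpm2+fido2", tpm.unseal(handle, host_a), fido2_hmac_secret(token_key, cred_salt)) == master
    vol.revoke("recovery")  # rotating a factor never re-encrypts the data
    checks["master_key_unchanged_after_revoke"] = vol.master_key == master
    return checks
```

demo() returns six checks, all True on a correct run. The real tooling works the same way at the LUKS2 layer: systemd-cryptenroll adds a TPM2, FIDO2 or PKCS#11 keyslot beside an existing passphrase slot, every slot wraps the same volume key, and dropping a slot does not touch the encrypted data. The "tpm2+fido2" slot that needs both secrets at once is this model's own construction; whether systemd itself can bind two tokens to a single slot is not something this thread establishes.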
