Binding LUKS with TPM

In this blog post, we’ll explore how to bind LUKS encryption to a TPM using the Clevis tool on Linux. We’ll provide technical details and a step-by-step guide for using Clevis to create a TPM-bound PIN and encrypt the LUKS key, as well as an explanation of what PCR IDs are and how they’re used in the process.

So, let’s get started! First, we’ll take a closer look at what Clevis is and how it works with LUKS encryption and TPMs.

Clevis is an open-source software tool that provides a framework for automating the encryption of data using different security policies. Clevis can be used to bind LUKS encryption to a TPM, making it a powerful tool for enhancing the security of Linux systems.

Clevis works by creating a “PIN” that is stored in the TPM and used to encrypt the LUKS key. When the system is booted, Clevis retrieves the PIN from the TPM and uses it to decrypt the LUKS key, allowing the device to be unlocked.

One of the benefits of using Clevis is that it allows for flexible policy-based encryption. Clevis can be configured to use different policies, such as requiring a network-based “tang” server for PIN retrieval, or using a passphrase-based policy as a fallback.

In the next section, we’ll provide a step-by-step guide for using Clevis to bind LUKS encryption to a TPM and encrypt the LUKS key.

Step-by-Step Guide to Binding LUKS Encryption to TPM using Clevis:

  1. Install Clevis and the LUKS encryption tools on your Linux system using your distribution’s package manager. For example, on Ubuntu, you can use the following command:
sudo apt-get install clevis clevis-luks
  1. Create a new LUKS-encrypted partition or device using the cryptsetup command. For example, to create a new encrypted partition on /dev/sda1, you can use the following command:
sudo cryptsetup luksFormat /dev/sda1
  1. Open the LUKS-encrypted device using the cryptsetup command and create a new mapper device. For example, to open the encrypted partition on /dev/sda1 and create a new mapper device named encrypted_device, you can use the following command:
sudo cryptsetup open /dev/sda1 encrypted_device
  1. Create a new Clevis pin that is bound to the TPM using the clevis luks bind command. This will create a new PIN and store it in the TPM. For example, to create a new TPM-bound PIN and bind it to the LUKS device, you can use the following command:
sudo clevis luks bind -d /dev/mapper/encrypted_device tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'

This command will bind the LUKS device to PCR IDs 0-7, which are commonly used for boot measurements. We’ll explain what PCR IDs are in the next section.

  1. Update the LUKS key slot with the new PIN using the cryptsetup command. For example, to update the key slot for the mapper device encrypted_device with the new PIN, you can use the following command:
sudo cryptsetup luksChangeKey /dev/mapper/encrypted_device -S 1

This will prompt you to enter the existing passphrase, followed by the new TPM-bound PIN.

  1. Close the mapper device using the cryptsetup command. For example, to close the mapper device encrypted_device, you can use the following command:
sudo cryptsetup close encrypted_device

That’s it! Your LUKS-encrypted device is now bound to the TPM using Clevis. The next time you boot your system, Clevis will retrieve the PIN from the TPM and use it to decrypt the LUKS key, allowing the device to be unlocked.

What are PCR IDs?

PCR stands for Platform Configuration Register, which is a set of read-only registers that are used to store platform measurements. These measurements include information such as the firmware version, bootloader configuration, and kernel configuration. PCR IDs are used to identify specific registers within the PCR.

In the context of TPM-bound LUKS encryption, PCR IDs are used to bind the LUKS device to specific platform measurements. When the system is booted, Clevis retrieves the measurements associated with the PCR IDs and compares them to the expected values. If the measurements match the expected values, the TPM-bound PIN is retrieved and used to decrypt the LUKS key.

PCR IDs are an important aspect of the security of TPM-bound LUKS encryption, as they ensure that the system is booted in a trusted state before allowing access to sensitive data. When choosing which PCR IDs to use for binding LUKS encryption, it’s important to select measurements that are unlikely to change during normal system operation, but may change if the system is compromised. Commonly used PCR IDs include those associated with the firmware, bootloader, and kernel configuration.

In TPM 2.0, there are 24 Platform Configuration Registers (PCRs), numbered from 0 to 23. Each PCR contains a set of read-only registers that store platform measurements. The measurements stored in each PCR are typically used to establish the integrity of the boot process and the state of the system at a given point in time.

The most commonly used PCR IDs are 0-7, which are used to store measurements related to the boot process, including firmware, bootloader, and kernel configuration. PCR IDs 8-15 are typically used for specific platform components or applications, such as the system management mode (SMM) or the hypervisor. PCR IDs 16-23 are available for use by the platform manufacturer or system administrator for custom measurements.

Here’s a brief summary of the most commonly used PCR IDs:

  • PCR 0: Contains measurements related to the firmware, including the firmware vendor, version, and release date.
  • PCR 1: Contains measurements related to the platform configuration, including the hardware platform type and manufacturer.
  • PCR 2: Contains measurements related to the bootloader configuration, including the bootloader version and configuration parameters.
  • PCR 3: Contains measurements related to the kernel configuration, including the kernel version and configuration parameters.
  • PCR 4: Contains measurements related to the initial ramdisk (initrd), which is used to load the kernel.
  • PCR 5-7: Contains measurements related to the boot process, including boot loaders, configuration files, and platform-specific components.

It’s important to note that the specific measurements stored in each PCR may vary depending on the platform and the configuration of the system. Additionally, some PCR IDs may be used for different purposes depending on the system architecture or use case.

References