Automatic unlocking of a LUKS partition at boot with a TPM 2.0
Wow what a title! With Windows, if you BitLocker a drive, it can be unlocked automatically at boot when the machine has a compatible TPM. However, if you’ve installed Ubuntu with the default installer you’ve probably been frustrated that you have to enter the drive password on every boot.
This default is the safest option in terms of security – as long as the password is sufficiently complex and not written on a post-it stuck to the machine. However, there is another side to security: when human interaction is required, passwords tend to be shared, left unchanged and chosen to be easy to type. Wouldn’t it be great if you could have the drive automatically unlock at boot like with Windows? Well, you can with Clevis!
Not fully secure
Now it’s important to note that Linux does not support full trust in the boot environment, and even BitLocker has some vulnerabilities. As with all things security, you have to consider the realistic attack vectors and decide which ones you wish to mitigate.
PCR Registers
The TPM exposes a set of Platform Configuration Registers (PCRs): hash values that change when a particular hardware or software step is measured during boot. A list is below, but more detail can be found in the Arch Wiki.
| PCR | Use |
| --- | --- |
| 0 | Core System Firmware executable code (aka Firmware) |
| 1 | Core System Firmware data (aka UEFI settings) |
| 2 | Extended or pluggable executable code |
| 3 | Extended or pluggable firmware data |
| 4 | Boot Manager |
| 5 | GPT/Partition Table |
| 6 | Resume from S4 and S5 Power State Events |
| 7 | Secure Boot State |
| 8 | Hash of the kernel command line |
| 9-10 | Reserved for Future Use |
| 11 | BitLocker Access Control |
| 12 | Data events and highly volatile events |
| 13 | Boot Module Details |
| 14 | Boot Authorities |
| 15-23 | Reserved for Future Use |
When you configure the automatic unlock you can select none, or as many of these PCRs as you like; a change in any selected PCR invalidates the automatic unlock. At a minimum I would recommend using PCR 7 to ensure that the boot process hasn’t been tampered with. For a work PC the UEFI is unlikely to change, so 0 and 1 are also very good candidates: they rarely change, so they won’t force you to enter the password and reset the auto-unlock process.
Using Ubuntu 21.10 or later?
Hold up! If you’re running Ubuntu 21.10 or later you should be running systemd version 248 or greater. This has built-in support for unlocking LUKS partitions without requiring Clevis. The Arch Wiki has detail on using systemd unlock, but make sure to read carefully since there’s more to it when unlocking a root partition.
Setup Auto-Unlock
We finally get to the commands for setting up auto-unlock on Ubuntu!
First, install the software and refresh the TPM permissions:
$ sudo -i
# apt install clevis clevis-tpm2 clevis-luks clevis-udisks2 clevis-systemd clevis-initramfs
# udevadm trigger
Now, we need to check what banks are available in the TPM:
# tpm2_pcrread
You should get some output listing the different hash algorithms (banks). If a hash algorithm has no PCR numbers listed under it, that bank can’t be used for your key. SHA256 is a good hash algorithm and should be supported in most cases. Now we can add a key to the LUKS partition from Clevis, tied to the TPM:
# clevis luks bind -d /dev/nvme1n1p4 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,7"}'
Remember, you can use whichever PCRs you like, but I would strongly recommend using at least number 7. Also make sure to change the partition to your specific device; it should be the root partition of your Linux installation. Keyfiles for all other partitions can be stored on the root partition so that they unlock as well. Only the root partition requires the TPM auto-unlock.
Finally, update the initramfs:
# update-initramfs -u -k 'all'
Done
If all has gone well, on your next boot the unlock password prompt should only appear for a short time. After a second or two it should disappear, as Clevis has unlocked the partition for you. If anything changes that causes a selected PCR hash to change, the unlock will fail and you’ll need to enter the password and regenerate the binding. The regeneration steps are outlined in the Arch Wiki.
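As an added example (not from the original post or the Clevis project), a small POSIX shell helper that parses tpm2_pcrread output to list the banks that actually carry PCR values, and records and compares the sha256 PCRs 0, 1 and 7 that the bind command above seals to, so that a failed auto-unlock can be traced to the register that moved. It assumes the tpm2-tools output layout of an indented `<bank>:` line followed by `<n> : 0x<hex>` lines; the sample output in the block is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed tpm2_pcrread layout:
#   "  sha256:" bank header lines, then "    7 : 0x<hex>" value lines.

# usable_banks: read tpm2_pcrread output on stdin and print the banks that
# have at least one PCR value under them. A bank with no numbers listed
# cannot be used for sealing.
usable_banks() {
    awk '
        /^[[:space:]]*[a-z0-9_]+:[[:space:]]*$/ { bank=$1; sub(":", "", bank); next }
        /^[[:space:]]*[0-9]+[[:space:]]*:[[:space:]]*0x/ { seen[bank]=1; next }
        END { for (b in seen) print b }
    ' | sort
}

# pcr_values BANK IDS: print "id hash" pairs for the comma-separated PCR ids
# of one bank (e.g. pcr_values sha256 0,1,7), reading tpm2_pcrread on stdin.
pcr_values() {
    awk -v want="$1" -v ids="$2" '
        BEGIN { n = split(ids, a, ","); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[[:space:]]*[a-z0-9_]+:[[:space:]]*$/ { bank=$1; sub(":", "", bank); next }
        bank == want && keep[$1] && $2 == ":" { print $1, $3 }
    '
}

# changed_pcrs BASELINE CURRENT: given two "id hash" listings produced by
# pcr_values, print the ids whose value differs (or is missing) now.
changed_pcrs() {
    printf '%s\n' "$1" | while read -r id hash; do
        cur=$(printf '%s\n' "$2" | awk -v i="$id" '$1 == i { print $2 }')
        [ "$cur" = "$hash" ] || echo "$id"
    done
}

# Constructed sample of tpm2_pcrread output: sha384 bank has no PCRs.
SAMPLE_PCRREAD='  sha1:
    0 : 0xAAAA
    7 : 0xBBBB
  sha256:
    0 : 0x1111
    1 : 0x2222
    7 : 0x7777
  sha384:
'
```

At bind time, save `tpm2_pcrread | pcr_values sha256 0,1,7` to a root-only file; after a failed auto-unlock, run `changed_pcrs "$(cat saved)" "$(tpm2_pcrread | pcr_values sha256 0,1,7)"` to see whether firmware (0), UEFI settings (1) or Secure Boot state (7) moved before re-binding.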