Use systemd-cryptenroll with FIDO U2F or TPM2 to decrypt your disk – Fedora Magazine

Use systemd-cryptenroll with FIDO U2F or TPM2 to decrypt your disk - Fedora Magazine

Fedora Workstation includes systemd-cryptenroll by default which makes adding alternative methods for unlocking LUKS partitions fairly straight forward. This article shows how to use either a TPM2 chip or a FIDO U2F security key as an alternative factor to the passphrase when unlocking your LUKS partitions.

Note: systemd-cryptenroll does not work with LUKS1. LUKS1 volumes must be upgraded to LUKS2 to work with systemd-cryptenroll. Fedora Linux has used LUKS2 by default since release 30, but users who are using LUKS volumes that were created on older Fedora Linux releases will need to upgrade their LUKS volumes. References: documentation, discussion

Previous articles

A TPM2 chip is a little piece of storage with secure APIs where you can store secrets protected by Secure Boot. Secure Boot establishes a chain of trust by computing hashes based on, for example, hardware or software components. This way you can store a LUKS decryption key which is only accessible if the system is in a non-tampered state (in theory). Unfortunately, this means you’ll want to measure things like your initramfs and kernel into this state which means invalidating this factor every time you do a system upgrade. FIDO U2F keys do not suffer from this problem as they are not tied to the hardware platform.

Check out my previous article about using an integrated TPM2 secure storage device to learn more in-depth specifics about how TPM2-based unlocking works and its security implications.

The previous article, however, uses clevis which adds additional dependencies and has a more complex interface than using the already present systemd-cryptenroll.

A FIDO2 or FIDO U2F compliant key is an external storage device with secure APIs for storing and retrieving secrets. These keys can be used as a second- or sole-factor in authentication flows. Secrets never leave the device and verification is done on the client. So attack scenarios like fishing are mitigated by design as compared to other MFA (multi-factor authentication) technologies like TOTP (time-based one time passwords).

A previous post about FIDO U2F / FIDO2 keys here on Fedora Magazine showed how to set up those keys for Linux PAM authentication – primarily sudo and GNOME login.

Find your encrypted LUKS disks

For the following sections you need the filesystem path(s) to your LUKS encrypted partition(s). Use lsblk to find them.

$> lsblk
sda 8:0 1 0B 0 disk
sdb 8:16 1 0B 0 disk
zram0 252:0 0 8G 0 disk [SWAP]
nvme0n1 259:0 0 476.9G 0 disk
??nvme0n1p1 259:1 0 600M 0 part /boot/efi
??nvme0n1p2 259:2 0 1G 0 part /boot
??nvme0n1p3 259:3 0 475.4G 0 part ??luks-fdb98c38-... 253:0 0 475.3G 0 crypt /home /

Find the partition number(s) hosting the luks- partition of type crypt. In this case that’d be /dev/nvme0n1p3. Use this path as target for the following sections.

(Maybe) Get rid of clevis

Assuming you followed the previous post on using TPM2 you might want to unbind and remove clevis before proceeding with systemd-cryptenroll. Otherwise just skip this section.

First, remove any TPM2 binding from the LUKS secrets slots. Beware: do not remove slot 0 as it contains the passphrase binding!

$ sudo clevis luks list -d /dev/nvme0n1p3
... Slot 1 (or whichever is your TPM2 binding) ...
$ sudo clevis luks unbind -d /dev/nvme0n1p3 -s 1

Now remove the clevis packages.

sudo dnf remove -y clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd

Choose TPM2 or FIDO as an alternative decryption method

The following steps are required for both methods. Choose one to your liking.

  • Add the corresponding dracut module so support is available in the initramfs at boot
  • Enroll / bind a LUKS secret slot tied to either the TPM2 or the FIDO key
  • Update /etc/crypttab with the new configuration
  • Rebuild the initramfs to apply the changes

It is important to run dracut last to not only include new dependencies but also your updated crypttab in the initramfs.

Use systemd-cryptenroll with a FIDO U2F key

Add the fido2 dracut module to your dracut configuration.

$ echo "add_dracutmodules+=" fido2 "" | sudo tee /etc/dracut.conf.d/fido2.conf
add_dracutmodules+=" fido2 "

Now enroll the FIDO key with your LUKS partition as an alternative decryption factor. See systemd-cryptenroll(1) for options to control features like touch or pin prompt. By default presence and pin are requested for enrollment and use.

sudo systemd-cryptenroll --fido2-device auto /dev/nvmen1p3

Update /etc/crypttab and append fido2-device=auto to the appropriate line’s options. A line in crypttab consists of four fields with the last one being a comma separated list.

Finally, rebuild your initramfs using dracut. The following command will rebuild your currently-booted initramfs slot.

sudo dracut -f

Don’t worry about the FIDO key not working or about losing it since the passphrase is still available as a fallback.

You’ll now be prompted at boot to enter the PIN of your FIDO key. Be aware that the PIN entry prompt looks exactly the same as the passphrase prompt. You will notice a difference only when using the terminal (which you can view by hitting the ESC key). After entering the correct PIN the hardware token will prompt you to touch it which (also) is not indicated on the prompt. If it does not prompt for a touch, then systemd-cryptenroll was not able to find a hardware token corresponding to the entered PIN.

Note: systemd-cryptenroll does not currently work with multiple connected hardware tokens.

Use systemd-cryptenroll with a TPM2 chip

Add the tpm2-tss module to your dracut configuration.

$ echo "add_dracutmodules+=" tpm2-tss "" | sudo tee /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "

Enroll the TPM2 chip as alternative decryption factor for your LUKS partition(s). The ??wipe-slot tpm2 option ensures that after successful enrollment any previous bindings are removed. Use this command every time you need to update the binding.

sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "0+1+2+3+4+5+7+9" /dev/nvme0n1p3

Update /etc/crypttab and append tpm2-device=auto,tpm2-pcrs=0+1+2+3+4+5+7+9 to the appropriate line’s options, depending on the PCRs used. A line in crypttab consists of four fields with the last one being a plus separated list.

Last but not least, rebuild your initramfs using dracut. The following command will rebuild your currently booted initramfs slot.

sudo dracut -f

Alexander Wellbrock

Alex love for Free and Open Source Software ignited through his fascination of its design and principles. His private and professional lives are driven by the self-efficacy enabled through simple but beautiful, free and open systems. He is asking himself “How can we thrive through collaboration instead of competition?” and is certain the answer to this utilizes FOSS.