This encrypts a partition with LUKS and uses the TPM2 to unlock the partition during boot.
Adapt start-qemu to support tpm2.
The implementation uses systemd-cryptenroll to add the TPM protected passphrase to the LUKS header. systemd-cryptenroll was added with systemd version > 248.

The following table shows the support of systemd-cryptenroll in Debian releases.

| Debian version | systemd-cryptenroll supported |
| Buster(10)     | No                            |
| Bullseye(11)   | with backports                |
| Bookworm(12)   | yes                           |
Changes v2:
- rewrite for multiple partitions
- add reencrypt for populated partitions
- encrypt /var and /home

Changes v3:
- remove additional partition crypt_data
- add Readme
- fix KConfig
- only systemd is from backports
- start-qemu now checks .config.yaml for TPM2 support
- correct whitespaces
Quirin Gylstorff (8):
  linux-cip: update kernel configuration for tpm2 support
  use bullseye backports for systemd-cryptenroll
  KConfig: add tpm option
  start-qemu.sh: Create a tpm2 device
  Add initramfs hook to encrypt a partition
  overlay: add prerequisite 'encrypt_partition'
  .gitlabci: Add ci build
  Add README for encrypted partitions