[isar-cip-core][PATCH v6 0/7] Encrypt Partition in initramfs


Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

This encrypts a partition with LUKS and uses the TPM2 to unlock the partition during
boot.

Adapt start-qemu to support tpm2.

The implementation uses systemd-cryptenroll to add the TPM-protected
passphrase to the LUKS header. systemd-cryptenroll was added with systemd version > 248.

The following table shows the support of systemd-cryptenroll in Debian
releases.

| Debian version | systemd-cryptenroll supported |
|----------------|-------------------------------|
| Buster (10)    | No                            |
| Bullseye (11)  | with backports                |
| Bookworm (12)  | yes                           |

I am currently testing an adaptation for Debian 11 (Bullseye) with
clevis instead of systemd-cryptenroll. If clevis works I will send an
additional patch.

Changes v2:
- rewrite for multiple partitions
- add reencrypt for populated partitions
- encrypt /var and /home

Changes v3:
- remove additional partition crypt_data
- add Readme
- fix KConfig
- only systemd is from backports
- start-qemu now checks .config.yaml for TPM2 support
- correct whitespaces

Changes v4:
- whitespaces
- README add requirements for systemd 248
- Kconfig add help information
- adapt commit message of patch 4 (add information about extra-space)

Changes v5:
- rebase on origin/next
- rename kas/opt/tpm.yml to kas/opt/encrypt-partitions.yml
- Kconfig change help text and option name from IMAGE_TPM_ENCRYPTION
to IMAGE_DATA_ENCRYPTION

Changes v6:
- Fix .gitlabci.yml - use kas/opt/encrypt-partitions.yml
- Fix start-qemu.sh - use IMAGE_DATA_ENCRYPTION
- Avoid package clash by disabling all backport packages

Quirin Gylstorff (7):
use bullseye backports for systemd-cryptenroll
KConfig: add option to encrypt data partitions
start-qemu.sh: Create a tpm2 device
Add initramfs hook to encrypt a partition
overlay: add prerequisite 'encrypt_partition'
.gitlabci: Add ci build
Add README for encrypted partitions

.gitlab-ci.yml | 13 ++
Kconfig | 10 ++
conf/distro/debian-bullseye-backports.list | 1 +
.../preferences.bullseye-backports.tpm.conf | 8 +
doc/README.tpm2.encryption.md | 55 +++++++
kas/opt/encrypt-partitions.yml | 21 +++
.../cip-core-initramfs/cip-core-initramfs.bb | 2 +
.../files/encrypt_partition.env.tmpl | 2 +
.../files/encrypt_partition.hook | 53 +++++++
.../files/encrypt_partition.script | 145 ++++++++++++++++++
.../initramfs-crypt-hook_0.1.bb | 40 +++++
.../initramfs-overlay-hook/files/overlay.hook | 1 +
.../files/overlay.script.tmpl | 12 +-
.../initramfs-overlay-hook_0.1.bb | 2 +-
start-qemu.sh | 27 +++-
wic/x86-efibootguard.wks.in | 5 +-
16 files changed, 384 insertions(+), 13 deletions(-)
create mode 100644 conf/distro/debian-bullseye-backports.list
create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf
create mode 100644 doc/README.tpm2.encryption.md
create mode 100644 kas/opt/encrypt-partitions.yml
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.hook
create mode 100644 recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script
create mode 100644 recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb

--
2.39.2
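The enrollment flow the cover letter describes (a LUKS2 partition gets a TPM2-protected key slot via systemd-cryptenroll and is unlocked from the initramfs at boot), as an added shell example that is not part of this series or of isar-cip-core. The device path, the PCR selection, the crypttab layout and the dry-run wrapper are assumptions for illustration; the version check encodes the systemd 248 minimum stated above. With DRY_RUN=1 (the default) the script only prints the privileged commands, so it can be read and exercised without a TPM or a LUKS device.

```shell
#!/bin/sh
# Added example, not project code: enroll a TPM2-sealed key into a LUKS2
# header with systemd-cryptenroll and wire the unlock into crypttab.
# Assumptions: /dev/sda5 (illustrative), PCR 7 (Secure Boot policy, the
# systemd default), and that a passphrase key slot already exists.

DRY_RUN="${DRY_RUN:-1}"

# Print the command instead of running it unless DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# systemd-cryptenroll needs systemd >= 248 (the cover letter's requirement).
# Argument 1: first line of `systemctl --version`, e.g.
#   "systemd 252 (252.22-1~deb12u1)"  (constructed sample format)
# Returns 0 if the major version meets the minimum (default 248).
systemd_version_ok() {
    line="$1"
    min="${2:-248}"
    ver=$(printf '%s\n' "$line" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] && [ "$ver" -ge "$min" ]
}

# Add a TPM2-bound key slot. cryptenroll asks for an existing passphrase
# (or takes it from $PASSWORD) and seals a new random key to the given PCRs.
# Choosing only PCR 7 ties the key to Secure Boot state; adding PCR 4 or 11
# also binds it to the boot loader / unified kernel image, which is stricter
# but requires re-enrollment after every kernel update.
luks_tpm2_enroll() {
    dev="$1"
    pcrs="${2:-7}"
    run systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
}

# After enrollment a "systemd-tpm2" token must appear in the header; on a
# real device, check with: cryptsetup luksDump "$dev" | grep systemd-tpm2
luks_dump() {
    run cryptsetup luksDump "$1"
}

# crypttab entry that makes the initramfs unlock via the TPM2 instead of
# prompting. "none" means no key file; the TPM2 token in the header is used.
crypttab_line() {
    name="$1"
    dev="$2"
    printf '%s %s none luks,tpm2-device=auto\n' "$name" "$dev"
}

# Remove the TPM2 slot again, e.g. before re-enrolling after a PCR change.
luks_tpm2_wipe() {
    run systemd-cryptenroll --wipe-slot=tpm2 "$1"
}

if [ "${1:-}" = "demo" ]; then
    # Constructed version line so the demo runs offline.
    if systemd_version_ok "systemd 252 (252.22-1~deb12u1)"; then
        luks_tpm2_enroll /dev/sda5 7
        luks_dump /dev/sda5
        crypttab_line var /dev/sda5
    else
        echo "systemd too old for systemd-cryptenroll" >&2
        exit 1
    fi
fi
```

Run with `sh script.sh demo` to see the command sequence; set `DRY_RUN=0` and run as root on a machine with a TPM2 and a LUKS2 volume to perform the enrollment for real.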