Clevis

TPM-Based Full Disk Encryption without Manual Passphrase Entry

Prerequisites

## TPM (Trusted Platform Module) - Version 2.0 (the clevis tpm2 pin needs TPM 2.0, not 1.2; dmesg only shows that the driver attached, /sys/class/tpm/tpm0/tpm_version_major prints the version and /dev/tpmrm0 must exist)
sudo dmesg | grep -i tpm

Install

sudo apt install clevis clevis-luks clevis-initramfs clevis-tpm2
## Read the current SHA-256 PCR values (PCR 0 = firmware code, PCR 7 = Secure Boot policy); the key bound below is sealed to exactly these values:
sudo tpm2_pcrread
sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,7"}'
## Enter existing LUKS password:
## bind prompts for the passphrase, then adds a new keyslot (slot 1 here) whose key is sealed to the TPM. Keep the passphrase slot: it is the fallback when PCR 0 or 7 change (firmware update, Secure Boot toggled, db/dbx changed).
## Caveat: PCRs 0 and 7 do not measure the kernel or initramfs in unencrypted /boot, and no PIN is required, so a tampered initramfs unseals the key exactly like the real one. This setup trades evil-maid resistance for unattended boot.
## Rebuild the initramfs so the clevis unlock hooks are included:
sudo update-initramfs -u
## update-initramfs: Generating /boot/initrd.img-6.12.74+deb13+1-amd64

Confirmations

sudo clevis luks list -d /dev/nvme0n1p3
## 1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,7"}'
lsinitramfs /boot/initrd.img-$(uname -r) | grep clevis
## scripts/local-bottom/clevis
## scripts/local-top/clevis
## usr/bin/clevis
## usr/bin/clevis-decrypt
## usr/bin/clevis-decrypt-null
## usr/bin/clevis-decrypt-sss
## usr/bin/clevis-decrypt-tang
## usr/bin/clevis-decrypt-tpm2
## usr/bin/clevis-luks-common-functions
## usr/bin/clevis-luks-list
## usr/bin/clevis-luks-unlock

Header Backup

## Back up the LUKS header before relying on the TPM slot. The file holds every keyslot (passphrase and TPM-sealed): store it off this disk and protect it like the passphrase, since header + passphrase decrypts the volume, and restoring an old header also revives any slot removed since the backup.
sudo cryptsetup luksHeaderBackup /dev/nvme0n1p3 --header-backup-file header.img

Management

## Unlock a LUKS device using the Clevis-bound keyslot (this is what the initramfs hook does at boot; useful to test a data volume by hand):
sudo clevis luks unlock -d /dev/nvme0n1p3
## Remove a Clevis binding from a LUKS device (slot 1). Do this before changing firmware or Secure Boot keys and bind again afterwards, or re-seal the existing slot to the new PCR values with clevis luks regen -d /dev/nvme0n1p3 -s 1 (it needs the passphrase once the old binding no longer unseals):
sudo clevis luks unbind -d /dev/nvme0n1p3 -s 1
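The failure mode of this setup is silent PCR drift: after a firmware update or a Secure Boot change the TPM refuses to unseal and the next boot stops at the passphrase prompt. The script below is an added example, not part of the original notes or of the clevis project: it records the SHA-256 PCR 0/7 values the binding was sealed against and compares the live values against that record before a reboot, pointing at `clevis luks regen` when they differ. It assumes tpm2-tools (tpm2_pcrread) is installed, that the clevis version provides `clevis luks regen`, the device and slot used above, and a hypothetical baseline path /var/lib/clevis/pcr-baseline.txt. The parsing and comparison functions work on captured text, so they can be exercised offline with constructed tpm2_pcrread output.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): snapshot the sealed PCR 0/7
# values and detect drift before rebooting. Assumptions, not from the page:
# tpm2-tools provides tpm2_pcrread, clevis provides `clevis luks regen`,
# device/slot as in the notes, BASELINE path is hypothetical.
set -u

DEV="${DEV:-/dev/nvme0n1p3}"
SLOT="${SLOT:-1}"
BASELINE="${BASELINE:-/var/lib/clevis/pcr-baseline.txt}"   # hypothetical path

# Turn tpm2_pcrread output (bank header "sha256:", then "  0 : 0x..." rows)
# into one "index=digest" line per PCR of the sha256 bank, lowercase, sorted.
# Rows from other banks (sha1, ...) are ignored.
normalize_pcrs() {
    awk '
        /^[[:space:]]*[a-z0-9_]+:[[:space:]]*$/ { bank = $1; sub(/:/, "", bank); next }
        bank == "sha256" && /^[[:space:]]*[0-9]+[[:space:]]*:[[:space:]]*0x[0-9A-Fa-f]+/ {
            line = $0
            gsub(/[[:space:]]*:[[:space:]]*/, " ", line)
            split(line, f, " ")
            printf "%s=%s\n", f[1], tolower(f[2])
        }' | sort -n
}

# compare_pcrs BASELINE CURRENT: print every PCR whose digest differs from
# the sealed value; exit 0 if nothing drifted, 1 otherwise.
compare_pcrs() {
    local idx want have rc=0
    while IFS='=' read -r idx want; do
        have=$(sed -n "s/^${idx}=//p" "$2")
        if [ "$have" != "$want" ]; then
            printf 'PCR %s changed: sealed %s, now %s\n' "$idx" "$want" "${have:-<missing>}"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Live operations: need root and a TPM, run right after `clevis luks bind`
# (snapshot) and before every reboot that follows a firmware/Secure Boot
# change (check). Not exercised by the offline test.
snapshot_pcrs() {
    tpm2_pcrread sha256:0,7 | normalize_pcrs > "$BASELINE"
    echo "sealed PCR values recorded in $BASELINE"
}

check_pcrs() {
    local cur
    cur=$(mktemp)
    tpm2_pcrread sha256:0,7 | normalize_pcrs > "$cur"
    if compare_pcrs "$BASELINE" "$cur"; then
        echo "PCR 0 and 7 unchanged; the TPM binding will unseal at next boot"
    else
        echo "PCRs drifted: boot will fall back to the passphrase prompt."
        echo "If the new values are expected (your own update), re-seal with:"
        echo "  sudo clevis luks regen -d $DEV -s $SLOT && sudo $0 snapshot"
    fi
    rm -f "$cur"
}

case "${1:-}" in
    snapshot) snapshot_pcrs ;;
    check)    check_pcrs ;;
esac
```

Run `sudo ./pcr-drift.sh snapshot` once after binding and `sudo ./pcr-drift.sh check` before rebooting after a firmware or Secure Boot change. Only re-seal when the drift is one you caused; an unexpected change in PCR 0 or 7 on a machine you did not update is exactly the signal this binding exists to catch.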

References

https://www.reddit.com/r/linux4noobs/comments/1cim9os/full_disk_encryption_without_entering_passphrase/