
I have an Ubuntu 20.04 machine set up that I am trying to configure for disk encryption. I am trying to set up auto unlock, but my configuration has not worked so far, and I am always prompted for a password.

To do this I followed the following steps:

  1. sudo apt-get update and sudo apt-get install cryptsetup
  2. Check /dev/nvme0n1p3 -> sudo cryptsetup luksDump /dev/nvme0n1p3 -> No Tokens or Keyslots
  3. Install clevis, clevis-luks, clevis-dracut, clevis-udisks2, clevis-systemd, clevis-tpm2
  4. sudo clevis luks list -d /dev/nvme0n1p3 -> Empty
  5. echo <my password> | sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{ "pcr_bank":"sha256", "pcr_ids": "7,11" }'
  6. sudo dracut -fv --regenerate-all
  7. Check sudo clevis luks list -d /dev/nvme0n1p3 -> 1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7,11"}'
  8. lsblk -o NAME,UUID,MOUNTPOINT ->
├─nvme0n1p1                 <uuid1>                              /boot/efi
├─nvme0n1p2                 <uuid2>   /boot
└─nvme0n1p3                 <uuid3>   
  └─dm_crypt-0              <uuid4> 
    └─ubuntu--vg-ubuntu--lv <uuidd5>   /
  9. cat /etc/crypttab -> dm_crypt-0 UUID=<uuid3> none luks

When booting, I do not notice any errors for cryptsetup, luks, tpm2. Googling around and checking others' questions, I have also tried:

  1. sudo systemctl enable clevis-luks-askpass.path
  2. update-initramfs -c -k all -> Runs successfully

My fstab file doesn't actually list the encrypted partition: cat /etc/fstab ->

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation
/dev/disk/by-id/<Some id which I don't know the origin of> / ext4 defaults 0 1
# /boot was on /dev/nvme0n1p2 during curtin installation
/dev/disk/by-uuid/<uuid2> /boot ext4 defaults 0 1
# /boot/efi was on /dev/nvme0n1p1 during curtin installation
/dev/disk/by-uuid/<uuid1> /boot/efi vfat defaults 0 1
/swap.img   none    swap    sw  0   0

I've also tried manually adding the partition to fstab, but that did not work.

No matter what I try, it always asks for a password on boot.

What could I do to fix this?

1 Answer

I was missing clevis-initramfs, which needed to be installed. Once added, the auto unlocker worked.
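
The following check is an added example, not part of the question or the answer: it walks the unlock chain (TPM2 binding, the clevis-initramfs package, clevis files inside the initramfs image) and reports the first missing link. The function names and the sample data are constructed for illustration; only the device path and the binding line come from the question.

```shell
#!/bin/sh
# Added example: find which link of the clevis/TPM2 auto-unlock chain is missing.
# Every check reads captured command output, so the logic can be run offline.

# $1 = `dpkg -l` output, $2 = package name; true if the package is installed ("ii").
has_pkg() { printf '%s\n' "$1" | grep -Eq "^ii +$2([: ]|\$)"; }

# $1 = `clevis luks list -d <device>` output; true if a tpm2 pin is bound.
has_tpm2_binding() { printf '%s\n' "$1" | grep -Eq '^[0-9]+: tpm2 '; }

# $1 = `lsinitramfs <initrd>` output; true if clevis files are inside the image.
initramfs_has_clevis() { printf '%s\n' "$1" | grep -Eq '(^|/)clevis(-|$)'; }

# diagnose <dpkg -l> <clevis luks list> <lsinitramfs>; returns 0 when complete.
diagnose() {
    has_tpm2_binding "$2" || { echo "no tpm2 binding on the LUKS device"; return 1; }
    has_pkg "$1" clevis-initramfs || { echo "clevis-initramfs is not installed"; return 2; }
    initramfs_has_clevis "$3" || { echo "initramfs has no clevis files; rebuild it"; return 3; }
    echo "unlock chain complete"
}

# Constructed sample data (versions and file lists are illustrative).
BINDING="1: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\",\"pcr_bank\":\"sha256\",\"pcr_ids\":\"7,11\"}'"
PKGS_BEFORE="ii  clevis         0-sample amd64 constructed
ii  clevis-dracut  0-sample amd64 constructed
ii  clevis-tpm2    0-sample amd64 constructed"
PKGS_AFTER="$PKGS_BEFORE
ii  clevis-initramfs 0-sample amd64 constructed"
INITRD_BEFORE="scripts/local-top/cryptroot
usr/sbin/cryptsetup"
INITRD_AFTER="$INITRD_BEFORE
scripts/local-top/clevis
usr/bin/clevis-decrypt-tpm2"

diagnose "$PKGS_BEFORE" "$BINDING" "$INITRD_BEFORE" || true   # the question's state
diagnose "$PKGS_AFTER"  "$BINDING" "$INITRD_AFTER"  || true   # after the answer's fix

# On a live system (device path taken from the question):
# diagnose "$(dpkg -l)" "$(sudo clevis luks list -d /dev/nvme0n1p3)" \
#          "$(lsinitramfs "/boot/initrd.img-$(uname -r)")"
```

A return code of 3 with the package installed means the image predates the install and needs to be regenerated.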
