Description
Hi There,
I successfully managed to encrypt the root partition (Raspberry Pi 4B) using your script https://github.com/gitbls/sdm/blob/master/Docs/Disk-Encryption.md.
sudo sdm-cryptconfig --crypto xchacha
I'd like to use LetsTrust TPM to securely store the decryption key so that the root
partition would auto decrypt/mount on boot (no need to manually enter password).
https://thepihut.com/products/letstrust-tpm-for-raspberry-pi?srsltid=AfmBOorMdJljiZzFQb3_5Vs4V3cKBwqbeUDvbIbudr7b5chUJCCtwSd-
I've tried to get it working, but the boot either continues to ask for a password or shows an initramfs
prompt (if I have used update-initramfs as per step 7). I had successfully used the TPM to auto-decrypt an encrypted file on /root, so it should be along these lines (after root has already been encrypted using sdm):
1. Enable the TPM in `/boot/firmware/config.txt`:
   `dtoverlay=tpm-slb9670`
2. Install the TPM packages:
   `sudo apt --yes install libtss2-* tpm-udev tpm2-abrmd tpm2-tools`
   `sudo usermod --append --groups tss $(whoami)`
   `sudo reboot`
3. Reboot:
   `sudo reboot`
4. Test the TPM:
   `tpm2 getcap properties-fixed`
5. Enroll the disk with the TPM:
   `sudo systemd-cryptenroll --tpm2-device=auto`
6. Update `/etc/crypttab`:
   `cryptroot /dev/mmcblk0p2 none tpm2-device=auto,discard`
7. Update the initramfs:
   `sudo update-initramfs -u`
   Maybe I need to include some TPM modules in `/etc/initramfs-tools/modules`?
So I'm wondering:
- Any suggestions / ideas on how to debug / resolve this?
- Could support be integrated into your scripts?
Any help much appreciated.
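As an added example (not from this issue and not part of the sdm project), a POSIX shell pre-flight script that checks the three configuration pieces listed in the steps above before rebooting: the overlay line in config.txt, the crypttab entry, and the initramfs modules list. The mapping name `cryptroot` comes from the issue; the module name `tpm_tis_spi` and the file paths handed to the functions are assumptions.

```shell
# Pre-flight checks for TPM2 auto-unlock of a LUKS root on Raspberry Pi OS.
# Every function takes a file path so it can be run against the live file
# or against a copy; nothing here modifies the system.

# 1. /boot/firmware/config.txt must carry an uncommented overlay line,
#    otherwise the kernel never exposes the TPM device.
check_config_txt() {
    grep -Eq '^[[:space:]]*dtoverlay=tpm-slb9670([[:space:]]|$)' "$1"
}

# 2. The crypttab entry (fields: name, device, key, options) must use "none"
#    as the key field and carry a tpm2-device= option; a key file or a
#    missing option means cryptsetup will prompt for a passphrase instead.
check_crypttab() {
    file="$1"; name="$2"
    entry=$(grep -E "^[[:space:]]*$name[[:space:]]" "$file" | head -n 1)
    [ -n "$entry" ] || return 1
    set -- $entry
    [ "$#" -ge 4 ] && [ "$3" = "none" ] || return 1
    case ",$4," in
        *,tpm2-device=*) return 0 ;;
    esac
    return 1
}

# 3. /etc/initramfs-tools/modules should list the SPI TPM driver so the
#    device exists inside the initramfs before the root mapping is opened.
#    Assumption: tpm_tis_spi is the driver behind the tpm-slb9670 overlay.
check_initramfs_modules() {
    grep -Eq '^[[:space:]]*tpm_tis_spi([[:space:]]|$)' "$1"
}

# Run all checks and report each failure; the exit status is the number of
# failed checks, so 0 means the configuration looks complete.
preflight() {
    fails=0
    check_config_txt "$1" || { echo "config.txt: dtoverlay=tpm-slb9670 missing or commented out"; fails=$((fails + 1)); }
    check_crypttab "$2" cryptroot || { echo "crypttab: cryptroot entry missing, keyed by file, or without tpm2-device="; fails=$((fails + 1)); }
    check_initramfs_modules "$3" || { echo "initramfs modules: tpm_tis_spi not listed"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage against the live system:
# preflight /boot/firmware/config.txt /etc/crypttab /etc/initramfs-tools/modules
```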