fedora-silverblue · stenwt · Apr 26, 2024 · Apr 27, 2024 · May 19, 2024 · Aug 18, 2024
diff --git a/modules/ROOT/pages/tips-and-tricks.adoc b/modules/ROOT/pages/tips-and-tricks.adoc
@@ -160,3 +160,20 @@ or setup shell `alias`es as needed to make them available to the CLI like so:
   $ alias evince="flatpak run org.gnome.Evince"
     # or alias evince="org.gnome.Evince"
   $ evince
+
+== Enabling TPM2 for LUKS 
+
+It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading security for convenience. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. 
-It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading security for convenience. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. 
+It's possible to use your machine's TPM2 device to automatically decrypt your LUKS-encrypted boot disk.
+
+It's important to understand that by doing this, you are trading security for convenience. When your LUKS device can be decrypted automatically by your TPM2 device, you are making this device more vulnerable to an ["evil maid attack"](https://en.wikipedia.org/wiki/Evil_maid_attack). Anybody with physical access to this machine will be able to access the data.
+
+It's crucial to keep a LUKS passphrase *in addition to* the TPM2 enrollment. If you update BIOS, the `shim` package, or make changes to your BIOS settings (in particular your Secure Boot configuration), the TPM2 unlock will not work and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below.
+
+This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the boot device you want to enroll. 
-It is possible to use the TPM2 device in your machine to automatically decrypt your LUKS-encrypted device. It is important to note a few things regarding this setup: first, it is trading security for convenience. Anyone who has access to both the disk and the TPM2 device can unlock your data. Second, it is crucial to keep a LUKS passphrase in addition to the TPM2 device that you can use to unlock the LUKS device; if you update BIOS, or the kernel shim, or make other substantial changes to your device, the TPM will refuse to sign your session and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below. This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the device you want to enroll. 
+It's possible to use your machine's TPM2 device to automatically decrypt your LUKS-encrypted boot disk.
+
+It's important to understand that by doing this, you are trading security for convenience. When your LUKS device can be decrypted automatically by your TPM2 device, you are making this device more vulnerable to an ["evil maid attack"](https://en.wikipedia.org/wiki/Evil_maid_attack). Anybody with physical access to this machine will be able to access the data.
+
+It's crucial to keep a LUKS passphrase *in addition to* the TPM2 enrollment. If you update BIOS, the `shim` package, or make changes to your BIOS settings (in particular your Secure Boot configuration), the TPM2 unlock will not work and you will fall back to manually entering a LUKS passphrase. In this case, you can re-enable TPM2 for unlocking by re-running the enroll command below.
+
+This tip assumes you have a single LUKS device created during the Anaconda installer; if you have more than one LUKS device, you will need to correctly identify the boot device you want to enroll. 
+
+To set up TPM2 unlocking, first, find the LUKS device you want to enroll. This is probably in `/etc/crypttab`. You can also use `sudo cryptsetup status /dev/mapper/luks*` to identify the device.
+
+Next, enable the required initramfs and kernel features. Note that the initramfs command below will overwrite any other initramfs changes you have made: 
+
+  $ sudo rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto
+  $ sudo rpm-ostree initramfs --enable --arg=-a --arg=systemd-pcrphase
+
+Then, using the device you identified with 'crpysetup status' previously, enroll the device: 
-Then, using the device you identified with 'crpysetup status' previously, enroll the device: 
+ Enroll the identified device: 
-Then, using the device you identified with 'crpysetup status' previously, enroll the device: 
+ Enroll the identified device: 
+
+  $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/boot-device
+
+Reboot; you should not be prompted to enter your LUKS passphrase on boot.