Ubuntu 24.04 Command-line Installation + LUKS Hardware Encryption (OPAL) + UEFI Boot + TPM2 Auto Unlock on Boot

Disk performance with OPAL hardware encryption is the same as without encryption, because the encryption is done by the drive's own controller rather than by the CPU.

The following steps are run in the LiveCD environment.

sudo -i   # become root for the rest of the session

Install the required tools and packages:

apt update
apt install parted cryptsetup debootstrap

Factory-reset the OPAL hardware encryption on the disk (this erases all existing data on the drive):

cryptsetup luksErase --hw-opal-factory-reset /dev/nvme0n1

Partition the disk with a GPT partition table:

parted /dev/nvme0n1 mklabel gpt
parted /dev/nvme0n1 mkpart ESP fat32 1MiB 513MiB          # partition 1: EFI system partition
parted /dev/nvme0n1 set 1 esp on
parted /dev/nvme0n1 mkpart primary ext4 513MiB 1537MiB    # partition 2: unencrypted /boot
parted /dev/nvme0n1 mkpart primary ext4 1537MiB 100%      # partition 3: OPAL-encrypted root

Format the partitions and create the file systems:

mkfs.fat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2

Set up LUKS2 with OPAL hardware encryption. With --hw-opal-only, LUKS2 only manages the key and the drive firmware does all the encryption; no dm-crypt software layer is added, which is why throughput is unaffected:

cryptsetup luksFormat /dev/nvme0n1p3 --type luks2 --hw-opal-only

Open the encrypted partition (the mapper name chosen here, luks-disk-uuid, must be the same one used later in crypttab and fstab):

cryptsetup open /dev/nvme0n1p3 luks-disk-uuid

Create the file system on the encrypted partition:

mkfs.ext4 /dev/mapper/luks-disk-uuid

Mount the partitions and chroot into the installation environment:

mount /dev/mapper/luks-disk-uuid /mnt
mkdir -p /mnt/boot
mount /dev/nvme0n1p2 /mnt/boot
mkdir -p /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi   # the ESP is partition 1, not partition 2

debootstrap noble /mnt http://archive.ubuntu.com/ubuntu/

# --rbind also carries sub-mounts such as /sys/firmware/efi/efivars, which grub-install needs to write the boot entry
for i in /dev /proc /sys /run; do mount --rbind "$i" "/mnt$i"; mount --make-rslave "/mnt$i"; done
chroot /mnt

Install the essential packages in the chroot environment:

cat << EOF > /etc/apt/sources.list
deb http://us.archive.ubuntu.com/ubuntu noble main universe multiverse restricted
deb http://us.archive.ubuntu.com/ubuntu noble-updates main universe multiverse restricted
deb http://us.archive.ubuntu.com/ubuntu noble-backports main universe multiverse restricted
deb http://security.ubuntu.com/ubuntu noble-security main universe multiverse restricted
EOF
apt update
apt install vim linux-image-generic grub-efi-amd64 cryptsetup initramfs-tools shim-signed grub-efi-amd64-signed

Edit the crypttab configuration file:

# UUID= takes the LUKS header UUID (from: cryptsetup luksUUID /dev/nvme0n1p3, or blkid), not the GPT PARTUUID.
# The <name> field must match the mapper name used with "cryptsetup open" and in fstab.
cat << EOF > /etc/crypttab
# <name>               <device>                         <password> <options>
luks-disk-uuid      UUID=PARTUUID_GOES_HERE     -     luks
EOF

Edit the fstab configuration file:

# Fill in the UUIDs reported by: blkid -s UUID -o value /dev/nvme0n1p2  (and /dev/nvme0n1p1 for the ESP)
cat << EOF > /etc/fstab
/dev/mapper/luks-disk-uuid / ext4 noatime,discard,defaults 0 1
UUID=nvme0n1p2-uuid /boot ext4 noatime,discard,defaults 0 2
UUID=nvme0n1p1-uuid /boot/efi vfat umask=0077 0 1
EOF
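A check worth running inside the chroot before the first reboot, added here as an example (it is not part of the gist): it catches the three mistakes that leave this layout unbootable, namely a template placeholder left in place, a /dev/mapper name in fstab that crypttab never creates, and a UUID that blkid did not report. The function names, the sample UUIDs and the demo files are constructed for the example; on a real system pass the output of `blkid -s UUID -o value` as the UUID list.

```shell
# Added example, not from the original gist. Assumes the gist's layout: one LUKS
# mapper name shared by crypttab and fstab, and UUID_LIST holding the UUIDs
# printed by `blkid -s UUID -o value`, one per line.

# check_boot_config CRYPTTAB FSTAB UUID_LIST  -> returns 0 if consistent, 1 otherwise
check_boot_config() {
    crypttab=$1; fstab=$2; uuids=$3; rc=0
    # 1. Template placeholders that were never replaced
    if grep -Eq 'GOES_HERE|nvme[0-9]+n[0-9]+p[0-9]+-uuid' "$crypttab" "$fstab"; then
        echo "ERROR: a template placeholder is still present"; rc=1
    fi
    # 2. Every /dev/mapper/NAME that fstab mounts must be opened by crypttab as NAME
    for name in $(awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$fstab"); do
        awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$crypttab" ||
            { echo "ERROR: $name is mounted by fstab but has no crypttab entry"; rc=1; }
    done
    # 3. Every UUID= reference must be one that blkid actually reported
    for u in $(grep -ohE 'UUID=[0-9a-fA-F-]+' "$crypttab" "$fstab" | cut -d= -f2); do
        grep -qix "$u" "$uuids" ||
            { echo "ERROR: UUID $u was not reported by blkid"; rc=1; }
    done
    return $rc
}

# demo_check good|bad -> runs the checker on constructed sample files (no real devices touched)
demo_check() {
    d=$(mktemp -d)
    # Constructed UUIDs standing in for `blkid -s UUID -o value` output
    printf '%s\n' A1B2-C3D4 3f2504e0-4f89-41d3-9a0c-0305e82c3301 \
        6ba7b810-9dad-11d1-80b4-00c04fd430c8 > "$d/uuids"
    if [ "$1" = good ]; then
        luks=6ba7b810-9dad-11d1-80b4-00c04fd430c8; root=luks-disk-uuid
    else   # placeholder left in crypttab, and fstab names a mapper crypttab never creates
        luks=PARTUUID_GOES_HERE; root=luks-root
    fi
    printf 'luks-disk-uuid UUID=%s none luks\n' "$luks" > "$d/crypttab"
    {
        printf '/dev/mapper/%s / ext4 noatime,discard,defaults 0 1\n' "$root"
        printf 'UUID=3f2504e0-4f89-41d3-9a0c-0305e82c3301 /boot ext4 noatime,discard,defaults 0 2\n'
        printf 'UUID=A1B2-C3D4 /boot/efi vfat umask=0077 0 1\n'
    } > "$d/fstab"
    check_boot_config "$d/crypttab" "$d/fstab" "$d/uuids"; rc=$?
    rm -rf "$d"
    return $rc
}

demo_check good && echo "sample config OK"
```

On the installed system, run `check_boot_config /etc/crypttab /etc/fstab <(blkid -s UUID -o value)` from bash after filling in the UUIDs.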

Install and configure the GRUB bootloader:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu
update-initramfs -u
update-grub

Add a regular user:

adduser myuser  # create the user myuser
usermod -aG sudo myuser  # add myuser to the sudo group
passwd myuser  # set the password for myuser

Install the Ubuntu desktop environment:

apt install ubuntu-desktop

Reboot. Under normal circumstances the system boots into Ubuntu and prompts for the disk password.

TPM2 Auto-Unlock Configuration

TPM2 auto-unlock of the partition can be implemented with dracut (tpm2-tss), clevis, mkinitcpio and similar tools. Here we use clevis.

The dracut method may fail to unlock the partition with TPM2 on Ubuntu because its systemd version is too old (it works on Deepin Linux 25); non-TPM2 unlocking may still work. See the references for details.

Install clevis and the TPM2 tools:

sudo -i
apt install clevis clevis-luks clevis-tpm2 tpm2-tools clevis-initramfs

Bind the LUKS partition to the TPM2:

# Seals a new LUKS keyslot to the TPM2, bound to PCR 7 (Secure Boot state): the TPM releases
# the key only while the Secure Boot policy is unchanged, so after a firmware or Secure Boot
# change you fall back to the passphrase and must re-bind. Keep the passphrase keyslot.
clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_ids":"7", "pcr_bank":"sha256"}'
clevis luks list -d /dev/nvme0n1p3   # verify that the tpm2 binding was added

Edit the GRUB configuration file to enable TPM2 auto-unlock:

# Append rather than overwrite, so the other settings in /etc/default/grub are kept
cat << EOF >> /etc/default/grub
GRUB_CMDLINE_LINUX="rd.auto rd.luks=1"
EOF

Update the initramfs and the GRUB configuration:

update-initramfs -u -k all
update-grub

Reboot and test. Under normal circumstances the system boots into Ubuntu: the disk password prompt still appears, but the disk is unlocked automatically by the TPM2 and the boot continues into the system.

References
