Cryptsetup mount TPM2 secured LUKS device

Hi there,

I have an external hard disk I use for backup purposes, it is LUKS2 encrypted and is not to be mounted automatically, but manually when needed with cryptsetup.

In order to get passwordless mounting I bound the TPM2 to this device:

backup3="/dev/disk/by-partuuid/4735ca67-8b08-421c-9d19-96b1fb146304"

systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 ${backup3}

This worked well, as can be seen with

# cryptsetup luksDump ${backup3}
LUKS header information
Version:        2
Epoch:          6
Metadata area:  16384 [bytes]
Keyslots area:  2064384 [bytes]
UUID:           7bee973c-e82d-4e50-9571-e0d5f6def4c2
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 2097152 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Salt:       a6 af 7e ba fc a3 98 e6 5c ac 1e e3 c1 8d 75 84
                    dd 4c 85 2a b4 f5 96 2a 36 9d 35 83 d7 55 f4 93
        AF stripes: 4000
        AF hash:    sha256
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
        Salt:       b0 b5 88 07 4a e1 31 7a ec a3 61 d8 ca 11 63 c5
                    bf be 79 50 70 4c 11 ef 8f c4 a9 14 4b f7 0e 88
        AF stripes: 4000
        AF hash:    sha512
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
  0: systemd-tpm2
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha512
        Iterations: 124356
        Salt:       01 be 1a b8 43 6e d8 27 3e e4 fa 1e 4a 00 7f 67
                    e0 e7 59 59 a4 a4 f3 75 f3 30 ab f0 eb 34 ba 78
        Digest:     f5 55 db 5f 98 4a cd 2c 52 61 a7 93 5b 27 24 34
                    f7 8c da 48

Below Tokens you can see that token 0 was added to the device.

But, when I try to manually mount the device it fails:

# cryptsetup --verbose --token-only luksOpen ${backup3} cr_backup3
No usable token is available.
Command failed with code -1 (wrong or missing parameters).

When I specify slot 1 that is bound to the TPM2 token, it fails as well:

# cryptsetup --verbose --token-only --key-slot=1 luksOpen ${backup3} cr_backup3
No usable token is available.
Command failed with code -1 (wrong or missing parameters).

As said, I'd like to mount this device passwordless manually; is cryptsetup not able to do this? I'm on Leap 15.5.

Thanks for any hint.

PS, sorry for the bad formatting, I tried to use code tags, but they seem not to work here?

You used systemd-cryptenroll to add a TPM2-protected key, so you need to use systemd-cryptsetup to unlock it.

They most certainly do. We have no idea what you did and what you call “code tags”, so it is hard to say more.

So, there are 2 versions of cryptsetup, systemd-cryptsetup and "generic" cryptsetup from the package cryptsetup? Leap 15.5 just comes with the package cryptsetup. Thanks.

systemd-cryptsetup is provided by the systemd package.

SOLVED.

The syntax I used was wrong, I missed a dash. This is now the syntax that works:

/usr/lib/systemd/systemd-cryptsetup attach cr_backup3 /dev/disk/by-uuid/FOO - tpm2-device=auto

I missed the dash before tpm2-device=auto.
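The working command above has the shape `systemd-cryptsetup attach NAME DEVICE KEYFILE OPTIONS`: the lone `-` is the key-file argument (meaning "no key file"), and the last field carries crypttab-style options such as `tpm2-device=auto`, which is why the dash cannot be left out. The script below is an added example, not code from the thread or from systemd; it wraps that command for manual use and keeps the passphrase in key slot 0 as a fallback, because the enrollment was bound to PCR 7 (the Secure Boot policy measurement), so the TPM2 unlock will stop working after a Secure Boot key or firmware change. The device path, mapper name, mount point and `tpm2-pcrs=7` option string are assumptions taken from the thread and can be overridden through the environment; `DRY_RUN=1` only prints the commands instead of running them.

```shell
#!/bin/sh
# open-backup.sh: attach and mount a TPM2-enrolled LUKS2 backup disk by hand.
#
# Added example, not code from the original thread. It wraps the working
# command from the thread (systemd-cryptsetup attach NAME DEVICE - OPTIONS):
# the lone "-" is the key-file argument ("no key file"), and the last field
# holds crypttab-style options. Device path, mapper name and mount point are
# assumptions; override them through the environment.
set -eu

BACKUP_DEV="${BACKUP_DEV:-/dev/disk/by-partuuid/4735ca67-8b08-421c-9d19-96b1fb146304}"
MAPPER_NAME="${MAPPER_NAME:-cr_backup3}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/backup3}"
SD_CRYPTSETUP="${SD_CRYPTSETUP:-/usr/lib/systemd/systemd-cryptsetup}"
# Must match the enrollment: systemd-cryptenroll --tpm2-pcrs=7 bound the key
# to PCR 7 (Secure Boot policy), so tpm2-pcrs=7 is what is checked at unlock.
TPM2_OPTS="${TPM2_OPTS:-tpm2-device=auto,tpm2-pcrs=7}"

# Run a command, or only print it when DRY_RUN=1 (lets you check the
# argument order without touching a real TPM or device).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

is_mapped() { [ -e "/dev/mapper/$1" ]; }

# TPM2 unlock: no passphrase, no key file ("-"), PCR policy in the options.
# Usage: attach_tpm2 NAME DEVICE
attach_tpm2() {
    run "$SD_CRYPTSETUP" attach "$1" "$2" - "$TPM2_OPTS"
}

# Fallback: plain cryptsetup prompts for the passphrase of key slot 0.
# Usage: attach_passphrase NAME DEVICE
attach_passphrase() {
    run cryptsetup luksOpen "$2" "$1"
}

do_open() {
    if is_mapped "$MAPPER_NAME"; then
        echo "$MAPPER_NAME is already attached" >&2
    elif attach_tpm2 "$MAPPER_NAME" "$BACKUP_DEV"; then
        echo "unlocked via TPM2" >&2
    else
        # PCR 7 no longer matches (Secure Boot db/key change, firmware
        # update) or the TPM is unavailable: fall back to the passphrase slot.
        echo "TPM2 unlock failed, falling back to passphrase" >&2
        attach_passphrase "$MAPPER_NAME" "$BACKUP_DEV"
    fi
    run mkdir -p "$MOUNT_POINT"
    run mount "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"
}

do_close() {
    run umount "$MOUNT_POINT"
    run "$SD_CRYPTSETUP" detach "$MAPPER_NAME"
}

case "${1:-}" in
    open)  do_open ;;
    close) do_close ;;
    *)     echo "usage: $0 open|close" >&2 ;;
esac
```

Run it as root with `./open-backup.sh open` and `./open-backup.sh close`; `DRY_RUN=1 ./open-backup.sh open` shows the exact `systemd-cryptsetup attach ... - tpm2-device=auto,tpm2-pcrs=7` line before anything is touched. After a successful open, `cryptsetup status cr_backup3` shows which device is mapped.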