There is a solution but it’s not for everyone:
The PC should be equipped with a TPM2, and /boot should reside on a separate unencrypted partition. I managed to make it work with direct kernel booting (no GRUB): my LUKS partition gets decrypted with a TPM-sealed key, which is added to a LUKS keyslot during the setup process. This makes the system boot without any prompt for a password, so the whole process looks like Windows 10 booting with BitLocker enabled (seamless, in one word). It also uses PCR values when decrypting (unsealing) the key, so if some malicious rootkit alters the boot sequence or the bootloader, the decryption will immediately fail and the system will ask for the passphrase (which usually resides in keyslot 0 of the LUKS volume).
In brief, the installation process has to be done this way:
trizen -S tpm2-tools tpm2-tss luks-tpm mkinitcpio-tpm2-encrypt
After installation, there are several steps to make it work:
Creating a pacman hook to set a temporary passphrase when the kernel, rEFInd binary, etc. get updated (not necessary now, as the tool got updated and a Manjaro-compatible pacman hook is now included):
echo -e '[Trigger]\nOperation = Install\nOperation = Upgrade\nOperation = Remove\nType = File\nTarget = boot/vmlinuz-*\nTarget = boot/intel-ucode.img\nTarget = usr/lib/initcpio/*\nTarget = usr/lib/systemd/boot/efi/linux*.efi.stub\nTarget = usr/share/refind/refind_x64.efi\n\n[Action]\nDescription = Adding temporary LUKS TPM key...\nWhen = PostTransaction\nExec = /usr/bin/luks-tpm2 temp' | sudo tee -a /etc/pacman.d/hooks/luks-tpm2.hook
As I use rEFInd and Secure Boot, I have some more hooks for auto-updating and auto-signing rEFInd binary and its ext4 driver (and kernel too). Let me know if you need to see this too.
- Listing persistent handles of your TPM2 device:
sudo tpm2_listpersistent -T device:/dev/tpmrm0
persistent-handle:0x81000001 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt
persistent-handle:0x81000002 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|sign
persistent-handle:0x81010001 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt
- Creating a parent encryption key in your TPM2:
sudo tpm2_createprimary -H o -g sha1 -G rsa -T device:/dev/tpmrm0
CreatePrimary Succeed ! Handle: 0x80000000
- Making your own persistent handle for it:
sudo tpm2_evictcontrol -A o -H 0x80000000 -S 0x81000003 -T device:/dev/tpmrm0
I used 0x81000003 (which was just created with the above command) because 0x81000001 and 2 others were already occupied by default (I suspect it was Windows that owned the other handles listed as per
Before proceeding you need to check your LUKS partition's slots and adjust them as needed (sudo cryptsetup luksKillSlot <device> 1, sudo cryptsetup luksAddKey <device> -S 3 /crypto_keyfile.bin, etc.):
sudo cryptsetup luksDump /dev/nvme0n1p5
AFAIR, by default Manjaro is installed with 2 keyslots active: the first (its number is 0) is for your passphrase, the second one (number 1) is
luks-tpm2 uses slots 1 and 2, so you should either add your /crypto_keyfile.bin to another slot (e.g. 3, as shown above) or simply kill this slot, 'cause there will be no need for it from now on. Or – it's also an option – make adjustments in /etc/default/luks-tpm2; the corresponding variables are
RESET_KEY_SLOT=2. But please don't kill your slot 0 with your passphrase – it's your fallback option if you do something wrong.
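Because luks-tpm2 overwrites the slots it is told to use, it is worth listing the active keyslots from the luksDump output before running it. The script below is an added example, not part of the original post or of luks-tpm2 itself: it parses both the LUKS1 ("Key Slot N: ENABLED") and LUKS2 ("Keyslots:" section) dump formats, reports which active slots the luks-tpm2 key slot and reset slot (1 and 2 by default, per the post) would replace, and refuses if slot 0, the passphrase fallback, is among them. The two dumps are constructed samples; on a real system you would pipe `sudo cryptsetup luksDump /dev/nvme0n1p5` into `active_luks_slots` instead.

```shell
#!/bin/sh
# Added example, not part of the original post: list the active LUKS
# keyslots from `cryptsetup luksDump` output and check that the slots
# luks-tpm2 takes over (1 and 2 by default, per the post) do not include
# slot 0, the passphrase fallback.  The dumps are constructed samples.

LUKS1_DUMP='LUKS header information for /dev/nvme0n1p5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          5
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  3: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Print the numbers of the active keyslots in the luksDump text read on
# stdin, one per line.  LUKS1 lists every slot with ENABLED/DISABLED; LUKS2
# lists only the populated ones, indented by two spaces, under "Keyslots:".
active_luks_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(/:/, "", $3); print $3; next }
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/ { in_slots = 0 }
        in_slots && /^  [0-9]+: / { sub(/:/, "", $1); print $1 }
    '
}

# Print the active slots (space-separated list in $3) that the luks-tpm2
# key slot ($1) or reset slot ($2) would overwrite.
overwritten_slots() {
    for s in $3; do
        if [ "$s" = "$1" ] || [ "$s" = "$2" ]; then
            printf '%s\n' "$s"
        fi
    done
}

# Return 0 when slot 0 survives the luks-tpm2 setup, 1 when it would be
# overwritten (the post's warning: never kill the slot with your passphrase).
passphrase_slot_preserved() {
    for s in $(overwritten_slots "$1" "$2" "$3"); do
        [ "$s" = "0" ] && return 1
    done
    return 0
}

# Stand-alone run over the constructed dumps.
for dump in "$LUKS1_DUMP" "$LUKS2_DUMP"; do
    active=$(printf '%s\n' "$dump" | active_luks_slots | tr '\n' ' ')
    echo "active keyslots: $active"
    for s in $(overwritten_slots 1 2 "$active"); do
        echo "  slot $s is in use and luks-tpm2 init/reset would replace it"
    done
    passphrase_slot_preserved 1 2 "$active" && echo "  slot 0 (passphrase) is safe"
done
```

With the default slots (1 and 2), the LUKS1 sample reports slot 1 as about to be replaced, which matches the "This will permanently delete the key in slot 1!" warning luks-tpm2 prints; the LUKS2 sample, where the keyfile was moved to slot 3, reports nothing.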
This is the actual command for creating the TPM-sealed keyfile:
sudo luks-tpm2 -p /boot/keyfile -H 0x81000003 /dev/nvme0n1p5 init
Initializing LUKS TPM key for /dev/nvme0n1p5
WARNING: This will permanently delete the key in slot 1!
Do you wish to proceed? [Y/n]y
Enter any existing LUKS passphrase:
Generating new LUKS key…
Removing existing key from slot 1…
La ranura de claves 1 no está activa.
Adding new key to slot 1…
Sealing keyfile with the TPM…
tpm2 hook right before the encrypt one in /etc/mkinitcpio.conf and regenerate the initramfs with sudo mkinitcpio -P.
Finally, the bootloader's parameters:
tpmkey=/dev/nvme0n1p2:/keyfile:0x81000003 tpmpcr=sha1:0,2,4,7 cryptdevice=PARTUUID=a8c19e8e-blah-blah-blah-your-usual-parameters, where
- nvme0n1p2 is the /boot partition where the keyfiles were created,
- /keyfile – the relative path to both keyfiles,
- 0x81000003 – the above-mentioned TPM handle,
- sha1:0,2,4,7 – PCR values as per
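Two things from the last steps have to line up before the first reboot: the tpm2 hook must sit directly before encrypt in the HOOKS array of /etc/mkinitcpio.conf, and the tpmkey=/tpmpcr= parameters must point at the right partition, path, handle and PCR bank. The following pre-flight script is an added example, not code from the post or from mkinitcpio-tpm2-encrypt: it checks the HOOKS order, extracts the fields of tpmkey= and tpmpcr=, and verifies that the handle is in the TPM 2.0 persistent range (0x81xxxxxx). The config and kernel command line are constructed samples, and the PARTUUID is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# HOOKS order in /etc/mkinitcpio.conf (tpm2 directly before encrypt) and the
# tpmkey=/tpmpcr= kernel parameters.  Constructed config and command line;
# the PARTUUID is a placeholder.

MKINITCPIO_CONF='MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect keyboard keymap modconf block tpm2 encrypt filesystems fsck)'

CMDLINE='tpmkey=/dev/nvme0n1p2:/keyfile:0x81000003 tpmpcr=sha1:0,2,4,7 cryptdevice=PARTUUID=00000000-0000-0000-0000-000000000000:cryptroot root=/dev/mapper/cryptroot rw'

# Print the value of the NAME=VALUE parameter ($2) in the command line ($1).
cmdline_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print field $2 of a tpmkey value (1 = device, 2 = path on it, 3 = handle).
tpmkey_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Print the PCR bank of a tpmpcr value, e.g. sha1.
tpmpcr_bank() { printf '%s\n' "$1" | cut -d: -f1; }

# Print the PCR indexes of a tpmpcr value as a space-separated list.
tpmpcr_indexes() { printf '%s\n' "$1" | cut -d: -f2 | tr ',' ' '; }

# Return 0 if $1 is a TPM 2.0 persistent handle (0x81000000-0x81FFFFFF),
# the kind tpm2_evictcontrol creates; transient ones like 0x80000000 vanish
# on reboot and would leave the initramfs with nothing to unseal against.
is_persistent_handle() {
    case "$1" in
        0x81[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the HOOKS line of the mkinitcpio.conf text ($1) has tpm2
# immediately before encrypt, so the unseal runs before the LUKS open.
hooks_tpm2_before_encrypt() {
    printf '%s\n' "$1" | awk '
        /^HOOKS=/ {
            sub(/^HOOKS=\(/, ""); sub(/\)$/, "")
            n = split($0, h, " ")
            for (i = 1; i < n; i++)
                if (h[i] == "tpm2" && h[i+1] == "encrypt") ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Run every check; print what fails and return 0 only when all pass.
preflight() {
    conf="$1"; cmdline="$2"; rc=0
    hooks_tpm2_before_encrypt "$conf" || { echo "HOOKS: tpm2 must come right before encrypt"; rc=1; }
    key=$(cmdline_param "$cmdline" tpmkey)
    [ -n "$key" ] || { echo "tpmkey= is missing"; rc=1; }
    is_persistent_handle "$(tpmkey_field "$key" 3)" || { echo "tpmkey handle is not a persistent handle"; rc=1; }
    pcr=$(cmdline_param "$cmdline" tpmpcr)
    [ -n "$(tpmpcr_indexes "$pcr")" ] || { echo "tpmpcr= lists no PCRs"; rc=1; }
    [ -n "$(cmdline_param "$cmdline" cryptdevice)" ] || { echo "cryptdevice= is missing"; rc=1; }
    return $rc
}

# Stand-alone run over the constructed samples.
preflight "$MKINITCPIO_CONF" "$CMDLINE" && echo "pre-flight OK: $(tpmpcr_bank "$(cmdline_param "$CMDLINE" tpmpcr)") PCRs $(tpmpcr_indexes "$(cmdline_param "$CMDLINE" tpmpcr)")"
```

The PCR list is what ties the sealed key to the measured boot chain: the key only unseals while those registers hold the values recorded at sealing time, which is why a changed firmware, option ROM, boot manager or Secure Boot state drops you back to the slot 0 passphrase prompt rather than booting silently.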
What a wall of text, right? So many things must be configured. Of course, the commands are not meant to be copied and pasted without proper adjustment for each use case.
Maybe I will make it more readable, or maybe not – I got tired while describing this.
MOAR INFO HERE
PS: ATM it has some limitations, like auto-assigning a temporary passphrase works only when updating via pacman, while pamac (CLI and GUI) does not provide a request for user input.
PPS: Also, this thing relies on tech that is under active development, so sometimes there are failures to compile and install tpm2-tss and so on; git versions may change in a way that breaks compatibility with luks-tpm2, etc.
I checked, btw: this script works with LUKS v2 as well.