Auto mounting LUKS with TPM2

Hi to all,
I’m trying to get a non-root partition encrypted with LUKS decrypted and mounted automatically using TPM2. Unfortunately, I’m not able to get this working. At every reboot, I need to manually insert the password to unlock the partition and continue to the login screen. I’m currently using a fresh installation of Fedora 40.
Here are some details about what I’ve done so far.
First some hardware configuration.

$ inxi -Fxz
System:
  Kernel: 6.8.11-300.fc40.x86_64 arch: x86_64 bits: 64 compiler: gcc
    v: 2.41-37.fc40
  Desktop: GNOME v: 46.2 Distro: Fedora Linux 40 (Workstation Edition)
Machine:
  Type: Laptop System: LENOVO product: 20N6001JUK v: ThinkPad P53s
    serial: <superuser required>
  Mobo: LENOVO model: 20N6001JUK v: SDK0J40697 WIN
    serial: <superuser required> UEFI: LENOVO v: N2IETA4W (1.82 )
    date: 02/22/2024
Battery:
  ID-1: BAT0 charge: 45.6 Wh (94.8%) condition: 48.1/57.0 Wh (84.4%)
    volts: 12.3 min: 11.5 model: SMP 02DL012 status: discharging
CPU:
  Info: quad core model: Intel Core i7-8665U bits: 64 type: MT MCP
    arch: Comet/Whiskey Lake note: check rev: C cache: L1: 256 KiB L2: 1024 KiB
    L3: 8 MiB
  Speed (MHz): avg: 537 high: 700 min/max: 400/4800 cores: 1: 700 2: 600
    3: 700 4: 400 5: 700 6: 400 7: 400 8: 400 bogomips: 33599
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
  Device-1: Intel WhiskeyLake-U GT2 [UHD Graphics 620] vendor: Lenovo
    driver: i915 v: kernel arch: Gen-9.5 bus-ID: 00:02.0
  Device-2: NVIDIA GP108GLM [Quadro P520] vendor: Lenovo driver: nvidia
    v: 550.78 arch: Pascal bus-ID: 3c:00.0
  Device-3: Chicony ThinkPad T490 Webcam driver: uvcvideo type: USB
    bus-ID: 1-8:3
  Display: wayland server: X.Org v: 24.1 with: Xwayland v: 24.1.0
    compositor: gnome-shell driver: dri: iris gpu: i915
    resolution: 1920x1080~60Hz
  API: OpenGL v: 4.6 vendor: intel mesa v: 24.0.8 glx-v: 1.4
    direct-render: yes renderer: Mesa Intel UHD Graphics 620 (WHL GT2)
  API: EGL Message: EGL data requires eglinfo. Check --recommends.
Audio:
  Device-1: Intel Cannon Point-LP High Definition Audio vendor: Lenovo
    driver: snd_hda_intel v: kernel bus-ID: 00:1f.3
  API: ALSA v: k6.8.11-300.fc40.x86_64 status: kernel-api
  Server-1: JACK v: 1.9.22 status: off
  Server-2: PipeWire v: 1.0.7 status: active
Network:
  Device-1: Intel Cannon Point-LP CNVi [Wireless-AC] driver: iwlwifi v: kernel
    bus-ID: 00:14.3
  IF: wlp0s20f3 state: up mac: <filter>
  Device-2: Intel Ethernet I219-LM vendor: Lenovo driver: e1000e v: kernel
    port: N/A bus-ID: 00:1f.6
  IF: enp0s31f6 state: down mac: <filter>
Bluetooth:
  Device-1: Intel Bluetooth 9460/9560 Jefferson Peak (JfP) driver: btusb
    v: 0.8 type: USB bus-ID: 1-10:5
  Report: btmgmt ID: hci0 rfk-id: 4 state: up address: <filter> bt-v: 5.1
    lmp-v: 10
Drives:
  Local Storage: total: 476.94 GiB used: 26.35 GiB (5.5%)
  ID-1: /dev/nvme0n1 vendor: Western Digital model: PC SN720
    SDAQNTW-512G-1001 size: 476.94 GiB temp: 44.9 C
Partition:
  ID-1: / size: 271.44 GiB used: 25.25 GiB (9.3%) fs: btrfs
    dev: /dev/nvme0n1p6
  ID-2: /boot size: 973.4 MiB used: 463.1 MiB (47.6%) fs: ext4
    dev: /dev/nvme0n1p5
  ID-3: /boot/efi size: 996 MiB used: 657.6 MiB (66.0%) fs: vfat
    dev: /dev/nvme0n1p1
  ID-4: /home size: 271.44 GiB used: 25.25 GiB (9.3%) fs: btrfs
    dev: /dev/nvme0n1p6
Swap:
  ID-1: swap-1 type: zram size: 8 GiB used: 0 KiB (0.0%) dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 43.0 C mobo: N/A
  Fan Speeds (rpm): N/A
Info:
  Memory: total: 32 GiB note: est. available: 30.97 GiB used: 5.78 GiB (18.7%)
  Processes: 356 Uptime: 5h 9m Init: systemd target: graphical (5)
  Packages: 30 Compilers: gcc: 14.1.1 Shell: Bash v: 5.2.26 inxi: 3.3.34

From here, https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/, I got the info about Secure Boot and the TPM2 module:

$ sudo dmesg | grep Secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.013549] secureboot: Secure boot enabled
[    5.665835] Bluetooth: hci0: Secure boot is enabled
[  950.920211] Bluetooth: hci0: Secure boot is enabled
[ 3714.754269] Bluetooth: hci0: Secure boot is enabled

$ sudo  dmesg | grep TPM
[    0.000000] efi: TPMFinalLog=0x6fca2000 SMBIOS=0x6ddca000 SMBIOS 3.0=0x6ddbd000 ACPI=0x6fd0e000 ACPI 2.0=0x6fd0e014 MEMATTR=0x687dc018 ESRT=0x6dba3000 MOKvar=0x6c1ad000 RNG=0x6fd0d018 TPMEventLog=0x486f2018 
[    0.013620] ACPI: TPM2 0x000000006DBDA000 000034 (v04 LENOVO TP-N2I   00001820 PTEC 00000002)

So I created a LUKS partition as described here, https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/#_overview_of_luks, with the result shown below:

$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0                                         252:0    0     8G  0 disk  [SWAP]
nvme0n1                                       259:0    0 476,9G  0 disk  
├─nvme0n1p1                                   259:1    0  1000M  0 part  /boot/efi
├─nvme0n1p2                                   259:2    0    16M  0 part  
├─nvme0n1p3                                   259:3    0   183G  0 part  
├─nvme0n1p4                                   259:4    0     1G  0 part  
├─nvme0n1p5                                   259:5    0     1G  0 part  /boot
├─nvme0n1p6                                   259:6    0 271,4G  0 part  /home
│                                                                        /
└─nvme0n1p7                                   259:7    0  19,5G  0 part  
  └─luks-f5578c88-e00f-4000-8c64-37542b3f7d6b 253:0    0  19,5G  0 crypt 

and

$ sudo cryptsetup isLuks /dev/nvme0n1p7 && echo Success
Success

I could provide the output of sudo cryptsetup luksDump /dev/nvme0n1p7 if necessary.
Then I followed step by step the command in https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/

$ echo "add_dracutmodules+=\" tpm2-tss \"" | sudo tee /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "

$ sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "0+1+2+3+4+5+7+9" /dev/nvme0n1p7

$ sudo dracut -f

Here is my /etc/crypttab:

$ cat /etc/crypttab 
luks-f5578c88-e00f-4000-8c64-37542b3f7d6b	 UUID=f5578c88-e00f-4000-8c64-37542b3f7d6b  tpm2-device=auto,tpm2-pcrs=0+1+2+3+4+5+7+9

At this point, adding the following line in /etc/fstab causes an error that locks the whole boot process.

#UUID=/dev/mapper/luks-f5578c88-e00f-4000-8c64-37542b3f7d6b	/home/LUKS	ext4	defaults	0 0

While deleting it (or commenting it out) makes the LUKS password prompt appear at boot.
Surely I’m missing something, but I can’t actually figure it out.
I tried to be as detailed as I can. Any advice would be appreciated.
Many thanks in advance.

You could add nofail to the options for that entry in fstab to allow the system to continue booting when the device does not mount.

You could also test that fstab entry after creating it to verify it works properly by using sudo mount -a. This way you are certain it will work and not cause a lock up during boot.

I don’t use luks so cannot assist with that part, but my comments are related to using fstab and testing the entries there. There are many options that apply to the mount command and can be used in /etc/fstab.

I am guessing here, but maybe there is another option to be used in fstab for encrypted file systems.


At a guess, it’s probably the PCR set, try using just PCR 7.
Since Fedora updates so often, PCR 4-5,8-9 can easily change on a day by day basis.

:stop_sign:
Please do not. That’s the dump of the header, basically showing key slots and other information.

I played around with LUKS partitions for some days. Thanks to the previous suggestions I added the nofail option to /etc/fstab and changed the PCR value to just 7.

At this point the system boots normally, and the encrypted volume is decrypted automatically, but I still can’t mount it at boot.
I have to mount it once logged in with:

sudo  mount /dev/mapper/luks-f5578c88-e00f-4000-8c64-37542b3f7d6b /home/LUKS

Deleting the nofail option and trying with mount -a, I get:

$ sudo mount -a
mount: /home/LUKS: can't find UUID=luks-f5578c88-e00f-4000-8c64-37542b3f7d6b

My fstab entry now looks like:

UUID=luks-f5578c88-e00f-4000-8c64-37542b3f7d6b  /home/LUKS      auto    defaults,nofail 0 0

I can’t go any further. BTW it is an acceptable result. If you have other suggestions, I would be happy to give them a try.
Thanks

What is the UUID of the file system for that device?

You should be able to confirm the UUID with lsblk -f.
That should show the device UUID as well as the luks UUID


I missed posting a gparted screenshot . . .

Hi to all,
here is the output of lsblk -f:

lsblk -f
NAME FSTYPE FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
zram0
                                                                             [SWAP]
nvme0n1
│                                                                            
├─nvme0n1p1
│    vfat   FAT32 SYSTEM 7A22-5642                             338,4M    66% /boot/efi
├─nvme0n1p2
│                                                                            
├─nvme0n1p3
│    ntfs                CEAEA204AEA1E565                                    
├─nvme0n1p4
│    ext4   1.0          937ee313-44fc-4ccb-8d8b-b7eca814ed73                
├─nvme0n1p5
│    ext4   1.0          845a8e43-a421-40c7-b844-83711af63217  448,2M    47% /boot
├─nvme0n1p6
│    btrfs        fedora c896efc8-8c01-42e3-8e40-eb2fca6434f6  244,1G     9% /home
│                                                                            /
└─nvme0n1p7
  │  crypto 2            f5578c88-e00f-4000-8c64-37542b3f7d6b                
  └─luks-f5578c88-e00f-4000-8c64-37542b3f7d6b
     ext4   1.0          33432b5c-ec42-4ad2-86c7-22427585dc51   

and a gparted screenshot

after mounting it with the above command:

paolo@fedora:~$ sudo mount /dev/mapper/luks-f5578c88-e00f-4000-8c64-37542b3f7d6b /home/LUKS/
[sudo] password di paolo: 
paolo@fedora:~$ lsblk -f
NAME                                          FSTYPE      FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
zram0                                                                                                                      [SWAP]
nvme0n1                                                                                                                    
├─nvme0n1p1                                   vfat        FAT32 SYSTEM 7A22-5642                             338,4M    66% /boot/efi
├─nvme0n1p2                                                                                                                
├─nvme0n1p3                                   ntfs                     CEAEA204AEA1E565                                    
├─nvme0n1p4                                   ext4        1.0          937ee313-44fc-4ccb-8d8b-b7eca814ed73                
├─nvme0n1p5                                   ext4        1.0          845a8e43-a421-40c7-b844-83711af63217  448,2M    47% /boot
├─nvme0n1p6                                   btrfs             fedora c896efc8-8c01-42e3-8e40-eb2fca6434f6  244,1G     9% /home
│                                                                                                                          /
└─nvme0n1p7                                   crypto_LUKS 2            f5578c88-e00f-4000-8c64-37542b3f7d6b                
  └─luks-f5578c88-e00f-4000-8c64-37542b3f7d6b ext4        1.0          33432b5c-ec42-4ad2-86c7-22427585dc51     18G     0% /home/LUKS


This shows you are not mounting it at /home, but instead at /home/LUKS.
Also, /home is btrfs on nvme0n1p6 and /home/LUKS is ext4 on nvme0n1p7.

That was my idea. To mount a separate partition for sensitive data. I’m not trying to mount my home partition.
I created /dev/nvme0n1p7, encrypted with LUKS and tried to auto-mount. I thought I could choose an arbitrary mount point.


Is there a directory in your /home named LUKS, so that the mountpoint is there when you need to mount?

Just saw it is opened and mounted . . .

You can choose a mount point such as that, but the entry in fstab must point to the proper mount point.

This entry looks correct, but I would change the file system from auto to ext4 since that is the actual file system type.

Once again.
When making an entry into fstab, I suggest you always test the mounting before doing a reboot. Thus you should be able to do sudo umount /home/LUKS then after verifying that it is no longer mounted do sudo mount -a and it should mount properly. If it does not mount then something is wrong with the fstab entry. If it can be mounted by the mount -a command then it should auto-mount when you reboot.

Finally, you would need to verify it is properly owned to read/write from that partition so running sudo chown -R USER:USER /home/LUKS would be required before your user could access it.

In the /etc/fstab file there should be a reminder to run systemctl daemon-reload every time you make a change in that file (which should be done to make the system aware of the changes).

Finally I got this working.
When unmounted the output of lsblk -f looks like this one:

lsblk -f
NAME                                          FSTYPE      FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
zram0                                                                                                                      [SWAP]
nvme0n1                                                                                                                    
├─nvme0n1p1                                   vfat        FAT32 SYSTEM 7A22-5642                             338,4M    66% /boot/efi
├─nvme0n1p2                                                                                                                
├─nvme0n1p3                                   ntfs                     CEAEA204AEA1E565                                    
├─nvme0n1p4                                   ext4        1.0          937ee313-44fc-4ccb-8d8b-b7eca814ed73                
├─nvme0n1p5                                   ext4        1.0          845a8e43-a421-40c7-b844-83711af63217  448,2M    47% /boot
├─nvme0n1p6                                   btrfs             fedora c896efc8-8c01-42e3-8e40-eb2fca6434f6  243,9G     9% /home
│                                                                                                                          /
└─nvme0n1p7                                   crypto_LUKS 2            f5578c88-e00f-4000-8c64-37542b3f7d6b                
  └─luks-f5578c88-e00f-4000-8c64-37542b3f7d6b ext4        1.0          33432b5c-ec42-4ad2-86c7-22427585dc51     

As I understand it, there is a sub-volume under nvme0n1p7 which I named, following the guide, luks-f5578c88-e00f-4000-8c64-37542b3f7d6b. This seems to be associated with a new UUID (33432…) since I formatted the partition as ext4.
Using this UUID in /etc/fstab makes everything work.
So this is the content of my /etc/fstab:


# /etc/fstab
# Created by anaconda on Mon May 13 08:52:13 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=c896efc8-8c01-42e3-8e40-eb2fca6434f6 /                       btrfs   subvol=root,compress=zstd:1 0 0
UUID=845a8e43-a421-40c7-b844-83711af63217 /boot                   ext4    defaults        1 2
UUID=7A22-5642          /boot/efi               vfat    umask=0077,shortname=winnt 0 2
UUID=c896efc8-8c01-42e3-8e40-eb2fca6434f6 /home                   btrfs   subvol=home,compress=zstd:1 0 0
UUID=33432b5c-ec42-4ad2-86c7-22427585dc51       /home/LUKS      ext4    defaults        0 0

Here the output of lsblk -f after the mount -a command:

sudo mount -a
[sudo] password di paolo: 
paolo@fedora:~$ lsblk -f
NAME                                          FSTYPE      FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
zram0                                                                                                                      [SWAP]
nvme0n1                                                                                                                    
├─nvme0n1p1                                   vfat        FAT32 SYSTEM 7A22-5642                             338,4M    66% /boot/efi
├─nvme0n1p2                                                                                                                
├─nvme0n1p3                                   ntfs                     CEAEA204AEA1E565                                    
├─nvme0n1p4                                   ext4        1.0          937ee313-44fc-4ccb-8d8b-b7eca814ed73                
├─nvme0n1p5                                   ext4        1.0          845a8e43-a421-40c7-b844-83711af63217  448,2M    47% /boot
├─nvme0n1p6                                   btrfs             fedora c896efc8-8c01-42e3-8e40-eb2fca6434f6  243,9G     9% /home
│                                                                                                                          /
└─nvme0n1p7                                   crypto_LUKS 2            f5578c88-e00f-4000-8c64-37542b3f7d6b                
  └─luks-f5578c88-e00f-4000-8c64-37542b3f7d6b ext4        1.0          33432b5c-ec42-4ad2-86c7-22427585dc51     18G     0% /home/LUKS

I’m really not a Linux expert. It would be nice to understand why mounting the partition with:

sudo  mount /dev/mapper/luks-f5578c88-e00f-4000-8c64-37542b3f7d6b /home/LUKS

works, while including this device’s name in /etc/fstab doesn’t.

I wonder if the Fedora guide should be corrected or not. Also, it uses the command:

cryptsetup luksOpen <device> <name>

where the current syntax is:

cryptsetup open <device> <name>

Many many thanks for all the time you have spent to help me!

The above is the device name.
Below is the UUID for that device.
They are different and cannot be used interchangeably in fstab with UUID=....

Fstab could contain either /dev/mapper/luks-f5578c88-e00f-4000-8c64-37542b3f7d6b or UUID=33432b5c-ec42-4ad2-86c7-22427585dc51 but you cannot mix the device name with the UUID.
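The distinction drawn above (the /dev/mapper device name versus the file system UUID inside it) and the crypttab/fstab pair built earlier in the thread, as an added shell example that is not part of the thread or of any Fedora documentation. It assumes the UUID lookup reads text in the format `lsblk -P -o NAME,FSTYPE,UUID` prints; the sample listing is constructed from the thread's own lsblk -f output, and the crypttab line uses the four-field form documented in crypttab(5), with `none` in the key-file field.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers that build the crypttab(5)
# and fstab(5) entries for a TPM2-unlocked LUKS data volume and flag the mixed
# "UUID=<mapper name>" form that mount cannot resolve.
# Assumption (not on the page): UUIDs are looked up from text in the format
# produced by `lsblk -P -o NAME,FSTYPE,UUID`; the sample below is constructed
# from the thread's lsblk -f listing.

# crypttab(5) has four fields: name, device, key-file, options. "none" means
# no key file; the TPM2 settings belong in the options field.
crypttab_line() {
    # $1 mapper name, $2 LUKS header UUID, $3 PCR list (e.g. "7")
    printf '%s UUID=%s none tpm2-device=auto,tpm2-pcrs=%s\n' "$1" "$2" "$3"
}

# fstab(5): the source must be the file system UUID (the ext4 inside the opened
# mapper device) or the mapper device path, never "UUID=<mapper name>".
fstab_line() {
    # $1 fs UUID, $2 mount point, $3 fs type, $4 mount options
    printf 'UUID=%s %s %s %s 0 0\n' "$1" "$2" "$3" "$4"
}

# True when $1 is a UUID as blkid prints it: 8-4-4-4-12 hex groups, or the
# XXXX-XXXX serial that vfat volumes carry.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|[0-9A-F]{4}-[0-9A-F]{4})$'
}

# Exit status 0 when an fstab source field is well formed, 1 otherwise.
check_fstab_source() {
    case "$1" in
        UUID=*)  is_uuid "${1#UUID=}" ;;
        LABEL=*) [ -n "${1#LABEL=}" ] ;;
        /dev/*)  true ;;
        *)       false ;;
    esac
}

# Print the file system UUID of mapper device $1, reading lsblk -P text on stdin.
fs_uuid_of_mapper() {
    grep -F "NAME=\"$1\"" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample in `lsblk -P -o NAME,FSTYPE,UUID` format: the LUKS header
# UUID (on the partition) and the ext4 UUID (inside the mapper device) differ.
LSBLK_SAMPLE='NAME="nvme0n1p7" FSTYPE="crypto_LUKS" UUID="f5578c88-e00f-4000-8c64-37542b3f7d6b"
NAME="luks-f5578c88-e00f-4000-8c64-37542b3f7d6b" FSTYPE="ext4" UUID="33432b5c-ec42-4ad2-86c7-22427585dc51"'

MAPPER=luks-f5578c88-e00f-4000-8c64-37542b3f7d6b

# Demo: generate both entries, then judge the fstab sources seen in the thread.
crypttab_line "$MAPPER" f5578c88-e00f-4000-8c64-37542b3f7d6b 7
FS_UUID=$(printf '%s\n' "$LSBLK_SAMPLE" | fs_uuid_of_mapper "$MAPPER")
fstab_line "$FS_UUID" /home/LUKS ext4 defaults,nofail
for src in "UUID=$MAPPER" "UUID=$FS_UUID" "/dev/mapper/$MAPPER"; do
    if check_fstab_source "$src"; then echo "ok:  $src"; else echo "bad: $src"; fi
done
```

On a real system the lookup input comes from `sudo lsblk -P -o NAME,FSTYPE,UUID` run after the volume has been opened, since the ext4 UUID only exists once the mapper device is present; `nofail` keeps a failed mount from blocking boot while the entry is being tested with `mount -a`.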