I’m new to the Fedora distro, however, have been a RHEL and CentOS admin for many years.
I just installed Fedora 33 Server using the Anaconda installer, booting off a Live USB to configure and install this system. /dev/sda and /dev/sdb contain my /boot, /, swap, /var and /home partitions and are NVMe drives; partitions are mirrored using mdadm. /dev/sdc is a 50 TB /files partition (GPT) off an Adaptec RAID card (RAID5), it is encrypted using LUKS. I set this all up using Anaconda. When I boot up a process called plymouth (I think) asks me for the passphrase and my encrypted /files partition mounts and works properly. None of my other partitions are encrypted, just /files.
I have a TPM2 module installed on the mobo (ASrock Rack) and I want to use this to do auto-decryption of /files, so I ran the following command post-boot (as root):
clevis luks bind -d /dev/sdc1 tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'
This appears to have worked, because I can successfully test by first umount /files and cryptsetup luksClose /dev/mapper/luks-blahblah, and then run:
clevis luks unlock -d /dev/sdc1
…and mount it manually. So clevis appears to be working, but when I boot or reboot the machine, even with clevis configured this way, plymouth is still prompting to enter a passphrase to decrypt the partition. The system just hangs there until I do so. I would like to run this system headless, so this is a bit of an issue I’d like to resolve.
I have tried different combinations of values for pcr_ids, like just using 0 or 1, but that doesn’t seem to change the behavior. I’m not sure if this is a clevis, plymouth or systemd issue; although I suspect the latter two more so than clevis, currently.
I should mention also, this is my first time using TPM2 and clevis; I have used TPM with trousers before.
I assume I am missing something obvious in my configuration here. For example, in the boot process, how does systemd know to call clevis instead of plymouth prompting for a passphrase?
Any help or guidance would be appreciated.
Thank you!
-Mike
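As an added example (not part of Mike's post), a POSIX shell script covering two things a practitioner would verify on a non-root clevis/TPM2 volume: which PCRs the binding is sealed to, and that the volume is in /etc/crypttab, where the systemd-cryptsetup prompt that clevis-luks-askpass.path (from the clevis-systemd package) answers originates. The clevis list output, crypttab contents and UUID are constructed sample data, and the file-based helper functions are this example's own, not clevis tooling.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a clevis/TPM2 binding on a
# non-root LUKS volume such as /files. Inputs are read from files so the checks can be
# run over captured output; all sample data below is constructed.

# Print "slot pcr_ids" for every tpm2 pin in saved `clevis luks list -d <dev>` output.
tpm2_pcr_ids() {
    grep -E '^[0-9]+: tpm2 ' "$1" \
      | sed -E 's/^([0-9]+): tpm2 .*"pcr_ids":"([^"]*)".*$/\1 \2/'
}

# Succeed when the list includes any of PCRs 0-7 (firmware, option ROMs, bootloader,
# Secure Boot state): a key sealed to them stops unsealing after a firmware or
# shim/grub update, and the volume falls back to the passphrase prompt.
pcrs_include_boot_measurements() {
    echo "$1" | tr ',' '\n' | grep -qxE '[0-7]'
}

# Succeed when crypttab ($1) lists the volume by UUID ($2). The boot-time prompt that
# clevis-luks-askpass answers is raised by systemd-cryptsetup for crypttab entries.
crypttab_has_uuid() {
    grep -E -v '^[[:space:]]*(#|$)' "$1" | grep -qi "UUID=$2"
}

# Constructed sample data standing in for real command output and config.
sample_dir=$(mktemp -d)
sample_uuid=1111aaaa-2222-bbbb-3333-cccc4444dddd   # placeholder, not a real volume
cat > "$sample_dir/clevis-list.txt" <<'EOF'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7"}'
EOF
cat > "$sample_dir/crypttab" <<EOF
# <name>  <device>  <password>  <options>
luks-$sample_uuid UUID=$sample_uuid none
EOF

report() {
    tpm2_pcr_ids "$1" | while read -r slot pcrs; do
        if pcrs_include_boot_measurements "$pcrs"; then
            echo "slot $slot: PCRs $pcrs (re-prompt expected after firmware/bootloader updates)"
        else
            echo "slot $slot: PCRs $pcrs"
        fi
    done
    crypttab_has_uuid "$2" "$3" && echo "crypttab: volume listed" || echo "crypttab: volume missing"
}
report "$sample_dir/clevis-list.txt" "$sample_dir/crypttab" "$sample_uuid"
```

On a live system, feed the functions the output of `clevis luks list -d /dev/sdc1` and the real /etc/crypttab instead of the constructed files.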