From Fedora Project Wiki
Revision as of 19:46, 31 March 2020

Description

A simple validation test case for Clevis on Fedora IoT Edition. This test requires hardware with a Trusted Platform Module (TPM) or a virtual machine with an emulated TPM (you will need to install swtpm and swtpm-tools).

Setup

Install a system with an encrypted root filesystem. See this test case for further details.

How to test

Verify decryption is working via TPM2

echo foo | clevis encrypt tpm2 '{}' | clevis decrypt

Get the UUID of the encrypted device

UUID=$(lsblk | grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1)
DEV=$(blkid --uuid "$UUID")

Check encryption details of the device

cryptsetup luksDump "$DEV"

Verify the passphrase before binding it

cryptsetup luksOpen --test-passphrase --key-slot 0 "$DEV" && echo correct

Set up Clevis to decrypt via TPM2 on boot

clevis luks bind -f -k- -d "$DEV" tpm2 '{}' <<< "$YOUR_PASSPHRASE"

Reboot the system and confirm that it boots without user intervention.
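The steps above collected into one script with explicit checks, as an added example that is not part of the Fedora test case. It assumes clevis, cryptsetup, lsblk and blkid are installed and that the encrypted root is mapped as luks-<UUID>; the two text filters are kept separate so they can be checked against captured output without a TPM.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki: runs the test-case steps with checks.
# Assumes clevis, cryptsetup, lsblk and blkid on PATH and a luks-<UUID> mapping.
set -eu

# Pull the UUID out of the first luks-<UUID> mapping in lsblk output (stdin).
extract_luks_uuid() {
  sed -n 's/^.*luks-\([0-9a-fA-F-]\{36\}\).*$/\1/p' | head -n 1
}

# Read `clevis luks list -d DEV` output from stdin and report the tpm2 binding:
# "pinned" if the policy names pcr_ids, "unpinned" if not (the '{}' config used
# in the test case pins no PCRs, so the key unseals regardless of boot state),
# "missing" (exit status 1) if no tpm2 binding is present at all.
tpm2_binding_status() {
  line=$(grep ' tpm2 ' | head -n 1) || true
  if [ -z "$line" ]; then echo missing; return 1; fi
  case "$line" in
    *pcr_ids*) echo pinned ;;
    *)         echo unpinned ;;
  esac
}

run_test_case() {
  passphrase=$1
  # The TPM2 round trip must work before the LUKS header is touched.
  [ "$(echo foo | clevis encrypt tpm2 '{}' | clevis decrypt)" = foo ]
  uuid=$(lsblk | extract_luks_uuid)
  [ -n "$uuid" ] || { echo "no luks-<UUID> mapping found" >&2; return 1; }
  dev=$(blkid --uuid "$uuid")
  cryptsetup luksDump "$dev"
  # Confirm the passphrase opens slot 0 before binding with it (prompts on the tty).
  cryptsetup luksOpen --test-passphrase --key-slot 0 "$dev"
  printf '%s\n' "$passphrase" | clevis luks bind -f -k- -d "$dev" tpm2 '{}'
  # Confirm the binding landed and report whether it is tied to any PCRs.
  clevis luks list -d "$dev" | tpm2_binding_status
}

# Runs only when a passphrase is supplied: YOUR_PASSPHRASE=... sh ./clevis-check.sh
if [ -n "${YOUR_PASSPHRASE-}" ]; then run_test_case "$YOUR_PASSPHRASE"; fi
```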

Results

1. The installed system should boot to log in without needing the passphrase for the encrypted filesystem.